Curing Commands

Once you receive the system status report, you can analyze the data (see Search and Analyze) using filters, apply actions to selected threats, and create a curing FixIt! tool with a specified curing script.

Figure 14. Creating a curing FixIt! tool

You can add curing commands to the script manually. Commands correspond to object types.

Below, you will find all the available curing commands. You can also view a list of these commands directly in the service. To do this, click Commands on the FixIt! tool tab.

Anti-rootkit scanner

Command

Description

disinfect <ID>

Cure the system object that has the specified internal identifier. It is usually applied to objects of the Non-signature detections type. The identifier is assigned to the object while generating a report.

Example:

disinfect "10b2e828339cae479b1e5310b5980b717b7bcc57"

disinfect-reg <ID>

Cure the registry startup item that has the specified internal identifier. It is applied to objects of the Scheduled tasks type. The identifier is assigned to the object while generating the report.

Example:

disinfect-reg "629387a5dbc86d60842f12af5c43ffa5816140cc"

ark-disinfect --imagepath <Path> / --sha256 <Value>

Neutralize the active object that has the specified parameter.

If Path is specified, the file at the specified location is deleted. If it is an executable file, the corresponding processes are also stopped.

If a SHA256 value is specified, the system searches the active processes for files with that hash. Any files found are deleted, and the corresponding processes are stopped.

Example:

ark-disinfect --sha256 "71b969b079beba0db952399b918cdb6781aa5b5a1c3295129df92a0dd0fa457f"

Script commands

Command

Description

Signature detections

cure-file <Path>

Cure the file that has the detected threat signature.

The action taken (deleting the file, curing or replacing its content, and additional system actions) is determined by the signature detected in the file. When a file is cured by deletion, its location, its activity in the system and similar factors are taken into account. Additional actions, such as a pending delete, cleaning up startup items or blocking the path until restart, are performed where necessary.

If the file is clean when invoking the command, nothing happens.

Example:

cure-file C:\Windows\System32\malware.exe

File system

fs-move <Source> <Destination>

Move or rename the file or directory.

If Destination is an existing directory, Source will be moved to Destination. Otherwise Source is renamed to Destination.

Example:

fs-move c:\con c:\lpt1

fs-remove <Path>

Delete the file or directory with the specified path.

All remaining links between the object and other elements in the system will be specified at the end of the report.

Example:

fs-remove c:\con

fs-reset-acl [-r] <Path>

Apply the parent's ACL to the file or directory.

If the -r option is specified, the ACL is set recursively for each file and subdirectory.

If setting the ACL fails for a directory, recursion stops at that directory so that its child elements do not receive an incorrect ACL.

Example:

fs-reset-acl -r c:\test1\test2

fs-clear-ads <Path>

Delete all alternate data streams (ADS) of the file or directory.

Example:

fs-clear-ads C:\windows\explorer.exe

Registry

reg-remove <SID> <Key path> [<Value>]

Delete a value or key. <SID> is a profile specified in the registry.

The possible values for <SID> are: .DEFAULT, HKLM, HKCU, HKU, and values starting with S-1-5.

All remaining links between the object and other elements in the system will be specified at the end of the report.

Examples:

reg-remove HKLM SOFTWARE\Test

reg-remove HKLM SOFTWARE\Test Value

reg-set-value [-f] <SID> <Key path> <Value name> <Type> <Value data>

Set a value for the specified key. <SID> is a profile specified in the registry.

The possible values for <SID> are: .DEFAULT, HKLM, HKCU, HKU, and values starting with S-1-5.

If the -f option is specified, missing parent keys are created and an existing value is overwritten with the new type.

To specify REG_SZ or REG_EXPAND_SZ type values, the string format is used.

To specify REG_BINARY or REG_MULTI_SZ type values, the binary format is used.

To specify REG_DWORD or REG_QWORD type values, the numeric format is used.

Examples:

reg-set-value -f HKLM SOFTWARE\Test TestSZ REG_SZ "Test"

reg-set-value -f HKLM SOFTWARE\Test TestBINARY REG_BINARY "5300530044005000530052005600"

reg-set-value -f HKLM SOFTWARE\Test TestDWORD REG_DWORD 0x1
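The string, binary and numeric formats above are easy to get wrong by hand, so here is an added example (not part of the Dr.Web FixIt! documentation) that builds reg-set-value lines with the data already encoded. It assumes that the "binary format" is the hex encoding of the raw bytes the registry stores, which the REG_BINARY example above supports: its hex decodes to "SSDPSRV" in UTF-16LE.

```python
# Added example; not part of the Dr.Web FixIt! documentation. Helpers that produce
# reg-set-value lines for each data format. Assumption (supported by the REG_BINARY
# example above, whose hex decodes to "SSDPSRV" in UTF-16LE): the binary format is
# the hex encoding of the raw bytes the registry stores.
from typing import Iterable, List


def utf16le_hex(text: str) -> str:
    """Hex of a string as the registry stores string data (UTF-16LE, no terminator)."""
    return text.encode("utf-16-le").hex()


def multi_sz_hex(strings: Iterable[str]) -> str:
    """Hex of a REG_MULTI_SZ block: every string NUL-terminated, then one extra NUL."""
    block = "".join(s + "\0" for s in strings) + "\0"
    return block.encode("utf-16-le").hex()


def decode_multi_sz_hex(hexdata: str) -> List[str]:
    """Inverse of multi_sz_hex; useful when reading a value back out of a report."""
    text = bytes.fromhex(hexdata).decode("utf-16-le")
    return [s for s in text.split("\0") if s]


def reg_set_value_line(sid: str, key_path: str, name: str, reg_type: str,
                       data: str, force: bool = True) -> str:
    """Assemble one reg-set-value command; string and binary data are quoted, numbers are not."""
    if reg_type in ("REG_BINARY", "REG_MULTI_SZ"):
        if len(data) % 2 or any(c not in "0123456789abcdefABCDEF" for c in data):
            raise ValueError(f"{reg_type} data must be an even-length hex string")
    quoted = reg_type not in ("REG_DWORD", "REG_QWORD")
    parts = ["reg-set-value"] + (["-f"] if force else [])
    parts += [sid, key_path, name, reg_type, f'"{data}"' if quoted else data]
    return " ".join(parts)


if __name__ == "__main__":
    # Reproduces the REG_BINARY example from the reference above.
    print(reg_set_value_line("HKLM", r"SOFTWARE\Test", "TestBINARY", "REG_BINARY",
                             utf16le_hex("SSDPSRV")))
    # A REG_MULTI_SZ value with two entries (constructed sample data).
    print(reg_set_value_line("HKLM", r"SOFTWARE\Test", "TestMULTI", "REG_MULTI_SZ",
                             multi_sz_hex(["svc1", "svc2"])))
```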

reg-reset-acl [-r] <SID> <Key path>

Apply the parent's ACL to the key.

If the -r option is specified, the ACL is reset recursively for each subkey.

If setting the ACL fails for a key, recursion stops at that key so that its subkeys do not receive an incorrect ACL.

Example:

reg-reset-acl -r HKLM SOFTWARE\Test

Processes

proc-dump [-f] --pid <PID> / --imagename <Name> / --imagepath <Path> / --cmdline <Command line>

Generate a short or, with -f, a full memory dump of the process that matches the given criteria. The dump is created in the temporary directory and stored among the artefacts when the report is generated.

Examples:

proc-dump --pid 4123

proc-dump -f --imagepath C:\tools\procexp.exe

proc-dump -f --cmdline C:\test\procexp64.exe

proc-execute [-w] <Path> [<Arguments>]

Start the process at the specified path with the specified arguments. Environment variables can be used in the path. With the -w flag, the command waits until the process has finished.

Example:

proc-execute c:\Windows\System32\win32calc.exe

Examples with system variables:

proc-execute %TEMP%\sample.exe

proc-execute \\/?\%windir%\notepad.exe

proc-kill --pid <PID> / --imagename <Name> / --imagepath <Path> / --cmdline <Command line>

Terminate the specified process.

Example:

proc-kill --imagename win32calc.exe

proc-suspend --pid <PID> / --imagename <Name> / --imagepath <Path> / --cmdline <Command line>

Freeze the specified process.

Example:

proc-suspend --imagename win32calc.exe

Services

svc-start <Name>

Start the service with the specified name.

Example:

svc-start TestService

svc-stop <Name>

Stop the service with the specified name.

Example:

svc-stop TestService

svc-delete <Name>

Delete the service with the specified name.

Information about remaining references (service-related files) is added to the end of the report.

Example:

svc-delete TestService

svc-control <Name> <Control code>

Send the control code to the service with the specified name.

Example:

svc-control TestService 3

Scheduled tasks

task-run <Path>

Start the task at the specified path.

Example:

task-run \Microsoft\Windows\TestTask

task-delete <Path>

Delete the task at the specified path.

Information about unprocessed references from the object to files is added to the end of the report.

Example:

task-delete \Microsoft\Windows\TestTask

Layered service providers

lsp-delete <GUID>

Delete registered providers with the specified GUID.

Example:

lsp-delete {f9eab0c0-26d4-11d0-bbbf-00aa006c34e4}

Namespace service providers

nsp-delete <GUID>

Delete registered providers with the specified GUID.

Example:

nsp-delete {6642243a-3ba8-4aa6-baa5-2e0bd71fdd83}

WMI providers

wmi-delete-eventconsumer <Namespace> <Class> <Name>

Delete a WMI EventConsumer object from a specified namespace.

Example:

wmi-delete-eventconsumer ROOT\subscription CommandLineEventConsumer CommandLineTemplate

wmi-query <Namespace> <Query> <Values>

Run a WMI query and write the listed values of the returned objects to the log.

Example:

wmi-query root\cimv2 SELECT * FROM Win32_Process Name,ProcessId,CommandLine,ThreadCount,WorkingSetSize

HOSTS file

hosts-clear <Path> <String> [<Strings>]

Comment out (prefix with "#") the specified lines of the HOSTS file. The lines are given by number; numbering starts with 1.

Example:

hosts-clear c:\Windows\System32\drivers\etc\hosts 44 45 46

hosts-default <Path>

Restore the standard HOSTS file for the system.

Example:

hosts-default c:\Windows\System32\drivers\etc\hosts

hosts-cure <Path>

Check all entries in the HOSTS file and comment out those that contain malicious IP addresses. The command also adds the entry # cured by Dr.Web.

Example:

hosts-cure c:\Windows\System32\drivers\etc\hosts

Browser extensions and configuration

chromium-remove-ext <Browser> <SID> <Profile> <Extension ID>

Remove the browser extension for the specified profile.

The possible values for <SID> are: .DEFAULT, HKLM, HKCU, HKU, and values starting with S-1-5.

Examples:

chromium-remove-ext Chrome S-1-5-21-120241661-1916511805-682617159-1001 default geadmilgigoffmcnlfdlpihockonlopf

chromium-remove-ext Opera S-1-5-21-120241661-1916511805-682617159-1001 "" geadmilgigoffmcnlfdlpihockonlopf

firefox-remove-ext <Browser> <SID> <Profile> <Extension ID>

Remove the browser extension for the specified profile.

The possible values for <SID> are: .DEFAULT, HKLM, HKCU, HKU, and values starting with S-1-5.

Example:

firefox-remove-ext Firefox S-1-5-21-120241661-1916511805-682617159-1001 default default-theme@mozilla.org

chromium-clear <Browser> <SID> <Profile> <URL>

Remove the URL from browser configuration for the specified profile.

The possible values for <SID> are: .DEFAULT, HKLM, HKCU, HKU, and values starting with S-1-5.

Example:

chromium-clear Chrome S-1-5-21-120241661-1916511805-682617159-1001 Default malware.com

firefox-clear <Browser> <SID> <Profile> <URL>

Remove the URL from browser configuration for the specified profile.

The possible values for <SID> are: .DEFAULT, HKLM, HKCU, HKU, and values starting with S-1-5.

Example:

firefox-clear Firefox S-1-5-21-120241661-1916511805-682617159-1001 default malware.com

Dr.Web

drweb-remove

Remove Dr.Web software and/or all of its traces from the system.

Example:

drweb-remove

Users

user-delete <User name>

Delete the specified user account on the workstation.

System

reboot [-f]

Reboot the system after a 1-minute countdown shown in a system dialog box. The command stops the generation of the report.

shutdown [-f]

Shut down the system after a 1-minute countdown shown in a system dialog box. The command stops the generation of the report.
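Because a curing script is written by hand, a typo in a command name or a reboot placed before the last curing step silently weakens the remediation. The following added example (not part of the Dr.Web FixIt! documentation or the FixIt! tool itself) checks a script against the command reference above and enforces an ordering that is this example's own assumption: processes first, then file and registry curing, then persistence (services, tasks, providers, WMI), then hosts, browser and user clean-up, and reboot or shutdown strictly last, since those two commands stop report generation.

```python
# Added example; not part of the Dr.Web FixIt! documentation. Lints a hand-written
# curing script: every line must use a command from the reference, and the phase
# ordering below (assumed, not documented) keeps proc-* before curing, persistence
# after it, and reboot/shutdown last because they stop report generation.
from typing import List

KNOWN = set("""disinfect disinfect-reg ark-disinfect cure-file fs-move fs-remove fs-reset-acl
fs-clear-ads reg-remove reg-set-value reg-reset-acl proc-dump proc-execute proc-kill
proc-suspend svc-start svc-stop svc-delete svc-control task-run task-delete lsp-delete
nsp-delete wmi-delete-eventconsumer wmi-query hosts-clear hosts-default hosts-cure
chromium-remove-ext firefox-remove-ext chromium-clear firefox-clear drweb-remove
user-delete reboot shutdown""".split())
# Phase by command prefix; a lower phase must run earlier (assumed ordering).
PHASE = {"proc": 0, "disinfect": 1, "ark": 1, "cure": 1, "fs": 1, "reg": 1,
         "svc": 2, "task": 2, "lsp": 2, "nsp": 2, "wmi": 2,
         "hosts": 3, "chromium": 3, "firefox": 3, "drweb": 3, "user": 3,
         "reboot": 4, "shutdown": 4}

def phase_of(line: str) -> int:
    """Phase of one script line; raises ValueError for a command not in the reference."""
    cmd = line.split(None, 1)[0]
    if cmd not in KNOWN:
        raise ValueError(f"unknown curing command {cmd!r}")
    return PHASE[cmd.split("-", 1)[0]]

def lint_script(text: str) -> List[str]:
    """Return a list of problems; an empty list means the script passes."""
    problems, last = [], -1
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        try:
            phase = phase_of(line)
        except ValueError as err:
            problems.append(f"line {n}: {err}")
            continue
        if last == 4:
            problems.append(f"line {n}: unreachable, follows reboot/shutdown")
        elif phase < last:
            problems.append(f"line {n}: {line.split()[0]} should run earlier in the script")
        last = max(last, phase)
    return problems

def sort_script(text: str) -> str:
    """Stable-sort the non-blank lines by phase so that lint_script accepts the result."""
    lines = [s.strip() for s in text.splitlines() if s.strip()]
    return "\n".join(sorted(lines, key=phase_of))
```

Run lint_script on the script text before building the FixIt! tool, or sort_script to reorder it; both leave the command lines themselves untouched.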