Read below to get started, or skip straight to a sub section by clicking the links to the left or at the bottom of this page.
Items appearing in BLUE deserve your attention, but are not 'wrong' in any way, they are merely worthy of your attention, for example in the picture the IP address appears in BLUE, because it is STATIC, something you should know about when working on a system. If the IP were DHCP, it would appear in BLACK with everything else.
Items appearing in RED means there is something wrong. The RAM may appear in red when maxed out, for example. The OS may appear in RED when the service pack level is detected as not being up to date, or it is detected as having a pirated product key.
Clicking on the IP address will bring up a form with NIC properties, allowing you to change them or export/import IP Address and/or DNS profiles!
The OS label displays the Windows version, service pack level, 32/64 bit, and the edition if it can be determined, which can help you in the event you need to re-install Windows and need to know which CD to use! MAP in this example means "Microsoft Action Pack" - you will also see "OEM" most frequently, "Vol", "Retail", "Upgrade", "Technet", "MSDN", combinations like "NFR/Retail" (NFR=Not For Resale), "Tablet/OEM", a few others, and of course "Unknown"...
Update: new "Vol/Pirated!
" (starting with D7 v4.1 which detects pirated product keys according to this MSKB
The IE label displays the version of Internet Explorer.
The Net: label displays "Connected" when D7 can successfully ping google.com
The Close with Options button:
This button brings up the above prompt, which allows you several options to close D7:
- Close and Remove Shell Extensions - This is the same as clicking the Close Now button to the right.
- Close and Delete this App and All Tools - This closes D7, removing all settings and configuration as above, but also it will delete the entire directory D7.exe is located in, and all files within. Useful if D7 is on your client's PC (not your flash drive) and you wish to remote D7 from the PC when done working.
- Close and Password Protect this App - This option closes D7 with the normal shutdown procedure, removing all settings and configuration as above, but password protects D7 from being launched again. Useful for those techs who like to leave D7 on the client's PC (perhaps in a \Support directory) so they for future use, but want to password protect the app in case the client were to find it one day and try to execute it.)
The bottom Status Bar displays Idle... (or a system message) when D7 is not doing anything specific, or naturally it displays the operation performed while D7 is doing something. The system message is retrieved when D7 checks for updates, and is just whatever I want to communicate to you at the time. It may be an advert for dSupport, or a Happy Holidays text, or an alert of some sort that I want you to be aware of. The system message cannot be displayed if you do not allow D7 to check for updates, however you can also disable the system message in D7 > D7 Config even when you allow D7 to check for updates.
General behavior notes
- D7 launches random filename executables!??!
- D7 launches certain malware related applications (e.g. Combofix, TDSSKiller, Autoruns, etc.) by first randomizing the filename of the executable - just in case you are facing the malware that terminates known anti-malware apps.
- D7 adds itself to the HKLM\...\RunOnce registry key?
- D7 likes to start when the system does, for many purposes in various D7 functionality, but also for convenience.
- D7 doesn’t want to be permanent, so it uses RunOnce
- D7 removes itself from the RunOnce Key when you hit the CLOSE button or the CLOSE and Delete … button, or the force shutdown from the reboot menu.
- Clicking the X at the top of the D7 Window does not remove it from the RunOnce key, nor does the force restart from the reboot menu. D7 (or rather, I) assumes that if you restart the machine, you want to restart D7.
Rename functionality and behavior
- Obviously renames a file or directory. This is useful if you aren’t sure if the file is malicious.
- Objects renamed have a .RENAMED extension
- Unless the button specifically says "Rename Only" then a dummy file or directory will be created in it’s place. More on this in the next topic on D7’s delete functionality.
Delete functionality and behavior
- D7 always attempts to send a file to the recycle bin first. This is the default behavior but can be changed in D7 > D7 Config.
- D7 makes multiple attempts at deleting stubborn files and the operation can take longer than expected, because in between deletion attempts D7 attempts to remove open file handles to files like .DLL files, and attempts to terminate processes in the case of EXE files. THIS CAN BE DANGEROUS. YES, D7 will easily delete some live running malware, and most legitimate Windows components as well (if you tell it to!!!) BE VERY CAREFUL!
- If D7 repeatedly fails deletion attempts, it prompts you with an option to do a few optional tasks such as attempt to delete the file on reboot and Rename with a Dummy.
- The theory behind Rename with a Dummy is simple. If you have malware.exe running, and you can’t delete it without it respawning, then rename it. Next, create a dummy directory with the same name as the file - the file cannot be recreated if there is a directory of the same name (because technically, a file and a directory are really the same type of object as far as Windows is concerned.) The same goes for files, where a dummy file is created to prevent a directory from being created.
- Blacklisting - Just a note that blacklisting an item in D7 (or the Add to Malware List function in the shell extensions bit) does automatically delete the item as well.