Frequently Asked Questions - ThreatCHECK

ThreatCHECK monitors what IP addresses your computer is talking to by repeatedly running the ‘netstat’ command utility for a fixed period of time. This is a totally passive action that has no effect on communications to or from the computer.

When the time period is over, the ‘View full report’ option uploads the data to ThreatSTOP’s website where we cross correlate it with our database to find out if we know anything about the IP addresses your computer has been talking to. We store that data for 2 weeks so you can share it with others or revisit it for reference, then we delete it. After the first time you view the report, you will need to register with us (just a valid email address) to see it again. We do that primarily to stop abuse of our system.

Millions of computers around the world are infected with malware (sometimes known as trojans or bots) that take control of the computer without the user's permission, spy on the user's activities or steal the user's private data.

If you run ThreatCHECK you can find out if you have a bot on your computer and hence you can prevent cybercriminals from stealing your financial data and identity, committing fraud against you and other crimes. This can save you thousands of dollars and lots of hassles in restoring your online data and identity. Get a peace of mind that you are NOT talking to cybercriminals.

If you are on a corporate network, it’s even worse. The entire network can be compromised if your computer is “botted”, and the cost of data loss, remediation, and even fines from failing to comply with data security regulations can run in the millions.

Download ThreatCHECK

Download ThreatCHECK by clicking the download button, and double click on the file to run it. Press OK if you get a security warning like the one shown below
Security Warning

Run ThreatCHECK for short, standard or extended times (see question below for which to choose) in the background while it discovers the IP addresses your computer is connected to. ThreatSTOP runs a query of those IPs on our database of known malware sites and compiles a report for you. You can see the report by clicking on "View Full Report". An example of a full report is here with all the features explained.

The Short test runs for 15 minutes which is generally long enough to catch the more noisy bots – and is quite long enough to check whether a particular website is trying to download malware onto your computer. It is probably not long enough to capture more stealthy sorts of attack. The standard test runs for one hour which is generally enough to catch most bots and other malware.

The extended test runs for 6 hours which is likely to produce a very large list of IP addresses if you run it while the computer is in use. On the other hand if you run it overnight, say, it gives you a good feel for what things your computer may be doing when you aren’t doing anything which is a great way to find the most stealthy forms of malware.

Tip: You can always choose the extended test and then stop it when you think you have gathered enough data

There are a couple of options that can be specified if you run threatCHECK from a command prompt.

These can be used by advanced users to automate its actions:

/t N run for N minutes
/a
upload data to ThreatSTOP automatically once the time is up
/n skip the check to see if there is an updated version of the software

The ‘save to file’ and ‘copy to clipboard’ options are also useful to feed the same IP address data to some other application than ThreatSTOP’s database.

The result page tells you what IP addresses in our database your computer has been communicating with. Not all of these are necessarily bad - particularly if the only information is a country. For example communicating with IP addresses in Estonia may mean you are using Skype (which has some servers there) and communicating with the Czech Republic may just mean your anti-virus is looking for an update (both Avast and AVG originate in the Czech Republic). However if the IP address is listed as being known for something other than a country then that could be more problematic.

Take a look at our sample page to see what a really worrying report might look like and to get more explanation about what it means.

If your report shows nothing suspicious, you don't need to do anything. You should run ThreatCHECK periodically to ensure that your computer is still clean, as it is constantly being bombarded by cybercriminals. On the other hand, if you do have suspicious connections or a confirmed infection, then you should investigate further and possibly seek help.

If you are in a corporate environment you should contact your IT help desk for help. If not, the next section lists some tools you can use to clean up bots.

Microsoft and many antivirus companies have specific removal tools for some bots (e.g. this page from Symantec or this one by eset). In addition we recommend Malwarebytes (http://www.malwarebytes.org/ ) as a good general tool.

Other sources of help:

However you should be aware that in many cases it is safer (and quicker) to back up critical data and then totally reinstall / reimage the machine.