Frequently Asked Questions

Q: Why should I use Orthrus?
A: Orthrus provides the following advantages over available anti-virus software:

  • Prevents intrusions of known and unknown malware through Windows services and user applications, using a patent-pending behavior analysis technique.
  • Verifies all running applications and library modules.
  • Detects rootkit malware that persists through a background service.
  • Simple and efficient, and more compatible with the operating system because it does not modify the kernel.
  • ABSOLUTELY FREE to use on any individually owned system.
  • Coexists with all other anti-virus, intrusion prevention and rootkit detector applications, as it is written entirely in .NET as a user-mode, out-of-band application.
  • Easily customizable to a site-licensed corporate version.

Q: How does Orthrus work?
A: Orthrus' patent-pending behavior analysis is based on the following malware characteristics:

  • How intrusions occur.
  • How malware hides itself.
  • How malware makes itself difficult to remove.

Orthrus' rootkit detection is based on a simple .NET programming technique:

  • If a persistent Rootkit hides from Orthrus’ view, Orthrus will reveal its presence.
  • If a Rootkit does not hide from Orthrus, it will be identified by a WNSC security analyst and quarantined.

Orthrus uses the .NET watcher technique to monitor running processes, the registry, and the file system.  It is a non-invasive, out-of-band technique (i.e. Orthrus does not intercept any kernel-mode function calls), and it is designed to run as a background service that continuously protects your computer from malware intrusions.  Because it relies only on notifications the operating system already publishes, it cannot break the kernel the way a hooking product can, but it also sees only what the operating system reports to user mode.
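The following is an added example written for this FAQ; it is not Orthrus or WNSC code and does not reproduce the patent-pending analysis. It shows what a user-mode, out-of-band monitor built from the same .NET and WMI watcher primitives looks like: a WMI intrinsic event for process creation, the WMI registry provider for the HKLM Run autostart key, and System.IO.FileSystemWatcher for a directory. Assumptions: PowerShell 3.0 or later, run from an elevated prompt; the watched directory (%SystemRoot%\Temp) and the "review" rule for images launched from user-writable paths are illustrative choices, not Orthrus behavior.

```powershell
# Added example; not Orthrus/WNSC code. A user-mode, out-of-band monitor built from
# .NET/WMI watcher primitives. Nothing here intercepts kernel-mode calls: each
# watcher only subscribes to notifications the OS already publishes, which is also
# why a rootkit that filters those notifications hides from a monitor like this.
# Assumptions: PowerShell 3.0+, elevated prompt; watch path and triage rule are illustrative.

$ErrorActionPreference = 'Stop'

# 1. Process creation. WITHIN 2 makes WMI poll for new Win32_Process instances every
#    two seconds, so a process that starts and exits faster than that can be missed.
$processQuery = "SELECT * FROM __InstanceCreationEvent WITHIN 2 " +
                "WHERE TargetInstance ISA 'Win32_Process'"
Register-CimIndicationEvent -Query $processQuery -SourceIdentifier 'OrthrusDemo.Process' -Action {
    $p = $Event.SourceEventArgs.NewEvent.TargetInstance
    # Illustrative triage rule (assumption): images launched from user-writable
    # locations are marked for review.
    $flag = if ($p.ExecutablePath -match '\\(Temp|AppData|Downloads)\\') { ' <-- review' } else { '' }
    Write-Host ("{0:u} PROCESS  pid={1,-6} {2}{3}" -f (Get-Date), $p.ProcessId, $p.ExecutablePath, $flag)
}

# 2. Registry. The WMI registry event provider lives in root\default; backslashes in
#    the key path are doubled inside the WQL string. HKLM\...\Run is a classic
#    autostart location malware uses to make itself difficult to remove.
$runKeyQuery = "SELECT * FROM RegistryKeyChangeEvent WHERE Hive='HKEY_LOCAL_MACHINE' " +
               "AND KeyPath='SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run'"
Register-CimIndicationEvent -Namespace 'root\default' -Query $runKeyQuery -SourceIdentifier 'OrthrusDemo.RunKey' -Action {
    Write-Host ("{0:u} REGISTRY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run changed" -f (Get-Date))
}

# 3. File system. FileSystemWatcher is the .NET watcher class; it reports new
#    executables dropped into the watched tree (%SystemRoot%\Temp, chosen for the demo).
$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = Join-Path $env:SystemRoot 'Temp'
$watcher.Filter = '*.exe'
$watcher.IncludeSubdirectories = $true
$watcher.NotifyFilter = [System.IO.NotifyFilters]'FileName, LastWrite'
$watcher.EnableRaisingEvents = $true
Register-ObjectEvent -InputObject $watcher -EventName Created -SourceIdentifier 'OrthrusDemo.File' -Action {
    Write-Host ("{0:u} FILE     created {1}" -f (Get-Date), $Event.SourceEventArgs.FullPath)
}

Write-Host 'Monitoring; press Ctrl+C to stop.'
try {
    # Keep the session alive so the -Action handlers keep running.
    while ($true) { Wait-Event -Timeout 5 | Out-Null }
}
finally {
    # Tear down the three subscriptions and the watcher on exit.
    Get-EventSubscriber | Where-Object SourceIdentifier -like 'OrthrusDemo.*' | Unregister-Event
    $watcher.Dispose()
}
```

Run it in one elevated window and start a program, add a value under the Run key, or copy an .exe into %SystemRoot%\Temp from another window to see each watcher fire. The polling interval on the process query is the practical weakness of this approach: short-lived processes can slip between polls, which is one reason commercial products add other sources.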

Q: What is the OrthNote.exe application?
A: It is a configuration and notification application with the following features:

  • Allows you to reconfigure how the Orthrus application runs.
  • Notifies you about malware intrusion and quarantine status.
  • Allows you to determine the legitimacy of an executable and take appropriate actions against it.

Q: How do I change configuration using OrthNote.exe?
A: After you click the Configure button, the following window will appear. 

[Screenshot: Orthrus Configuration window]

Click one of the items in the description section and then change its settings using the checkbox/textbox at the bottom.

[Screenshot: Orthrus Configuration window, settings panel]

Q: How do I use the ViewEvents option in OrthNote.exe?
A:  After you click the ViewEvents button, the following window will appear.

[Screenshot: Orthrus ViewEvents window]

Click one of the entries in the Image Path section to view the file information in the Description window.  The Status row in the Description tells you whether the executable has been verified, quarantined, or sent for verification.  The check boxes at the bottom give you the option to manually quarantine or permit an executable.

[Screenshot: Orthrus ViewEvents window, Description panel]

Q: How do I know my system is clean?
A:  If you have not received an OrthNote warning message about malware or a rootkit that could not be quarantined, your system is clean as far as Orthrus can determine.  Any unverified executables are listed in the Image Path section after you click the ViewEvents button; review that list as well, since an unverified executable has not yet been classified either way.

Q: How do I verify the executables by myself using OrthNote.exe?
A:  You may right-click the executable path and click Internet Lookup to find references for this executable.

Q: How does a security analyst in WNSC identify a malware?
A:  A WNSC security analyst will look up file name references on the Internet to determine whether an executable is malicious.  The determination uses the following criteria:

  • If there is no reference and no vendor for this executable, it is classified as malicious.
  • If there is a vendor or third-party reference to the executable, the file information (manufacturer, product name, version) is compared.  When the executable is obtainable from the vendor, its cryptographic hash is calculated and compared with the hash of the copy submitted to WNSC.
  • If there are references citing this executable as malicious from other security web sites such as CastleCops (www.castlecops.com), it is classified as malicious.
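The following is an added example written for this FAQ; it is not WNSC's analyst tooling. It applies the checks just described to a single file: it reads the version information (manufacturer, product name) that a vendor reference would be compared against, checks the Authenticode signature, and compares a SHA-256 hash against a known-good value obtained from the vendor. Assumptions: PowerShell 4.0 or later (Get-FileHash); the expected hash is supplied by the caller, typically copied from the vendor's download page or computed on a pristine copy of the file. The verdict strings are illustrative.

```powershell
# Added example; not WNSC code. Verifies one executable by version information,
# Authenticode signature and SHA-256 comparison against a vendor-supplied hash.
# Assumptions: PowerShell 4.0+ (Get-FileHash); $ExpectedSha256 comes from the vendor.
function Test-ExecutableIdentity {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $ExpectedSha256      # optional: vendor-published or pristine-copy hash
    )

    $file = Get-Item -LiteralPath $Path
    $ver  = $file.VersionInfo          # CompanyName/ProductName from the version resource

    # Authenticode: Valid means the signature chains to a trusted root and the file
    # has not changed since signing. NotSigned and HashMismatch are the cases an
    # analyst looks at harder.
    $sig    = Get-AuthenticodeSignature -FilePath $file.FullName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    # Hash of the file as it exists on disk, compared with the reference if one was given.
    $actualHash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
    $hashMatch  = $null
    if ($ExpectedSha256) { $hashMatch = ($actualHash -eq $ExpectedSha256.Trim().ToUpperInvariant()) }

    # Verdict follows the FAQ's criteria: a reference hash that does not match means
    # this is not the vendor's build; no vendor name and no signature means the file
    # has to be looked up by hand.
    $verdict = 'unsigned; confirm with vendor'
    if ($hashMatch -eq $false) { $verdict = 'hash mismatch: not the vendor build' }
    elseif ($sig.Status -eq 'Valid' -and $hashMatch -eq $true) { $verdict = 'verified' }
    elseif ($sig.Status -eq 'Valid') { $verdict = 'signed; no reference hash to compare' }
    elseif ([string]::IsNullOrWhiteSpace($ver.CompanyName)) { $verdict = 'unsigned and no vendor name: look up manually' }

    [pscustomobject]@{
        Path            = $file.FullName
        CompanyName     = $ver.CompanyName
        ProductName     = $ver.ProductName
        FileDescription = $ver.FileDescription
        SignatureStatus = $sig.Status
        Signer          = $signer
        Sha256          = $actualHash
        HashMatches     = $hashMatch
        Verdict         = $verdict
    }
}

# Usage: check a system binary against a hash computed from the same file (matches),
# then against a deliberately wrong reference hash (mismatch).
$notepad = Join-Path $env:SystemRoot 'System32\notepad.exe'
Test-ExecutableIdentity -Path $notepad -ExpectedSha256 (Get-FileHash $notepad -Algorithm SHA256).Hash
Test-ExecutableIdentity -Path $notepad -ExpectedSha256 ('0' * 64)
```

Note that a valid signature only proves who signed the file and that it is unmodified; it does not prove the signer is the vendor you expect, so compare the Signer subject with the CompanyName and the vendor you looked up, as the analyst procedure above does.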

Q: When OrthNote asks me to “restart machine to complete malware removal,” should I restart right away?
A:  Yes.  You should close all applications and restart the system.  If restarting the system right away is not possible in a server environment, you should examine the security events and make sure all malicious applications (.exe files) are no longer running.  This can be done with the Windows Task Manager program.  If malicious applications are still running, there is likely no other tool that can terminate them, and you should restart the system as soon as you can.

Q: When OrthNote asks me to “contact your network administrator for assistance,” what should I do if I cannot get an administrator to help me?
A: If this message shows up immediately (or at the next restart of your computer) after you have installed Orthrus, it typically means that malware (most likely a pre-existing rootkit on a Windows 2000 or Windows VISTA system) needs to be removed by booting from another operating system, either from a CD or from the secondary OS on a dual-boot machine. Please read the procedures in "Q: How do I remove malware by booting from an operating system CD?"

If this message is related to a rootkit, you should try other rootkit detectors first. See details in "Q: When OrthNote tells me 'a Rootkit malware was found and could not be stopped, a manual removal is required,' what should I do?"

In all situations, if you receive this message after you have installed and used Orthrus for some time, you should use the built-in Windows System Restore to recover your system from the malware infection. Please read the procedures in "Q: How do I use System Restore to remove a malware infection?"

Q: When OrthNote tells me “Orthrus is configured to remove malware manually,” what should I do?
A:  You should click the ViewEvents button to show all the malicious executables.  Click on each of them, and then check the Quarantine File box at the bottom of the window.  When you close the OrthNote application, malicious executables will be quarantined within a second.  You may re-open the ViewEvents option to review the events.

Q: When OrthNote tells me “a Rootkit malware was found and could not be stopped, a manual removal is required,” what should I do?
A:  Orthrus and OrthNote do not remove a pre-existing Rootkit malware on a Windows 2000 or a Windows VISTA system in the current version.  You should try free Rootkit detectors such as IceSword (by Xfocus Team, http://www.xfocus.net, English version http://www.antirootkit.com/software/IceSword.htm) or BlackLight (by F-Secure, http://www.f-secure.com/blacklight/blacklight.html) to identify them. 

In certain situations, the rootkit is written such that IceSword and BlackLight do not flag it as a rootkit.  When that happens, you should compare the process list generated by the rootkit detector with the one generated by the Windows taskmgr.exe program.  A process that appears in the rootkit detector's output but not in Task Manager's list is the hidden rootkit process.  Take both listings at nearly the same time and repeat the comparison: a process that starts or exits between the two snapshots also shows up as a difference, but only once, whereas a hidden process is missing every time.
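The following is an added example written for this FAQ; it is not part of Orthrus, IceSword or BlackLight. It automates the comparison just described: it enumerates processes through three independent paths (Get-Process, the WMI Win32_Process provider, and tasklist.exe) and reports PIDs that one view shows and another does not, keeping only PIDs that differ in every round so that processes starting or exiting between snapshots are filtered out. A user-mode rootkit that hooks one enumeration API usually misses the others; a kernel rootkit that filters the kernel's own list hides from all three, which is why dedicated detectors add their own cross-view sources. Assumptions: PowerShell 3.0 or later (Get-CimInstance, -notin); tasklist.exe present; the number of rounds and the delay are arbitrary.

```powershell
# Added example; not Orthrus, IceSword or BlackLight code. Cross-view process
# comparison: three independent enumerations, report PIDs that are not present in
# all of them and stay inconsistent across several rounds.
# Assumptions: PowerShell 3.0+; tasklist.exe available; rounds/delay are arbitrary.

function Get-ProcessIdViews {
    # Each view is a hashtable PID -> image name, built from a separate code path.
    $views = [ordered]@{}

    # View 1: System.Diagnostics.Process (the path Task Manager style tools use)
    $views['Get-Process'] = @{}
    Get-Process | ForEach-Object { $views['Get-Process'][[int]$_.Id] = $_.ProcessName }

    # View 2: the WMI provider, serviced out of process by WmiPrvSE.exe
    $views['WMI'] = @{}
    Get-CimInstance -ClassName Win32_Process |
        ForEach-Object { $views['WMI'][[int]$_.ProcessId] = $_.Name }

    # View 3: tasklist.exe, parsed from its CSV output (/NH drops the header row;
    # the five columns are Image Name, PID, Session Name, Session#, Mem Usage)
    $views['tasklist'] = @{}
    tasklist.exe /FO CSV /NH | ConvertFrom-Csv -Header Image, PID, Session, SessionNum, Mem |
        ForEach-Object { $views['tasklist'][[int]$_.PID] = $_.Image }

    $views
}

function Find-HiddenProcesses {
    param([int]$Rounds = 3, [int]$DelayMs = 500)

    $persistent = @()   # PIDs that were inconsistent in every round so far
    $detail     = @{}   # PID -> which views saw it and which did not (last round)

    for ($r = 1; $r -le $Rounds; $r++) {
        $views = Get-ProcessIdViews
        $union = @($views.Values | ForEach-Object { $_.Keys } | Sort-Object -Unique)
        $inconsistent = @()

        foreach ($id in $union) {
            $present = @($views.Keys | Where-Object { $views[$_].ContainsKey($id) })
            if ($present.Count -lt $views.Count) {
                $inconsistent += $id
                $missing = @($views.Keys | Where-Object { $_ -notin $present })
                $detail[$id] = 'seen by {0}; missing from {1}' -f ($present -join ','), ($missing -join ',')
            }
        }

        # Keep only PIDs that have been inconsistent in every round; one-off
        # differences are process churn between snapshots, not hiding.
        if ($r -eq 1) { $persistent = $inconsistent }
        else { $persistent = @($persistent | Where-Object { $inconsistent -contains $_ }) }

        if ($r -lt $Rounds) { Start-Sleep -Milliseconds $DelayMs }
    }

    foreach ($id in $persistent) {
        [pscustomobject]@{ PID = $id; Finding = $detail[$id] }
    }
}

# Usage: on a clean machine this returns nothing.
Find-HiddenProcesses -Rounds 3 -DelayMs 500
```

An empty result means the three user-mode views agree, not that nothing is hidden; it is the same limitation the FAQ describes for a rootkit that hides from Orthrus' view, and the reason to run IceSword or BlackLight, which add kernel-level enumerations, before concluding the system is clean.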

Q: When OrthNote tells me “Orthrus security application stopped”, what should I do?
A:  The message is typically displayed because of a missing or corrupted orthrus.dat configuration file.  This file is normally hidden and read-only to prevent it from being altered or deleted.  You need to remove and reinstall Orthrus.

There is poorly written rootkit malware that causes many built-in system management applications, as well as Orthrus, to fail.  These are normally pre-existing rootkits.  In these situations, if the operating system is Windows XP or Windows Server 2003, OrthNote will display an alert and request your permission to remove the rootkit.  If the operating system is Windows 2000 or Windows VISTA, you should use the procedures described in the previous question to remove it.

Q: When OrthNote tells me "the malicious file could not be quarantined. No more removal attempt will be made," what should I do?
A:  Take the following steps to remove this malicious file:

  • Identify the executable using the OrthNote ViewEvents option.
  • Boot the computer from either a bootable CD or the secondary operating system in a dual-boot system.
  • Remove the malicious file from the infected file system disk.
  • If you are not an experienced network administrator, you should seek professional help from a computer consultant.

Q: How do I know if Orthrus has made a wrong determination and stopped a legitimate application?
A:  Examine the file information of the quarantined executable using the ViewEvents option. If you know and use the application that installed this executable, then Orthrus has made an incorrect determination.  This situation may happen with an application that is developed in-house when the programmer did not fill in the manufacturer (company) name correctly in the executable's version information.

Q: How do I reverse Orthrus’ quarantine action?
A: You may permit this executable to run explicitly by using the OrthNote ViewEvents option.  The Permit checkbox is available only when the executable has been quarantined.

Q: How do I stop a legitimate but unwanted application?
A:  You should use the Add or Remove Programs option in the Control Panel to remove the unwanted application.  If it is not available for removal or it cannot be removed successfully, you may use the OrthNote ViewEvents option to quarantine it.

Q: Windows VISTA prompts me about the OrthNote.exe application when I log on. What should I do?
A:  You should click Continue to load the OrthNote program.  It is required for the successful operation of Orthrus application.

Q: Where can I find free Rootkit detectors?
A:  The following are two recommended and free rootkit detectors (the same two referred to in the manual-removal question above):

  • IceSword, by Xfocus Team, http://www.xfocus.net (English version: http://www.antirootkit.com/software/IceSword.htm)
  • BlackLight, by F-Secure, http://www.f-secure.com/blacklight/blacklight.html

Q: How do I remove malware by booting from an operating system CD?
A:  You need to prepare a BartPE bootable live Windows CD/DVD first (http://www.nu2.nu/pebuilder/).  After booting from it, the original file system will be displayed under another drive letter.  You can explore the drive and add or delete files.  The infected system's registry is not loaded in that environment, however, so you cannot simply open the registry editor and remove unwanted registry entries; the hive files under Windows\System32\config would have to be loaded separately.

Q: How do I use System Restore to remove a malware infection?
A: Open Windows Help and search for System Restore. Read the System Restore procedures and restore your system's configuration by selecting a Restore Point from before the malware intrusion happened. The date and time of the malware intrusion can be found in the ViewEvents option for a specific malware executable; it can also be determined through the time at which the OrthNote.exe application displays the malware intrusion warning message.

Q: How can I install an application when Orthrus treats it as a malware intrusion?
A: In rare occurrences, a legitimate application exhibits malware behavior during its installation and Orthrus will stop the install process. This generally happens when the application installer is run from a network share or another remote location. To install this application successfully, download the installer to your computer and then run the installer program again from the local copy.

Q: Why do I have trouble logging off or shutting down my computer after Orthrus is installed?
A: This situation occurs if you are using a Windows 2000 operating system and the OrthNote.exe application is open when you initiate the logoff or shutdown process. You should close OrthNote.exe application before logoff / shutdown, or issue the logoff / shutdown command again.

Q: What should I do when I have trouble updating Orthrus to the newer version?
A: Try uninstalling the old version first and then install the current version from the http://www.wnsc1.com website. Updating issues may sometimes occur on machines with a VISTA operating system installed.

On Windows XP machines with the “fast user switching” feature enabled, you may need to log on as the user who installed the original Orthrus application and then install the new version by using either the update option (when you see an update reminder message) or the Free Orthrus Download option at http://www.wnsc1.com website.
