Stinger

---

How do you use Stinger?

Trellix Stinger utilizes next-generation scan technology, including rootkit scanning, and scan performance optimizations. It detects and removes threats identified under the "Threat List" option under Advanced menu options in the Stinger application. Stinger now detects and removes GameOver Zeus and CryptoLocker.

To use Trellix Stinger:

1. Download the latest version of Stinger.
2. When prompted, choose to save the file to a convenient location on your hard disk, such as your Desktop folder.
3. When the download is complete, navigate to the folder that contains the downloaded Stinger file, and run it.
   
4. The Stinger interface will be displayed.
5. By default, Stinger scans for running processes, loaded modules, registry, WMI and directory locations known to be used by malware on a machine to keep scan times minimal. If necessary, click the "Customize my scan" link to add additional drives/directories to your scan.
6. Stinger has the capability to scan targets of Rootkits, which is not enabled by default.
7. Click the Scan button to begin scanning the specified drives/directories.
8. By default, Stinger will repair any infected files it finds.
9. Stinger leverages GTI File Reputation and runs network heuristics at Medium level by default. If you select "High" or "Very High," Trellix Labs recommends that you set the "On threat detection" action to "Report" only for the first scan.
   
   
   
   To learn more about GTI File Reputation see the following KB articles
   
   KB 53735 - FAQs for Global Threat Intelligence File Reputation
   
   KB 60224 - How to verify that GTI File Reputation is installed correctly
   
   KB 65525 - Identification of generically detected malware (Global Threat Intelligence detections)

 

Download Stinger

Builds below are for ePO administrators and 64-bit systems.

Frequently Asked Questions

Q: I know I have a virus, but Stinger did not detect one. Why is this?
A: Stinger is not a substitute for a full anti-virus scanner. It is only designed to detect and remove specific threats.

Q: Stinger found a virus that it couldn't repair. Why is this?
A: This is most likely due to Windows System Restore functionality having a lock on the infected file. Windows/XP/Vista/7 users should disable system restore prior to scanning.

Q: Where is the scan log saved and how can I view them?
A: By default the log file is saved from where Stinger.exe is run. Within Stinger, navigate to the log TAB and the logs are displayed as list with time stamp, clicking on the log file name opens the file in the HTML format.

Q: Where are the Quarantine files stored?
A: The quarantine files are stored under C:\Quarantine\Stinger.

Q: What is the "Threat List" option under Advanced menu used for?
A: The Threat List provides a list of malware that Stinger is configured to detect. This list does not contain the results from running a scan.

Q: Are there any command-line parameters available when running Stinger?
A: Yes, the command-line parameters are displayed by going to the help menu within Stinger.

Q: I ran Stinger and now have a Stinger.opt file, what is that?
A: When Stinger runs it creates the Stinger.opt file that saves the current Stinger configuration. When you run Stinger the next time, your previous configuration is used as long as the Stinger.opt file is in the same directory as Stinger.

Q: Stinger updated components of VirusScan. Is this expected behavior?
A: When the Rootkit scanning option is selected within Stinger preferences – VSCore files (mfehidk.sys & mferkdet.sys) on a Trellix endpoint will be updated to 22.x. These files are installed only if newer than what's on the system and is needed to scan for today’s generation of newer rootkits. If the rootkit scanning option is disabled within Stinger – the VSCore update will not occur.

Q: Does Stinger perform rootkit scanning when deployed via ePO?
A: We’ve disabled rootkit scanning in the Stinger-ePO package to limit the auto update of VSCore components when an admin deploys Stinger to thousands of machines. To enable rootkit scanning in ePO mode, please use the following parameters while checking in the Stinger package in ePO:

--reportpath=%temp% --rootkit

For detailed instructions, please refer to KB 77981

Q: What versions of Windows are supported by Stinger?
A: Windows 2008 R2, 7, 8, 10, 2012, 2016, RS1, RS2, RS3, RS4, RS5, 19H1, 19H2, 20H1, 20H2, 21H1. In addition, Stinger requires the machine to have Internet Explorer 8 or above.

Q: What are the requirements for Stinger to execute in a Win PE environment?
A: While creating a custom Windows PE image, add support for HTML Application components using the instructions provided in this walkthrough.

Q: How can I get support for Stinger?
A: Stinger is not a supported application. Trellix Labs makes no guarantees about this product.

Q: How can I add custom detections to Stinger?
A: Stinger has the option where a user can input upto 1000 MD5 hashes as a custom blacklist. During a system scan, if any files match the custom blacklisted hashes - the files will get detected and deleted. This feature is provided to help power users who have isolated a malware sample(s) for which no detection is available yet in the DAT files or GTI File Reputation. To leverage this feature:

1. From the Stinger interface, go to the Advanced → Blacklist tab.
2. Input MD5 hashes to be detected either via the Enter Hash button or click the Load hash List button to point to a text file containing MD5 hashes to be included in the scan. SHA1, SHA 256 or other hash types are unsupported.
3. During a scan, files that match the hash will have a detection name of Stinger!<first 12 characters of the MD5 of the detected file>. Full dat repair is applied on the detected file.
4. Files that are digitally signed using a valid certificate or those hashes which are already marked as clean in GTI File Reputation will not be detected as part of the custom blacklist. This is a safety feature to prevent users from accidentally deleting files.

Resources

Release Notes