Sunday, May 15, 2011

New Microsoft SDL (and malware analysis) tool


Microsoft has released a new SDL tool that checks for attack vectors introduced by a program. Among the attack vectors it checks are open sockets, services running by default, weak ACLs, dynamic web pages, enabled ActiveX controls, and enabled guest accounts. It identifies changes in these attack vectors and reports them.

Some of the things that can be done with the tool include:
  • Developers can view changes in the attack surface resulting from the introduction of their code onto the Windows platform
  • IT professionals can assess the aggregate attack surface change caused by the installation of an organization's line-of-business applications
  • IT security auditors can evaluate the risk of a particular piece of software installed on the Windows platform during threat risk reviews
But, in my opinion, the most valuable use of the tool is in malware analysis and incident response. The tool lets you take a snapshot of a system as a baseline and compare it with a later snapshot, detecting changes such as added files, registry keys, services, ActiveX controls, listening ports, access control lists, and other parameters. This lets the investigator see the effect of malware, or of a legitimate program, on a system.
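
The baseline-and-compare workflow described above, as an added Python example that is not part of the original post or of Microsoft's tool: two constructed snapshots (the categories, object names and attribute names are my assumptions) are diffed, and the delta entries that widen the attack surface are flagged the way an analyst would want them called out.

```python
"""Baseline-vs-current snapshot diff, modelled on the snapshot comparison the post
describes.  Both snapshots are constructed sample data, not output of Microsoft's
tool; the category and attribute names are assumptions made for illustration."""
from dataclasses import dataclass, field

RUN = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
# snapshot layout: {category: {object name: {attribute: value}}}
BASELINE = {
    "services": {"Spooler": {"start": "auto", "image": r"C:\Windows\System32\spoolsv.exe"}},
    "ports":    {"tcp/135": {"process": "svchost.exe"}},
    "acls":     {r"C:\Program Files\App": {"Everyone": "Read"}},
    "registry": {RUN + r"\OneDrive": {"value": "OneDrive.exe"}},
}
AFTER = {   # constructed snapshot taken after running the sample under analysis
    "services": {"Spooler": {"start": "auto", "image": r"C:\Windows\System32\spoolsv.exe"},
                 "UpdSvc":  {"start": "auto", "image": r"C:\Users\Public\update.exe"}},
    "ports":    {"tcp/135": {"process": "svchost.exe"}, "tcp/8085": {"process": "update.exe"}},
    "acls":     {r"C:\Program Files\App": {"Everyone": "FullControl"}},
    "registry": {RUN + r"\OneDrive": {"value": "OneDrive.exe"}, RUN + r"\Upd": {"value": "update.exe"}},
}

@dataclass
class Delta:
    added: dict = field(default_factory=dict)    # name -> attributes
    removed: dict = field(default_factory=dict)  # name -> attributes
    changed: dict = field(default_factory=dict)  # name -> (before, after)

def diff_snapshots(baseline, current):
    """Return {category: Delta} for every category whose objects differ."""
    report = {}
    for cat in sorted(set(baseline) | set(current)):
        before, after = baseline.get(cat, {}), current.get(cat, {})
        d = Delta({n: after[n] for n in after.keys() - before.keys()},
                  {n: before[n] for n in before.keys() - after.keys()},
                  {n: (before[n], after[n]) for n in before.keys() & after.keys()
                   if before[n] != after[n]})
        if d.added or d.removed or d.changed:
            report[cat] = d
    return report

def attack_surface_findings(report):
    """Flag delta entries that widen the attack surface: new listening ports, new
    auto-start services, new Run keys, and ACLs now granting Everyone FullControl."""
    f = [f"new listening port {p}" for p in report.get("ports", Delta()).added]
    f += [f"new auto-start service {s} -> {a['image']}"
          for s, a in report.get("services", Delta()).added.items() if a.get("start") == "auto"]
    f += [f"new autorun key {k}" for k in report.get("registry", Delta()).added if k.startswith(RUN)]
    f += [f"ACL on {p} now grants Everyone FullControl" for p, (_, now) in
          report.get("acls", Delta()).changed.items() if now.get("Everyone") == "FullControl"]
    return f
```

Running `attack_surface_findings(diff_snapshots(BASELINE, AFTER))` on the constructed data yields four findings: a new listening port, a new auto-start service, a new Run key, and a loosened ACL.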

The tool can be downloaded from here.

