Skip to content

2171001/Obliviscan

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

35 Commits
 
 
 
 
 
 
 
 

Repository files navigation

Obliviscan

Obliviscan is a comprehensive PowerShell-based malware scanning, removal, and system-hardening script designed to secure Windows systems. It utilizes Windows Defender for scanning, flags and removes detected threats, unlocks BitLocker-encrypted drives for full scanning access, cleans up unnecessary files, and applies additional security measures.

Comprehensive Malware Scanner and System Hardening Script

This PowerShell script provides a robust solution for scanning your Windows system for malware, repairing file integrity, cleaning up unnecessary files, and applying essential security hardening. It combines features such as rootkit scanning, Windows Defender antivirus checks, and system cleanup with enhanced security measures, including Windows Firewall and exploit protection.

Table of Contents


Features

  • Administrator Check and Auto-Relaunch: Ensures the script runs with administrator privileges by auto-relaunching with elevated permissions if necessary.
  • Malware Detection and Removal: Uses Windows Defender to scan for and remove various types of malware, including:
    • Boot sector virus
    • Macro virus
    • Program virus
    • Multipartite virus
    • Encrypted virus
    • Polymorphic virus
    • Metamorphic virus
    • Stealth virus
    • Armored virus
    • Hoax virus
  • BitLocker Support: Detects and unlocks BitLocker-encrypted drives to ensure they are scanned.
  • System Cleanup: Cleans temporary files, user temp files, and Windows Update cache, with retry logic for files actively in use.
  • System Security Hardening: Applies key security settings, including:
    • Enabling Windows Firewall
    • Enabling Secure Boot (if supported by hardware)
    • Applying exploit protections (DEP, SEHOP, ASLR, and more)
  • Conditional Admin Prompt: Automatically prompts for administrator privileges only if the script is initially run without them. The script relaunches with elevated permissions, and the PowerShell window remains open for review after completion.
  • Advanced Exploit Mitigations: Enables system-wide protections such as DEP, SEHOP, CFG, and more to safeguard against memory-based attacks.
  • Credential Guard and VBS: Protects sensitive credentials and strengthens system security using virtualization-based security.
  • Memory Integrity (HVCI): Prevents malicious kernel-mode drivers from loading.
  • Attack Surface Reduction (ASR): Enforces rules to block common exploit techniques (requires Microsoft Defender).
  • Ransomware Protection: Enables Controlled Folder Access to protect critical directories from unauthorized changes.
  • Firewall and Protocol Hardening: Configures Windows Firewall rules and disables legacy protocols like SMBv1, LLMNR, and NetBIOS.
  • Tamper Protection: Prevents unauthorized changes to Windows Defender settings.
  • UAC Hardening: Enhances User Account Control for stricter elevation prompts.

Requirements

  • Windows 10/11 with PowerShell 5.1 or higher.
  • Administrator Privileges: Script automatically prompts for administrator privileges if not already running as administrator.
  • Windows Defender Enabled and up-to-date.
  • Sysinternals RootkitRevealer (optional for rootkit detection)

Note: Certain advanced malware types, such as polymorphic viruses or boot sector threats, may require additional specialized tools for complete removal.

Setup

  1. Download the Script: Save the Obliviscan.ps1 file to a directory on your Windows machine.
  2. BitLocker Preparation: Ensure you have your BitLocker recovery key handy, as the script will prompt for it to unlock any encrypted volumes.
  3. Download RootkitRevealer:
    • Visit the Sysinternals website to download RootkitRevealer.
    • Place RootkitRevealer.exe in a folder, e.g., C:\Tools\RootkitRevealer\.
  4. Edit the Script: Update the path to RootkitRevealer in the script:
    $rootkitRevealerPath = "C:\Tools\RootkitRevealer\RootkitRevealer.exe"

Usage

  1. Run PowerShell as Administrator (Optional):
    • The script automatically checks and prompts for administrator privileges if not initially run with them.
    • Open PowerShell, navigate to the directory containing Obliviscan.ps1.
    • Set Execution Policy to allow the script to run (if not already set):
      Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
  2. Execute the Script:
    .\Obliviscan.ps1
  3. Administrator Privileges: The script automatically checks for administrator privileges and re-launches with elevated permissions if necessary.
  4. Advanced Security Features: Certain features, such as Credential Guard, Memory Integrity, and Attack Surface Reduction, require a system reboot or hardware support (e.g., Secure Boot and virtualization).
  5. Compatibility Note: Some advanced mitigations (e.g., SMBv1 disable, Memory Integrity) may cause compatibility issues with older applications or devices. Review system requirements before execution.
  • If the script detects that it is not running with administrator privileges, it will prompt for elevation automatically.

Detailed Functionality

  1. Administrator Privilege Check
    • The script verifies if it is running as administrator. If not, it restarts itself with elevated permissions to ensure it has full access to system-level functions.
  2. Quick Malware Detection and Removal
    • Uses Windows Defender to perform quick scans on essential directories (C:\Windows, C:\Users, C:\Program Files).
    • Scans for a wide range of malware types and removes detected threats automatically.
  3. BitLocker Volume Unlocking
    • Detects locked BitLocker-encrypted volumes and prompts for the recovery key to unlock them for scanning.
    • Ensures full disk access, even for encrypted drives.
  4. System Cleanup
    • Removes unnecessary files from:
      • C:\Windows\Temp
      • C:\Users\<User>\AppData\Local\Temp
      • C:\Windows\SoftwareDistribution (Windows Update Cache)
    • Uses retry logic to handle files in use by other processes.
  5. Security Hardening
    • Windows Firewall: Ensures the firewall is enabled across all network profiles.
    • Secure Boot Check: Detects if Secure Boot is enabled and recommends enabling it if not.
    • Exploit Protection: Enables various exploit protections (DEP, SEHOP, ASLR) to harden system defenses.

Notes and Considerations

  • Administrative Privileges: Required for the script’s full functionality, including malware removal and system-hardening tasks.
  • Advanced Malware: For highly advanced threats (e.g., polymorphic viruses, rootkits), consider pairing this tool with additional specialized software.
  • Resource Usage: The script runs multiple intensive tasks, so it’s recommended to execute it during off-hours to avoid interruptions.

Resources