2016-04-12 Update: Removed link to image.

Microsoft recently released a beta version of their Attack Surface Analyzer, which compares two system snapshots and reports on the differences. Designed as a security auditing tool, it can also function nicely for testing malware. It is a static tool, unlike Digital DNA and others. I downloaded this a few days ago and was kind of waiting for someone else to review it. Although a few have mentioned it, no one seems to have run it yet. So, I broke down. Installation and execution are straightforward. After selecting a new scan and setting a path, the following dialog appears while it scans the machine.

Two main outputs are created during a scan: the “data” directory and a cab file. The data directory contains the XML files generated during the last scan. Each of the enumerated scans shown in the above screenshot is its own XML file, and there are others besides. The directory is then compressed into a cab file. The cab file follows a naming convention of “Hostname_ASAVersion_Date_Time.cab”. As an example, my file was titled “RAGE_5.1.3_2011-01-23_17-26-57.cab”. The time field is GMT and not local time.
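As an added example (not part of the original post or of Microsoft's tool), the naming convention above can be parsed to pick a baseline and product scan per host from a folder of cab files. The names `Scan`, `parse_scan_name` and `pair_scans` are hypothetical, and treating the earliest scan as the baseline and the latest as the product is an assumption, as is allowing underscores in the hostname.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
from typing import NamedTuple

class Scan(NamedTuple):
    filename: str
    hostname: str
    asa_version: str
    taken_utc: datetime

def parse_scan_name(filename):
    """Parse Hostname_ASAVersion_Date_Time.cab; return None if it does not match."""
    if not filename.lower().endswith(".cab"):
        return None
    # Split from the right: a hostname may itself contain underscores (assumption).
    parts = filename[:-4].rsplit("_", 3)
    if len(parts) != 4 or not parts[0]:
        return None
    host, version, date, clock = parts
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        return None
    try:
        stamp = datetime.strptime(f"{date}_{clock}", "%Y-%m-%d_%H-%M-%S")
    except ValueError:
        return None
    # The time field is GMT, so attach UTC explicitly instead of assuming local time.
    return Scan(filename, host, version, stamp.replace(tzinfo=timezone.utc))

def pair_scans(filenames):
    """Per host, return (baseline, product) as (earliest, latest) scan (assumption)."""
    by_host = defaultdict(list)
    for name in filenames:
        scan = parse_scan_name(name)
        if scan:
            by_host[scan.hostname.upper()].append(scan)
    ordered = {h: sorted(s, key=lambda x: x.taken_utc) for h, s in by_host.items()}
    return {h: (s[0], s[-1]) for h, s in ordered.items() if len(s) >= 2}

# Constructed sample listing; only the first name is taken from the post.
SAMPLE = [
    "RAGE_5.1.3_2011-01-23_17-26-57.cab",
    "RAGE_5.1.3_2011-01-23_18-02-10.cab",    # constructed
    "LAB_PC_5.1.3_2011-01-24_09-00-00.cab",  # constructed, underscore in hostname
    "LAB_PC_5.1.3_2011-01-24_09-45-30.cab",  # constructed
    "RAGE_5.1.3_2011-13-40_17-26-57.cab",    # constructed, invalid date, skipped
]
```

Calling `scan.taken_utc.astimezone()` on a parsed scan gives the local time of the analyst's machine, which helps when lining scans up against locally timestamped logs.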

Each scan took roughly 10 minutes to complete. The data directory weighs around 134 MB and the cab file is a mere 6.9 MB. The time and sizes of each scan will depend on a number of factors, but this should be a general idea of what to expect.

Once two scans have been completed (a “baseline” and “product” scan), a report can be generated that compares the two for differences. The report consists of three files stored in a directory named after the “product” scan. The files are the main “report.html,” a “help.html” which is a glossary of terms, and a “logo.png.” This directory is self-contained and can be transported or archived without worrying about potentially breaking links.

I did not pick the most interesting of applications, but I was itching to try out Quake Live (which, by the way, is extremely fun and works perfectly in both FF4 and Chrome). A few ACL warnings were produced for files and directories that could be tampered with. The most interesting area is the Attack Surface tab, which lists service and network information. If you read Checking ASLR by Didier Stevens, you will notice the ASLR flags under the service information section. Since it was running out of Chrome, it appears that anything Chrome-related was noted with regard to network information. It’s interesting and much more involved than a utility such as RegShot. For what it’s worth, here is a sample report for the Attack Surface.


Attack Surface Analyzer is an interesting utility that does more than RegShot and has some benefits for malware testing and application validation. It will require some toying with to better understand how it may be useful to you specifically.