
Frequently Asked Questions

  1. What do I get with Gargoyle?
  2. What is Malware?
  3. Should I be concerned about Malware?
  4. Can Malware be detected with 100% certainty?
  5. Why can’t I just look for installed programs under C:\Program Files or in the Control Panel?
  6. What types of Malware can Gargoyle detect?
  7. How often are Gargoyle datasets updated?
  8. How do I renew my product?
  9. How do I get updates after I buy the software?
  10. Do you offer training on malware detection and investigation?
  11. I just ran a Gargoyle scan on a system and it reported that it found many malware applications. Should I be concerned?
  12. How does Gargoyle find malicious software?
  13. Can Gargoyle scan forensic drive images?
  14. How does Gargoyle differ from an Antivirus tool like Symantec or McAfee?
  15. How do I get updates to the malware datasets?
  16. What kind of reporting does Gargoyle provide?
  17. Does Gargoyle scan archived files?
  18. If I want to investigate a machine across my network, can Gargoyle help me?
  19. What is the Create Gargoyle Hash File.EnScript in my install directory?
What do I get with Gargoyle?
There are two deliverables for the Gargoyle Investigator™ product line: an Electronic Software Download (ESD) version licensed for use on a single machine, or a token-based product that enables scanning on multiple systems or in the field.

What is Malware?
Malware, short for malicious software, is designed to wreak havoc, hide potentially incriminating information, and disrupt or damage computer systems.

Should I be concerned about Malware?
Yes, various types of malware exist on home and corporate computers. Many have legitimate uses, while others have a very specialized use. Is there a reason why a suspected terrorist has steganographic applications on his system? Why does your secretary have a password cracker on her workstation? Should a high school lab system have a virus building toolkit on it?

Can Malware be detected with 100% certainty?
Yes and no. Gargoyle detects the presence of files installed by a particular malicious application by matching file hashes against its datasets. A detection means that a file's hash matches a file shipped by one or more catalogued malware applications. It does not by itself prove that the application was installed: the same file may also be shipped by a legitimate application, and a detection of that kind is a false positive. Each Gargoyle dataset is checked against various test systems and the NIST NSRL before release to minimize potential false positives. The converse also applies: because the final match is an exact hash comparison, a file whose bytes have been altered (recompiled, repacked or patched) will not match the dataset, so a clean scan is not proof of absence.

Why can’t I just look for installed programs under C:\Program Files or in the Control Panel?
You can, but someone who wants to hide an application will rename it, install it into an unlikely directory, or move its files. Many malware applications have no installer: they are simply extracted into any directory and never appear in the Control Panel. Gargoyle instead searches for the files that constitute the malicious program by their content (their hashes), so the location and name of the files are not relevant.

What types of Malware can Gargoyle detect?
Gargoyle can detect over 20 different types of malware. Gargoyle is currently distributed with the following datasets: Encryption, Key Logging, Piracy, Virus Creation Toolkits, Scareware, Wireless Network Exploits, Trojan Horses, Rootkits, Password Cracking, Denial of Service (DoS) attacks, Spyware, Botnets, Mobile Malware, Anti-forensics, Credit Card Fraud tools, P2P, Exploit Scanners and Remote Access programs.

How often are Gargoyle datasets updated?
Gargoyle datasets are continually being updated. A minimum of 12 releases per year are guaranteed to those who have an active dataset subscription.

How do I renew my product?
There are two ways to renew your product: 1) yearly maintenance, which includes product version upgrades and technical support; and 2) a Dataset Subscription, which provides a minimum of 12 dataset updates per year. For pricing and additional information, please contact your Account Representative.

How do I get updates after I buy the software?
Each Gargoyle customer will need to activate his/her copy by logging into the customer support portal located on our homepage. Each customer is provided a unique login account that makes downloading the newest version of the datasets quick and easy. To update the datasets, navigate to the HELP menu and select UPDATE DATASETS.

Do you offer training on malware detection and investigation?
Yes, WetStone offers a two day, hands-on training course that provides in-depth training on the process of investigating malicious software as it pertains to the hacking process. For more details, please contact sales@wetstonetech.com.

I just ran a Gargoyle scan on a system and it reported that it found many malware applications. Should I be concerned?
The answer depends on the number of files found per program, the types of files found, the programs detected, their categories, and where the files were found. Work through the detections in this order:
  1. Verify the list of loaded datasets, and ask whether each detected program could plausibly be present. For example, an encryption library or an anti-forensics utility is often installed as a component of a standard application without the user knowingly installing it.
  2. Check how many files, and what proportion of the program's files, were found. A high number of found files for a particular program indicates a higher likelihood that the program is installed; a high percentage for a product that consists of only a few files does not support the same conclusion.
  3. Check where the files were found. Are they in an obviously named directory, in the System directory, or buried in an obscure directory? The location of a file may say more about how it was used.
  4. Consider false positive detections. What types of files were found? Although every effort is taken to ensure that the Gargoyle datasets are up to date and accurate, false positive detections may occur because users may have software installed that we have not tested. This usually happens with simple, small, common files such as icon, image or installation files. If you find any known false positive detections, please report them to our support staff so that they can update the Gargoyle datasets.

How does Gargoyle find malicious software?
Gargoyle detects malicious software by hashing each file it examines: a fast Fibonacci hash serves as a pre-filter, and any candidate match is then verified against the dataset with a full MD5 hash.
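The following is an added illustration of that two-stage lookup, written for this page; it is not Gargoyle's code, and the choice of pre-filter key (file size mixed with the first eight bytes), the table size, the sample "dataset" files and the program names are all assumptions made here. A Fibonacci hash (Knuth's multiplicative hashing with 2^64/phi) of a cheap per-file key selects a bit in a small table; only files whose bit is set get a full MD5 computed and looked up. The demo also shows the two caveats from the FAQ: a dataset file that also appears in an NSRL-style known-good set is flagged as a false positive candidate, and a file with one byte changed passes the pre-filter but fails the exact MD5 match.

```python
"""Two-stage hash-set lookup: a Fibonacci-hash pre-filter in front of a full MD5 check (example code)."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Knuth's multiplicative-hashing constant: floor(2**64 / golden ratio), an odd 64-bit value.
FIB64 = 0x9E3779B97F4A7C15
MASK64 = (1 << 64) - 1
PREFILTER_BITS = 20  # 2**20-bit table = 128 KiB; sized here by assumption


def fibonacci_hash(key: int, bits: int = PREFILTER_BITS) -> int:
    """Fibonacci hashing: multiply by 2**64/phi and keep the top `bits` bits (the best-mixed ones)."""
    return ((key & MASK64) * FIB64 & MASK64) >> (64 - bits)


def quick_key(size: int, head: bytes) -> int:
    """Cheap key available without reading the whole file: size mixed with the first 8 bytes.
    This particular key is an assumption of this example."""
    head_int = int.from_bytes(head[:8].ljust(8, b"\0"), "little")
    return ((size << 13) ^ head_int) & MASK64


@dataclass
class ScanResult:
    stage: str                              # "prefilter_rejected", "md5_miss" or "hit"
    md5: Optional[str] = None               # only computed when the pre-filter passes
    programs: List[str] = field(default_factory=list)
    in_known_good: bool = False             # also present in the NSRL-style known-good set


class HashDataset:
    def __init__(self, known_good_md5s: Optional[Set[str]] = None):
        self.bits = bytearray(1 << (PREFILTER_BITS - 3))   # one bit per pre-filter slot
        self.md5_index: Dict[str, List[str]] = {}
        self.known_good = set(known_good_md5s or ())

    def add(self, program: str, data: bytes) -> None:
        """Register one file shipped by `program`: set its pre-filter bit and index its MD5."""
        slot = fibonacci_hash(quick_key(len(data), data[:8]))
        self.bits[slot >> 3] |= 1 << (slot & 7)
        self.md5_index.setdefault(hashlib.md5(data).hexdigest(), []).append(program)

    def scan(self, data: bytes) -> ScanResult:
        slot = fibonacci_hash(quick_key(len(data), data[:8]))
        if not self.bits[slot >> 3] & (1 << (slot & 7)):
            return ScanResult("prefilter_rejected")        # common case: no MD5 work at all
        digest = hashlib.md5(data).hexdigest()
        programs = self.md5_index.get(digest)
        if not programs:
            return ScanResult("md5_miss", digest)           # pre-filter collision, or an altered file
        return ScanResult("hit", digest, list(programs), digest in self.known_good)


def demo() -> Dict[str, ScanResult]:
    """Constructed sample files (not real malware) exercising each outcome."""
    keylogger_exe = b"MZ\x90\x00keylogger-sample-binary" + bytes(range(256))
    shared_icon = b"\x00\x00\x01\x00shared-icon-resource" * 3
    ds = HashDataset(known_good_md5s={hashlib.md5(shared_icon).hexdigest()})
    ds.add("ExampleKeylogger", keylogger_exe)
    ds.add("ExampleKeylogger", shared_icon)   # the tool ships an icon that legitimate software also ships
    return {
        "intact": ds.scan(keylogger_exe),
        "patched": ds.scan(keylogger_exe[:-1] + b"\x01"),   # same size and head, one byte changed
        "icon": ds.scan(shared_icon),
        "clean": ds.scan(b"plain text document, nothing to see here"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:8} {result.stage:19} {result.programs} known_good={result.in_known_good}")
```

The pre-filter never produces false negatives on its own, because every dataset file sets its bit at registration; its only job is to avoid hashing the bulk of a filesystem. The "patched" case is the evasion to remember: exact-match hashing finds the file as shipped, not a recompiled or repacked copy.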

Can Gargoyle scan forensic drive images?
Yes, Gargoyle has the capability to mount and scan DD/RAW, SMART, ISO, and SafeBack images.

How does Gargoyle differ from an Antivirus tool like Symantec or McAfee?
Most antivirus products look primarily for virus and Trojan horse signatures. Gargoyle scans for a broader range of malware, including botnets, anti-forensic tools, denial of service applications, wired and wireless surveillance programs, rootkits, P2P clients, mobile malware, key loggers and more.

How do I get updates to the malware datasets?
Each customer is given a unique login account for the WetStone Customer Support Portal on the WetStone Technologies website, which makes downloading the newest version of the datasets quick and easy. Customers use the portal to download the updated .cab file, which Gargoyle uses to apply the updates automatically.

What kind of reporting does Gargoyle provide?
As with most forensic tools, reporting is a key requirement. Gargoyle Investigator provides an extensive, configurable XML Evidence Report.

Does Gargoyle scan archived files?
Gargoyle scans inside archives, including .zip, .rar, .jar, .bh, .arj, .lha, .lzh, .tar, .war, .enc and .bz2 files.
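As an added example (not Gargoyle's code), here is what hash-scanning inside archives involves for the zip family (.zip, .jar and .war, which share one container format): walk every member, hash its contents, and descend into members that are themselves archives, so that a catalogued file keeps being found when it is renamed or nested. The sample file, its MD5 index and the program name are constructed for the demo. Two guards a practitioner wants are included: a nesting-depth limit, and a cap on inflated bytes enforced while reading, since the size declared in a zip header is attacker-controlled.

```python
"""Hash-scan archive members, descending into nested zip-family archives (example code)."""
import hashlib
import io
import zipfile
from typing import Dict, List, Optional, Tuple

ZIP_FAMILY = (".zip", ".jar", ".war")   # what zipfile opens; .rar/.arj/.lha/.lzh need other libraries
MAX_DEPTH = 4                           # stop descending into archives nested deeper than this
MAX_MEMBER_BYTES = 64 * 1024 * 1024     # stop inflating a member past 64 MiB (decompression-bomb guard)

# Constructed sample file and hash index; not a real tool and not a Gargoyle dataset.
CRACKER_DLL = b"MZ\x90\x00example-password-cracker-module" + bytes(range(128))
SAMPLE_INDEX: Dict[str, str] = {hashlib.md5(CRACKER_DLL).hexdigest(): "ExamplePasswordCracker"}


def read_capped(zf: zipfile.ZipFile, info: zipfile.ZipInfo) -> Optional[bytes]:
    """Inflate one member in chunks; the cap is applied to bytes actually produced,
    not to the declared info.file_size, which a crafted archive can misstate."""
    buf = bytearray()
    with zf.open(info) as fh:
        while chunk := fh.read(65536):
            buf.extend(chunk)
            if len(buf) > MAX_MEMBER_BYTES:
                return None
    return bytes(buf)


def scan_zip_bytes(blob: bytes, md5_index: Dict[str, str], path: str = "archive.zip",
                   depth: int = 0) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Return (hits, skipped). hits are (virtual_path, program) pairs for members whose MD5 is in
    md5_index; virtual paths use '!' between archive levels, e.g. outer.zip!tools.jar!lib/x.dll."""
    hits: List[Tuple[str, str]] = []
    skipped: List[str] = []
    if depth > MAX_DEPTH:
        return hits, [f"{path}: nested too deep"]
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return hits, [f"{path}: not a zip archive"]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member_path = f"{path}!{info.filename}"
            data = read_capped(zf, info)
            if data is None:
                skipped.append(f"{member_path}: exceeds {MAX_MEMBER_BYTES} bytes")
                continue
            program = md5_index.get(hashlib.md5(data).hexdigest())
            if program:
                hits.append((member_path, program))      # the member's name is irrelevant to the match
            if info.filename.lower().endswith(ZIP_FAMILY):
                inner_hits, inner_skipped = scan_zip_bytes(data, md5_index, member_path, depth + 1)
                hits.extend(inner_hits)
                skipped.extend(inner_skipped)
    return hits, skipped


def build_sample_archive() -> bytes:
    """Constructed input: outer.zip holds readme.txt, tools.jar (containing lib/cracker.dll)
    and the same DLL bytes stored under an innocuous name."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("lib/cracker.dll", CRACKER_DLL)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("readme.txt", b"nothing suspicious here")
        z.writestr("tools.jar", inner.getvalue())
        z.writestr("notes.bin", CRACKER_DLL)
    return outer.getvalue()


if __name__ == "__main__":
    found, skipped_members = scan_zip_bytes(build_sample_archive(), SAMPLE_INDEX, "outer.zip")
    for vpath, prog in found:
        print(f"{prog}: {vpath}")
    for note in skipped_members:
        print("skipped:", note)
```

The same walk applies to .tar and .bz2 with the standard library's tarfile and bz2 modules; the other formats in the list above need third-party decoders. Whatever the container, hash the inflated bytes rather than trusting member names or extensions.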

If I want to investigate a machine across my network, can Gargoyle help me?
Both the G-PRO and G-FLASH versions allow a single scan of a machine over the network, provided you have administrative credentials. The Gargoyle Enterprise Module (GEM) allows you to scan an unlimited number of machines concurrently.

What is the Create Gargoyle Hash File.EnScript in my install directory?
This EnScript allows investigators to interoperate with Guidance Software's EnCase®. Move the file into your EnCase® EnScript directory and you will be able to run Gargoyle hashing from within EnCase®. After running the script, import the .xml file generated by EnCase® from the Hash tab within Gargoyle.