Responding to Incidents and spotting Malware with Mandiant Red Curtain

To setup or run Mandiant Red Curtain Microsoft .NET Framework 2.0 needs to be installed. You can check whether it is already present in Control Panel where you add, remove or view installed programs. If it missing you can download it from Microsoft for free.

Mandiant Red Curtain 1.0 needs approximately 4 MB of disk space only.

The installation is easy and starts with the welcome screen, followed by EULA. On the next screen you can change the install path as well as switching the installation from including everyone to just me if you want. In the window after the pre-installation summary click Close when the installation is complete.

The MRC GUI obeys the KIS (Keep It Simple) paradigm, and lets you navigate to a file or folder you want to scan for malware. Its result window, exemplified in the second image below, contains an overview of Mandiant Red Curtain results along pertinent details such as anomalies found in the details screen.

I suggest sorting the view with descending threat score.

Based on common entry points of malware as well as footprints including, but not limited, to obfuscation, encryption and compression Mandiant Red Curtain calculates a threat score for files and folder it analyzes. The higher the threat score the higher the probability that a certain file or executable is malware.

Reported suspicious files must be further examined and analyzed though, but this a common a situation for people trained in incident response, and, in fact, the nature of the game and not a deficit of the software.

Thus, MRC can be a free helpful tool, and the software ships with an agent for data collection without the need for the full install of Mandiant Red Curtain on a remote machine.

It took Mandiant Red Curtain approximately twice as much time to scan my C drive than it takes my anti-virus scanner, but MRC displayed a number of high score items along with their anomaly that my antivirus/antimalware software never reported.

The concise help file explains the inner workings of Mandiant Red Curtain and is definitively worth reading. When I sent the vendor an email requesting further information regarding system requirements they did not respond within 5 business days.

Mandiant Red Curtain 1.0 is completely free.