How to trace the actions performed by a virus?

I strongly recommend running that virus in an artificial environment like a sandbox so you won't affect your personal computer! In this way you can track its activity through the sandbox's own CLI/GUI.

Sandbox examples: Cuckoo Sandbox, Sandboxie, etc.

The other way around:

Use a virtual environment to test the malware and manually track its activity.

After the fact? Very unlikely, unless you have full egress logging and remote audit files of the system that was compromised, and even then it's not 100% reliable.

If you want to know what a virus does, there are always malware analyzers like Cuckoo.

It's not clear whether you are planning how to do this in case you get a virus, have already had a virus and want to do incident response, or have a virus in mind and want to watch it do its work.

You have some freely available tools to do this, but if you aren't proficient in these tools, you will fail. So, the real answer is "get proficient with these tools BEFORE you attempt to use them to do incident response". By 'proficient' I mean that you can quickly filter out what is "normal" so you can spot the abnormal. Trying this can be a way to get proficient with these tools, but don't expect to be successful while you are learning.
If the virus has admin privileges, it can cause these tools to not be reliable.
The tools I am thinking of are...

  1. Windows Event Logs: This is the first stop in forensic reconstruction of what happened. I don't mean "forensically sound" as in "usable as evidence". This paper in the SANS Reading Room details some ways to use the Windows Event Logs, including misspellings of common executables and processes running from a non-standard path.
  2. Netstat: If the communication is ongoing, Netstat can identify the process that is communicating with malicious hosts.
  3. Process Monitor: See what actions the above process is performing. This won't be useful if you are trying to learn things after the fact.
  4. Wireshark: Analyze the packet-level communication of this virus. What is contained in those TCP packets? What techniques is it using to bypass security controls and avoid detection? A good inspiration for using Wireshark this way comes from this excellent presentation at a Wireshark conference. Yes, it is more than 1 hour long, but it is worth it.

There are many more tools for malware analysis that I have no knowledge of.
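The two event-log heuristics mentioned in item 1 above (common executables running from a non-standard path, and look-alike misspellings of their names) as an added Python example that is not from any answer on this page. It assumes a small hand-built reference table of system binaries and their expected directories, a constructed list of process-creation records, and an edit-distance threshold of 2; all three are assumptions for illustration.

```python
import ntpath

# Assumed reference table (not from the page): commonly impersonated
# Windows binaries and the directories they are expected to run from.
# Lower-case because Windows paths are case-insensitive.
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}
LOOKALIKE_THRESHOLD = 2  # assumed; max edits for a name to count as a look-alike

def edit_distance(a, b):
    """Levenshtein distance between two strings (used to spot misspelled names)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(image_path):
    """Return a reason string if the process image looks suspicious, else None."""
    path = image_path.lower().replace("/", "\\")
    name = ntpath.basename(path)
    directory = ntpath.dirname(path).rstrip("\\")
    if name in EXPECTED_DIRS:  # known binary: is it where it should be?
        if directory not in EXPECTED_DIRS[name]:
            return f"{name} running from non-standard path {directory}"
        return None
    for known in EXPECTED_DIRS:  # unknown name: is it a near-miss of a known one?
        if edit_distance(name, known) <= LOOKALIKE_THRESHOLD:
            return f"{name} looks like a misspelling of {known}"
    return None

def find_suspicious(records):
    """records: (pid, image_path) tuples from a process-creation log."""
    hits = []
    for pid, path in records:
        reason = classify(path)
        if reason:
            hits.append((pid, reason))
    return hits

# Constructed sample records standing in for parsed process-creation events.
SAMPLE_RECORDS = [
    (812, r"C:\Windows\System32\svchost.exe"),       # legitimate
    (4120, r"C:\Users\Public\svchost.exe"),           # right name, wrong directory
    (4388, r"C:\Windows\Temp\svch0st.exe"),           # look-alike name
    (1040, r"C:\Windows\explorer.exe"),               # legitimate
    (2212, r"C:\Program Files\Vendor\updater.exe"),   # unknown, not a look-alike
]
```

Feed it real process-creation events (for example, the image path from Event ID 4688 records) once you have parsed them into the same (pid, path) shape.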