Announcing Hawk Eye Analysis Tool (formerly Orion Malware Cleaner)

  • The Orion Remediation Tool is scheduled for a rebranding. Until the rebranding commences it will be known and referred to as "Orion Standalone Remediation Tool" or "Orion Malware Cleaner".

    Orion Remediation Tool

    A comprehensive user guide for the standalone threat remediation script.

    Thank you for choosing Orion Malware Cleaner. It's important to understand that this is not an antivirus replacement with real-time protection. Instead, it is a powerful, on-demand threat investigation and remediation toolkit designed for knowledgeable users to hunt for and remove active and dormant threats.

    This guide will walk you through the entire process, from launching the script to understanding its findings and taking action. The tool is designed to be powerful, but its effectiveness relies on informed decisions from you, the operator.

    The Boring Stuff (EULA)

    Use at Your Own Risk. This is a powerful tool that makes significant changes to your system, including deleting files and modifying the registry. By using this tool, you acknowledge that you are doing so at your own risk. The creators are not liable for any data loss, system instability, or other damages that may result from its use. It is strongly recommended that you back up any critical data before running a scan and performing remediation.

    Step 1: Preparation & Execution

    Before you even think about running a scan, a few preparatory steps are essential for the best results.

    Close All Applications! Before initiating a scan, save your work and close all open programs (web browsers, documents, games, etc.). This does two critical things:
    1. It prevents applications from locking files that the script may need to scan or remove.
    2. It gives the script a cleaner snapshot of your system's baseline activity, making it easier to spot anomalies.

    Running as Administrator

    The script needs deep access to the system to inspect processes, check system files, and modify the registry. It MUST be run with Administrator privileges.

    Execution Policy Bypass (Crucial!)

    Windows has a security feature called "Execution Policy" that prevents PowerShell scripts from running by default. To run Orion, you must bypass this policy for this single execution. This does not permanently change your system's security settings.

    1. Open the Start Menu and type PowerShell.
    2. Right-click on "Windows PowerShell" and select "Run as administrator".
    3. In the blue PowerShell window, first navigate to the directory where you saved the script. For example: cd C:\Users\YourUser\Desktop\Orion
    4. Now, execute the script using the bypass flag. Assuming your script is named sa.ps1, the command is:
      PowerShell.exe -ExecutionPolicy Bypass -File .\sa.ps1
    5. Press Enter. The Orion menu should now appear.

    Prerequisites & Automation

    The script's capabilities are enhanced by two external tools. The script will automatically search for them in its `modules` subfolder and in common installation paths.

    • 7-Zip: If 7-Zip is found, the script enables Quarantine mode. Instead of permanently deleting malicious files, it moves them into a password-protected zip archive. This is the safest option. Without 7-Zip, the script will fall back to permanent deletion.
    • Sysinternals Handle: This utility allows the script to identify and terminate processes that have a "lock" on a malicious file, enabling its removal. Without it, some locked files might require a system reboot to be deleted.

    Log & Quarantine Location

    All operational output, detailed text logs, and quarantine archives are stored in a dedicated folder for easy review: C:\Users\YourUsername\Documents\Orion_Logs\

    Step 2: Choosing Your Scan Level

    Orion offers three distinct scan levels, allowing you to tailor the depth and duration of the analysis to your needs. Before the menu appears, the script will quickly check the status of its Dynamic Cloud Intelligence (DCI) feeds and download updates if necessary.

    [10] Gentle Scan

    The fastest scan, designed to find live, active threats. It's a quick health check on what's currently happening on your system.

    • Scans running processes for anomalies.
    • Inspects loaded modules (DLLs).
    • Runs the live network monitor to watch for suspicious outbound connections.

    [20] Elevated Scan

    A more thorough investigation that includes everything from the Gentle scan, plus a hunt for dormant or persistent threats.

    • Scans high-risk folders (Downloads, Temp, etc.) for suspicious files.
    • Checks for common persistence mechanisms (e.g., Run Keys, Scheduled Tasks) that malware uses to restart itself.

    [30] Aggressive Scan

    The most comprehensive analysis. This is a deep-dive that uses multiple engines to inspect every corner of the system for threats, policy violations, and unwanted software.

    • Includes all previous checks.
    • Activates the Multi-Engine Static Analysis to look *inside* files for malicious characteristics.
    • Hunts for Potentially Unwanted Programs (PUPs), vulnerable drivers, and system tampering (e.g., disabled Task Manager).

    Step 3: Deconstructing the Report

    After the scan, the HTML report is your command center. Findings are grouped into categories, presented as collapsible "accordions". Understanding what each category represents is crucial for accurate remediation.

    Built-in Safety and Accuracy! Orion is designed to be both powerful and safe. It includes a Stability Control System to prevent removal of critical Microsoft files, and a Relationship Analysis Engine to intelligently reduce false positives on legitimate third-party software.

    Live Process Monitor

    This is a snapshot of all processes running on your system at the time of the scan. It is provided for informational and investigative purposes, allowing you to see which processes have network connections, if they are digitally signed, and if they have a visible window.

    Memory Anomaly Detections

    This category flags suspicious behavior happening in your computer's memory right now. These are active threats that require immediate attention.

    What you'll find here:

    LOLBin Abuse: "Living-off-the-Land Binaries" are legitimate Windows tools (like powershell.exe) being used maliciously. Orion detects this when they're launched by an unusual parent process (e.g., Word) or with suspicious command-line arguments.

    Process Masquerading: A malicious process naming itself after a critical Windows process, like svchost.exe, but running from the wrong location (e.g., a Temp folder instead of C:\Windows\System32).

    Process Injection: A legitimate process (like explorer.exe) has loaded an unsigned DLL from a suspicious, user-writable location. This is a classic malware hiding technique.

    Live Network Connections

    This accordion shows you which non-browser programs are communicating with the internet. It leverages both heuristics and Dynamic Cloud Intelligence (DCI)—a live threat feed of known malicious IPs and domains—to spot hidden C2 channels.

    What you'll find here:

    Botnet/C2 Detections: High-confidence alerts where a connection matches an entry in the DCI database or a strong heuristic, like a process connecting to an abused service (Discord CDN, Pastebin, Ngrok), a high-entropy domain (suggesting DGA malware), or directly to an IP address without resolving a domain name.

    Connection Info: Informational entries showing normal background activity. Review them for context, but they usually don't require action.

    Suspicious Files & Scripts

    This section is about potentially malicious files lying dormant on your hard drive. These might be droppers, payloads, or malicious scripts waiting to be executed.

    What you'll find here:

    Static Analysis Detections: Files flagged by looking inside them for suspicious indicators: high entropy (packed/encrypted), missing or fake version information, anti-analysis strings (like `VMWare`), suspicious imported functions, and more.

    Relationship Analysis: For files that look suspicious but have some legitimate properties, this engine provides a "Confidence" score. It checks for other signed files from the same software vendor nearby, helping to distinguish a legitimate installer component from a standalone threat.

    Suspicious Scripts/LNK/PDF: Scripts (.js, .vbs) with heavy obfuscation, shortcut files (.lnk) that point to malicious commands, and PDFs with active content keywords are flagged here.

    Dual-Use & Remote Access Tools

    This category lists legitimate software that, while useful for IT professionals, is the primary tool used by attackers and tech support scammers to gain control of a victim's computer.

    What you'll find here:

    Programs like AnyDesk, TeamViewer, LogMeIn, etc. If you did not explicitly ask a known, trusted IT contact to install this, it should be removed immediately.

    Suspicious Persistence Mechanisms

    Persistence is how malware survives a reboot. This category is one of the most critical, as it finds the hooks that malware embeds into the system to ensure it runs again every time you start your computer.

    What you'll find here:

    The script checks all the common hiding spots: Registry Run Keys, Scheduled Tasks, Windows Services, Startup Folders, and more. Finding an unsigned or strangely located program here confirms that the machine is compromised.

    Abused / Vulnerable Driver Detections

    This category flags the presence of legitimate, signed kernel drivers that are known to contain vulnerabilities. Attackers can abuse these drivers to disable security software or load their own malicious code into the kernel.

    What you'll find here:

    The script maintains a list of known-vulnerable drivers (e.g., dbk64.sys, gmer.sys). Finding one of these on your system is a high-risk indicator. Unless you have a specific, known reason for having this driver, it should be removed.

    Potentially Unwanted Programs (PUPs)

    PUPs are not viruses, but they are "junkware" that often comes bundled with other software. They can degrade performance, inject ads, and compromise your privacy.

    What you'll find here:

    Adware, browser toolbars, and "scareware" system cleaners. Generally, anything found here can be safely removed.

    System Tampering & Policy Changes

    This section detects when malware has deliberately weakened your system's security settings to make its job easier or to prevent you from fighting back.

    What you'll find here:

    Common findings include the Task Manager being disabled, Windows Defender exclusions being added for the malware's folder, or the HOSTS file being modified to block you from accessing security websites.

    CPR Toolbox (Clean, Repair, Optimize, Harden)

    This is a special category containing a suite of proactive tools for system maintenance, hardening, and optimization. These are optional actions you can take to improve your system's health and security posture.

    Clean

    Actions to remove clutter like temporary files, the Recycle Bin, and old Windows Update caches.

    Repair

    Tools to verify and repair the integrity of core system files using System File Checker (SFC) and DISM.

    Optimize

    Actions to improve performance, like running drive optimizers (Defrag/TRIM) and managing startup programs.

    Harden

    Actions to reduce your system's "attack surface" by enabling advanced Windows Defender features (PUP Protection, ASR Rules) and blocking commonly abused tools from accessing the internet.

    System Information

    An informational section at the bottom of the report that provides a detailed summary of your computer's operating system, hardware, network configuration, and a list of all installed software for your reference.

    Step 4: The Remediation Workflow

    Once you have reviewed the findings, you can instruct the script on what actions to take. This is a deliberate, two-step process to prevent accidental changes. Orion also includes several automated remediation enhancements.

    Advanced Remediation Features

    Chain Remediation: If you select a persistence item (like a Run Key), Orion automatically finds and selects the malicious file it points to for removal.

    Correlational Cleanup: After removing a file, Orion scans the same folder for related malware artifacts (like `.dat` or `.zip` files) and removes them. It will also delete the parent folder if it's left empty.

    Orphaned Shortcut Removal: Any shortcuts pointing to a file you've selected for remediation will also be automatically removed from the desktop and start menu.

    Firewall Rules: In the details modal for any network detection, you have the option to create a Windows Firewall rule to block that specific process or destination IP address from making outbound connections.

    1. Select Items for Remediation: In the HTML report, go through each category and place a checkmark next to every item you wish to remove or fix. You can use the "select all" checkbox at the top of each table.
    2. Generate the Remediation File: After making your selections, click the orange Generate Remediation File button at the top of the report. This will download a JSON file (e.g., Orion_Remediation_List_....json) to your computer's Downloads folder. Do not change the name of this file.
    3. Confirm in PowerShell: Go back to the PowerShell window where the script is waiting. It will now prompt you to "Press any key after you have generated the remediation file". Press any key.
    4. Execute Remediation: The script will automatically find the JSON file, read your selections, and begin taking action. You will see its progress in the PowerShell window as it quarantines files, removes registry keys, and creates firewall rules.

    Step 5: Post-Remediation

    After the remediation actions are complete, the script will provide a final summary.

    • Summary of Actions: A list of all actions taken will be displayed in the console.
    • Quarantine Archive: If quarantine was enabled, it will tell you the path to the password-protected zip file. The password is always infected.
    • Reboot Required: If the script was unable to remove a locked file, it will schedule it for deletion on the next reboot. If you see this message, it is critical that you restart your computer to complete the cleanup.

    This concludes the manual. Stay vigilant, and happy hunting!
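The "Suspicious Persistence Mechanisms" category above lists the locations the script checks (Run keys, Scheduled Tasks, Services, Startup folders) and the tell-tale signs it looks for (unsigned binaries, odd locations). The following is an added example written for this thread, not code from the Orion/HEAT script, showing how such a sweep can be done in plain PowerShell. The list of "user-writable" directories, the file-extension pattern used to pull the executable out of a command line, and the flag names are assumptions of this example. Run it from an elevated PowerShell window.

```powershell
# Added example (not part of the Orion/HEAT script): enumerate common Windows
# persistence locations and flag entries whose target is unsigned, missing, or
# living in a user-writable path. Requires an elevated PowerShell 5.1+ session.

# Directories a standard user can write to (assumed list for this example).
$UserWritable = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:PUBLIC, "$env:USERPROFILE\Downloads")

# Pull the executable path out of a command line such as
#   "C:\x\a.exe" /arg   or   C:\Program Files\x\a.exe /arg   or   rundll32.exe foo.dll,Entry
function Get-ExecutableFromCommand {
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $null }
    $Command = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($Command -match '^"([^"]+)"') { $exe = $Matches[1] }
    elseif ($Command -match '^(.+?\.(exe|dll|cmd|bat|ps1|vbs|js|scr))(\s|$)') { $exe = $Matches[1] }
    else { $exe = ($Command -split '\s+')[0] }
    # Bare names like "rundll32.exe" are resolved through PATH, as Windows itself would.
    if (-not [IO.Path]::IsPathRooted($exe)) {
        $cmd = Get-Command $exe -ErrorAction SilentlyContinue
        if ($cmd -and $cmd.Source) { $exe = $cmd.Source }
    }
    return $exe
}

function Test-PersistenceEntry {
    param([string]$Source, [string]$Name, [string]$Command)
    $exe = Get-ExecutableFromCommand $Command
    $flags = @()
    if (-not $exe -or -not (Test-Path -LiteralPath $exe)) {
        $flags += 'target-missing'        # entry points at nothing: leftover or hidden file
    } else {
        $sig = Get-AuthenticodeSignature -FilePath $exe
        if ($sig.Status -ne 'Valid') { $flags += "unsigned($($sig.Status))" }
        foreach ($dir in $UserWritable) {
            if ($dir -and $exe.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) { $flags += 'user-writable-path'; break }
        }
    }
    [pscustomobject]@{ Source = $Source; Name = $Name; Target = $exe; Flags = ($flags -join ',') }
}

$results = @()

# 1. Registry Run / RunOnce keys (machine-wide and current user)
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$meta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($meta -contains $p.Name) { continue }   # skip provider metadata, keep real values
        $results += Test-PersistenceEntry -Source "RunKey:$key" -Name $p.Name -Command $p.Value
    }
}

# 2. Scheduled tasks outside the \Microsoft\ tree (keeps the output readable)
foreach ($task in Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' }) {
    foreach ($action in $task.Actions) {
        if ($action.Execute) {
            $results += Test-PersistenceEntry -Source "Task:$($task.TaskPath)" -Name $task.TaskName -Command "$($action.Execute) $($action.Arguments)"
        }
    }
}

# 3. Windows services
foreach ($svc in Get-CimInstance Win32_Service) {
    $results += Test-PersistenceEntry -Source 'Service' -Name $svc.Name -Command $svc.PathName
}

# 4. Startup folders (shortcuts are resolved to the file they launch)
$shell = New-Object -ComObject WScript.Shell
$startupDirs = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
               "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    foreach ($item in Get-ChildItem -Path $dir -File) {
        $cmd = if ($item.Extension -eq '.lnk') { $shell.CreateShortcut($item.FullName).TargetPath } else { $item.FullName }
        $results += Test-PersistenceEntry -Source "Startup:$dir" -Name $item.Name -Command $cmd
    }
}

# Only flagged entries are printed; everything else is signed and in an expected place.
$results | Where-Object { $_.Flags } | Sort-Object Source | Format-Table -AutoSize -Wrap
```

A flag here is a lead, not a verdict: many legitimate updaters are unsigned or install under %LOCALAPPDATA%, which is exactly why the guide pairs these findings with its Relationship Analysis confidence score before recommending removal.
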

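The "Memory Anomaly Detections" section describes three live-process heuristics: process masquerading (a system process name running outside System32), LOLBin abuse (a scripting host spawned by an unusual parent such as Word), and injection indicators (an unsigned DLL loaded from a user-writable folder). This added example, which is not code from the Orion/HEAT script, implements all three in PowerShell. The allow-list of system-only process names, the LOLBin and suspicious-parent lists, and the user-writable directories are constructed for this example and should be tuned for a real environment. Run it from an elevated PowerShell window.

```powershell
# Added example (not part of the Orion/HEAT script): live-process heuristics for
# masquerading, LOLBin abuse and unsigned-DLL loads. Elevated PowerShell 5.1+.

# Core processes that legitimately run only from System32 (assumed list).
$SystemOnlyNames = @{
    'svchost.exe' = $true; 'lsass.exe' = $true; 'csrss.exe' = $true; 'winlogon.exe' = $true
    'services.exe' = $true; 'wininit.exe' = $true; 'smss.exe' = $true; 'spoolsv.exe' = $true
}
# Scripting hosts and other LOLBins whose parent is normally explorer/cmd/services (assumed list).
$LolBins = @('powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe',
             'mshta.exe', 'regsvr32.exe', 'rundll32.exe', 'certutil.exe', 'bitsadmin.exe')
# Parents that should rarely spawn a LOLBin: Office apps, PDF readers, browsers (assumed list).
$SuspiciousParents = @('winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe',
                       'acrord32.exe', 'chrome.exe', 'msedge.exe', 'firefox.exe')
$UserWritable = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:PUBLIC, "$env:USERPROFILE\Downloads")

function Test-UserWritablePath {
    param([string]$Path)
    foreach ($dir in $UserWritable) {
        if ($dir -and $Path.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$findings = @()
$procs = Get-CimInstance Win32_Process            # exposes ParentProcessId, ExecutablePath, CommandLine
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }
$system32 = "$env:SystemRoot\System32"

foreach ($p in $procs) {
    $name = $p.Name.ToLower()
    $path = $p.ExecutablePath

    # 1. Masquerading: a core system process name running from anywhere but System32.
    if ($SystemOnlyNames[$name] -and $path -and
        -not $path.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)) {
        $findings += [pscustomobject]@{ Type = 'Masquerading'; Pid = $p.ProcessId; Process = $name; Detail = $path }
    }

    # 2. LOLBin abuse: a scripting host whose parent is an Office app, PDF reader or browser.
    if ($LolBins -contains $name) {
        $parent = $byPid[[int]$p.ParentProcessId]
        if ($parent -and ($SuspiciousParents -contains $parent.Name.ToLower())) {
            $findings += [pscustomobject]@{ Type = 'LOLBin-Parent'; Pid = $p.ProcessId; Process = $name
                                            Detail = "parent=$($parent.Name) cmd=$($p.CommandLine)" }
        }
    }
}

# 3. Injection indicator: any process that has loaded an unsigned DLL from a user-writable directory.
foreach ($proc in Get-Process -ErrorAction SilentlyContinue) {
    $mods = try { $proc.Modules } catch { $null }  # module enumeration fails for protected/other-bitness processes
    foreach ($m in $mods) {
        if (-not (Test-UserWritablePath $m.FileName)) { continue }
        $sig = Get-AuthenticodeSignature -FilePath $m.FileName -ErrorAction SilentlyContinue
        if ($sig -and $sig.Status -ne 'Valid') {
            $findings += [pscustomobject]@{ Type = 'Unsigned-DLL'; Pid = $proc.Id; Process = $proc.ProcessName
                                            Detail = "$($m.FileName) [$($sig.Status)]" }
        }
    }
}

$findings | Format-Table -AutoSize -Wrap
```

The parent-process check only sees parents that are still alive; a dropper that spawns a script host and exits leaves a parent ID that no longer resolves, which is one reason the guide pairs this live snapshot with the persistence and file scans in the higher scan levels.
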
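The "Live Network Connections" section describes two of the heuristics behind its Botnet/C2 detections: a process talking directly to an IP address without any name resolution, and a process talking to a high-entropy (DGA-looking) domain. The following is an added example for this thread and not code from the Orion/HEAT script. It correlates each established outbound connection of a non-browser process with the local DNS client cache to spot direct-to-IP traffic, and scores the resolved name's second-level label with Shannon entropy. The browser list, the private-address ranges skipped, and the entropy/length thresholds are assumptions of this example. Run it from an elevated PowerShell window.

```powershell
# Added example (not part of the Orion/HEAT script): flag direct-to-IP connections
# and high-entropy hostnames for non-browser processes. Elevated PowerShell 5.1+.

$Browsers = @('chrome', 'msedge', 'firefox', 'brave', 'opera', 'iexplore')   # assumed list

# Shannon entropy in bits per character; random-looking DGA labels score high.
function Get-StringEntropy {
    param([string]$Text)
    if (-not $Text) { return 0.0 }
    $counts = @{}
    foreach ($ch in $Text.ToCharArray()) { $counts[$ch] = 1 + [int]$counts[$ch] }
    $h = 0.0
    foreach ($c in $counts.Values) { $p = $c / $Text.Length; $h -= $p * [Math]::Log($p, 2) }
    return [Math]::Round($h, 2)
}

# RFC1918, loopback, link-local and IPv6 ULA/link-local ranges (assumed as "not C2-relevant").
function Test-PrivateAddress {
    param([string]$Ip)
    return ($Ip -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.|169\.254\.|::1$|fe80:|fc|fd)')
}

# Build remote-IP -> hostname from the DNS client cache. A remote IP with no entry was
# reached without a lookup on this host (or the record has already expired from the cache).
$dnsByIp = @{}
foreach ($rec in Get-DnsClientCache -ErrorAction SilentlyContinue) {
    if ($rec.Data -as [ipaddress]) { $dnsByIp[$rec.Data] = $rec.Entry }   # keeps A/AAAA, skips CNAME data
}

$findings = @()
foreach ($conn in Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue) {
    $ip = $conn.RemoteAddress
    if (Test-PrivateAddress $ip) { continue }
    $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
    if (-not $proc -or ($Browsers -contains $proc.ProcessName.ToLower())) { continue }

    $hostName = $dnsByIp[$ip]
    $reason = @()
    if (-not $hostName) {
        $reason += 'direct-to-IP (no DNS cache entry)'
    } else {
        # Score the second-level label, e.g. "x7k2q9abwq4z" in x7k2q9abwq4z.example.
        $label = ($hostName -split '\.')[-2]
        $e = Get-StringEntropy $label
        if ($label -and $label.Length -ge 12 -and $e -ge 3.5) {   # assumed thresholds
            $reason += "high-entropy label '$label' (H=$e)"
        }
    }
    if ($reason) {
        $findings += [pscustomobject]@{ Pid = $proc.Id; Process = $proc.ProcessName
                                        Remote = "$ip`:$($conn.RemotePort)"; Host = $hostName
                                        Reason = ($reason -join '; ') }
    }
}
$findings | Format-Table -AutoSize -Wrap

# The report's "Firewall Rules" option creates an outbound block for a flagged process.
# The equivalent cmdlet, to be run deliberately after review rather than automatically:
#   New-NetFirewallRule -DisplayName 'HEAT block <process>' -Direction Outbound -Action Block -Program '<full path>'
```

Both heuristics produce false positives on their own: CDN and update services legitimately connect by IP after an earlier lookup that may have aged out of the cache, and some legitimate hostnames are random-looking. That is why the guide distinguishes high-confidence Botnet/C2 detections (DCI feed hits or strong heuristics) from informational connection entries.
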
  • Following the rebranding of the tool to HEAT, the Orion engine will be renamed to Helios (god of the sun). This is better connected to HEAT. Still remains somewhat similar.

    Orion seems to be a bit overused in the tech world.

    All detection prefixes will be updated accordingly.

  • Hello Negan,

    The rebranding to HEAT and the renaming of the Orion engine to Helios makes a lot of sense, especially with the thematic connection to heat and the sun. It's true that Orion has been widely used in various tech contexts, so this change could help to distinguish the tool more effectively. Updating the detection prefixes to align with this new branding will also help maintain consistency and clarity for users. Overall, it seems like a positive step forward for the tool.

  • Negan November 26, 2025 at 10:35 AM

    Changed the title of the thread from “Announcing Haw Eye Analysis Tool (formerly Orion Malware Cleaner)” to “Announcing Hawk Eye Analysis Tool (formerly Orion Malware Cleaner)”.
