File integrity question

Discussion in 'privacy problems' started by bluekey23, Jul 15, 2004.

Thread Status:
Not open for further replies.
  1. bluekey23

    bluekey23 Registered Member

    Joined:
    Feb 23, 2004
    Posts:
    77
    Hello privacy experts,
    I hope this is the right place to post this question (correct me if wrong).
    I am looking for a way to check if a downloaded file or app has been altered or tampered with. I think there are ways or programs to do this, but am not sure. How can you be sure?
    Thanks
     
  2. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    If you know the MD5 checksum of the authentic file, you can use programs like hkSFV to verify the MD5 of your copy.

    Nick
     
  3. FanJ

    FanJ Guest

    Hi,

    Yes, there are ways to do this, by means of a so-called checksum (usually the MD5 checksum of that file).
    The site from which you download a file has to publish the checksum of that file, and you yourself have to have a program with which you can calculate its checksum.
    If those checksums are exactly the same, the files are the same.

    The whole process is very easy and doesn't take much time.
    But, as I said, that site from which you downloaded that file, has to give its checksum and tell which HASH algorithm has been used (of course you have to use the same algorithm).

    CryptoSuite from DiamondCS is a very nice tool to calculate such a checksum (it's not free).
    You might also have a look for example here:
    http://lists.gpick.com/pages/Checksum_Tools.htm
     
  4. bluekey23

    bluekey23 Registered Member

    Joined:
    Feb 23, 2004
    Posts:
    77
    Nick and Fan,
    Thanks for the info and helpful links. Am dl'ing one of the apps now to test.
     
  5. FanJ

    FanJ Guest

    Hi,

    A little side-note:

    The situation is completely different in case you want to check whether a file (doesn't matter what kind of file) once downloaded/installed in the past has been changed on your system.
    In such a case you have to use a so-called file-integrity-checker.
    There are several of them available, some free, some not free, some not any longer maintained.
    What they all do is build a database of files (it depends on the program you use what kind of files) with their checksums.
    Once such a file is added with its checksum in that database, you can run that file-integrity-checker any time you like, to check whether files (included in its database) are changed.
    To name only a few apps that can do this for you:
    - ADinf32 from the same company that makes the AV DR.Web.
    - Inspector in KAV Personal Pro.
    - FileChecker from Javacool.
    - NISFileCheck (no longer maintained; see the archive forum here at the bottom of the Wilders-board).
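
An added example, not part of FanJ's post and not code from any tool named in this thread: a file-integrity checker in Python that builds the checksum database described above and later reports changed, deleted and added files. SHA-256, the JSON database format and all function names are assumptions of this example; the watched extensions are the NISFileCheck defaults quoted later in the thread.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Assumption: extension filter copied from the NISFileCheck defaults quoted in the thread.
WATCHED = {".exe", ".dll", ".vxd", ".ocx", ".sys", ".bat"}


def hash_file(path, algorithm="sha256"):
    """Hash a file in chunks so large binaries need not fit in memory."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Map every watched file under root (relative path) to its checksum."""
    root = Path(root)
    return {
        path.relative_to(root).as_posix(): hash_file(path)
        for path in sorted(root.rglob("*"))
        if path.is_file() and path.suffix.lower() in WATCHED
    }


def save_baseline(root, database_path):
    """Build the database; run this while the system is known to be clean."""
    Path(database_path).write_text(json.dumps(snapshot(root), indent=2, sort_keys=True))


def check(root, database_path):
    """Compare the current files with the stored database."""
    baseline = json.loads(Path(database_path).read_text())
    current = snapshot(root)
    return {
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "deleted": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Constructed sample data: baseline three files, then change, delete and add one."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        for name, data in (("app.exe", b"v1"), ("lib.dll", b"v1"), ("run.bat", b"echo hi")):
            Path(root, name).write_bytes(data)
        database = Path(store, "baseline.json")
        save_baseline(root, database)
        Path(root, "lib.dll").write_bytes(b"v2")  # changed
        Path(root, "run.bat").unlink()            # deleted
        Path(root, "new.ocx").write_bytes(b"x")   # added
        return check(root, database)


if __name__ == "__main__":
    print(demo())
```

Keep the database on read-only or offline media: anything able to modify the monitored files could otherwise rewrite the baseline as well.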
     
  6. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
  7. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
    Of course this hash checking is only possible if the source file comes with a hash!

    Another option is code signing. Use a certificate to digitally sign a file. Like Microsoft does for its ActiveX components.
     
  8. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    600 posts, congratulations meneer
    I think I'll start a new thread at some point. I've never used PGP or checksums, because this computer has nothing on it. It's just for practicing, but it's something I'll start to learn. Two different things, aren't they? I shouldn't have hijacked the thread!
     
  9. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    Hi FanJ. I was delighted to find this thread about File Integrity Checkers, wherein you are participating.

    I have used AdInf for quite a long time. I recently visited their website & noted that they have done a minor version update. I downloaded & installed it over my old version. Then it wouldn't accept my registration number, even though the upgrade was only a minor one {a *dot*-upgrade}. I checked my license & discovered that registration is limited to upgrades for a time-limited period of only 1 year. Thus, even minor upgrades after 1 year require an additional fee.

    I tried to reinstall my old version, but the new version seems to have locked out my old registration number altogether. I am no longer a fan of AdInf. :(

    After an extensive search I came across a free File Integrity Checker named Fingerprint. I have used it for several days & like it a lot. It only does MD5, & doesn't have as much bells & whistles as AdInf, but I actually like the added control of having to directly manage a bit more of the checking.

    2 Requests

    #1- I would really appreciate your opinion as to the adequacy of Fingerprint for an *average* user like me. {By "average" I mean that I don't do P to P, file swapping, porn sites, email attachments, blackhat sites, and so forth.}

    #2- Will a File Integrity Checker help me to spot when something like a DLL injection has taken place? {I realize a File Integrity Checker won't *stop* an injection; but could it possibly help me discover that something nasty might be in the works?}

    grace & peace to all.... bellgamin
     
  10. FanJ

    FanJ Guest

    Hi bellgamin !

    Apologies for not replying earlier !
    I was off for the weekend, had "some" things to do today, and have to admit that I'm too tired at the moment.

    A few quick thoughts though:

    Yes, I too had the same experience as you regarding the newer version of ADinf32; I too didn't know about the necessity to buy a new licence....
    Technodrome and me talked about it in this thread:
    https://www.wilderssecurity.com/showthread.php?t=33338

    I myself decided finally to buy a new licence.
    I still am not sure whether that was a wise decision, strictly personally speaking.

    Do you perhaps have a backup image of your system?
    If yes, you might think about restoring it and staying with your older version of ADinf32, but that is of course your decision.
    You might also think about emailing the folks at ADinf; but I myself have mixed experiences with their support, having received:
    1- a reply that helped;
    2- no reply at all;
    3- an email in Russian which I cannot understand o_O


    About "Fingerprint":

    At the moment I am not sure whether I tried it in the past or not, I can't remember whether I did... :oops:


    About "DLL injection":

    This is the most difficult question.
    If you are using Windows XP (or something similar NT-based): I would advise having a look at Process Guard from DiamondCS (PG is not free). I myself still run W 98 SE, so I cannot use it.
    Somehow I seem to remember that you are using Windows ME, so you too cannot use it (but maybe I am making a mistake here, meaning you're using a different OS).

    Now to your question:
    "Will a File Integrity Checker help me to spot when something like a DLL injection has taken place? {I realize a File Integrity Checker won't *stop* an injection; but could it possibly help me discover that something nasty might be in the works?}".

    I am afraid that I don't know the real and final answer..... :oops:
    It might depend....
    Is that nasty leaving any "trace" (when you run your file-integrity-checker) like: a file has been changed, deleted, added: the answer is "yes".
    Does that nasty delete all its traces after having done its "work": the answer might be "no".
    But in that latter case a layered security might do its job:
    Did your firewall give an alert? Your other security programs like for example resident AV/AT?
    And the question also comes to mind: how in the first place could that nasty do its job? Did you go to a "nasty" site with ActiveX enabled? Did you allow an (un-)known program (not scanned with AV/AT/anti-spyware before running it) to run? Did you not protect yourself enough against email-nasties? Do you use a program that allows you to make full backup images of your whole system, and do you use that program frequently? Do you also use a registry-integrity-checker like for example RegRun Gold (not free)? Just some thoughts...


    Dear bellgamin,
    I am well aware that I did not answer all your questions, on the contrary; and I really do apologize for not having done so!!!

    I will also ask Joseph and Technodrome if they have the time to look at your questions.

    Warm regards, Jan.
     
  11. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    Do you find that the updated version has *significant advantages* in comparison with the previous version?

    Yah, I discovered an old Iomega Zip disk that contains a copy of my original download of AdInf. I am considering alternatives of {1} reinstalling the old version, VERSUS {2} continuing to use FingerPrint, which I like very much.

    By the way -- FingerPrint uses MD-5. As I understand it, MD-5 does have some collisions, right? In other words, it isn't as strong as AdInf's checksum algorithms, right? Ergo, I would appreciate your comments as to whether you consider that MD-5 is {or is not} *strong enough* for an average user like me.

    Jan, your memory is excellent! I still use WinME.

    Thank you. I found your comments very helpful indeed.

    live long & prosper....... bellgamin
     
  12. FanJ

    FanJ Guest

    Hi bellgamin,

    I have to admit that I don't know the answer....
    As for myself: I didn't have any issue with the previous version, and I didn't see many (if any...) changes. But I also have to admit that until now I didn't take much time to look at every aspect of it; part of the reason is that my backup HD crashed (has nothing to do with ADinf32) and I had other things...

    As for the changes:
    As Technodrome posted here:
    https://www.wilderssecurity.com/showthread.php?t=33335

    Quote:

    Version 3.02 dated 12.05.2004.

    Improvements:
    1. Folders System Volume Information (System & Hidden) and C:\WINDOWS\Prefetch are excluded on NTFS drives.
    2. Folder PCHealth is marked as "Hide changes" by default.
    3. Mask "*.log" is added to default excluded files list.
    4. File "hiberfil.sys" with attributes Hidden and System is added to excluded files list.

    Fixed defects:
    5. Fixed "Drive scan error" defect.
    6. Fixed null memory reference defect.
    7. Fixed defect preventing ADinf32 from working on NTFS drives with big clusters.

    http://www.adinf.com
    - end quote -


    Of course I cannot take your decision, but you might well invest in a decent backup-imaging program, like for example Acronis TrueImage (see dedicated forum-section here at Wilders), or any other you feel comfortable with.
    Maybe that would be in your case a better investment than to spend your money in the newer version of ADinf32. In that case you might need a dedicated partition for it, and/or a CD/DVD-burner and/or a second harddrive.


    As for your question about the HASH algorithm like MD5:
    All I can say:
    Don't be too concerned about it ! Please !
    MD5 is stronger than the hashes used by ADinf32, maybe even if you use the Pro version like I do (that being said: the Pro version of ADinf32 uses an algorithm that is not so much used).
    Yes, MD5 has been "cracked".
    But other algorithms have also been cracked....
    As far as I know, NISFileCheck uses the strongest HASH algorithms for the purpose you (and I) want to use it: you have the choice between SHA1, RIPEMD160, HAVAL.
    But once again: please don't be too concerned at the moment about the strength of the algorithm you use for your file-integrity-checker: the fact that you use one, gives you already another great layer in your security setup.
    If you really want one of the best:
    Use both ADinf32 Pro, NISFileCheck; and (if on XP or something alike) Process Guard and a sandbox like in TinyTrojanTrap (now in the Tiny firewall).

    I hope this helps a little bit...
    Warm regards, Jan.
     
  13. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    Hoo-boy! Back in the days when I used NISFileCheck, I didn't know one checksum algorithm from another. Then, when I began using AdInf, I dumped NISFileCheck from my system. But now I realize that NISFileCheck was waaaay ahead of its time. I finally found the download site & reinstalled it.

    NISFileCheck is superb! It's too bad that more people don't know about it any more. I shall certainly alert the visitors to my websites that every blessed one of them should install & use NISFileCheck.

    I note that {by default} NISFileCheck is set up to monitor the following extensions: EXE, DLL, VXD, OCX, SYS and BAT. Are there any other extensions that should be monitored?
     
  14. FanJ

    FanJ Guest


    Thanks bellgamin for posting that !!! :D :) :D

    I agree with you: it IS a GREAT tool !!!
    I'm sure that Joseph and Albjan will be very glad to read that too !

    OK, let's first ask the admins if we are allowed to go on here in this thread about NISFileCheck, or if they would like something else.

    Cheers, Jan.
     
  15. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    Well... the title of the thread IS "File Integrity" right? But I agree -- our emphasis on NISFileCheck is skating a bit close to the brink of going off-thread. Also, I note my inability to detect a really suitable Wilder's forum category for discussing file integrity checkers. Other AntiTrojans? Other Anti-Virus? Hmm -- I wonder. LowWaterMark, wherefore art thou? :doubt:
     
  16. FanJ

    FanJ Guest

    Oops, it is MY fault; sorry !
    I started talking about NISFileCheck in this thread, and I completely forgot to ask one of the mods/admins if it was OK to go on. Sorry !
     
  17. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,878
    Location:
    New England
    Well, this isn't actually a big deal because bluekey23 did get their answer right at the start of the thread. It was after that where the topic adjusted slightly. ;)

    Further, anyone coming along and asking about checksum verification and/or file integrity checkers can get a lot of information here.
     
  18. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    Thanks LWM.

    Thanks to what I have slowly learned from the likes of FanJ & Joseph V. Morris, I have gradually come to believe that using a good File Integrity Checker is of near-equal importance with using AV & AT & Firewall programs. In fact, a File Integrity Checker offers high potential to detect that occasional bit of malware that might slip through the defenses provided by the *big 3* {AT/AV/FW}.

    My education on this vital topic began right here at Wilders, quite some time ago. That was back when Wilders carried a Forum on NISFileCheck, & I downloaded & used that wonderful program for quite some time. Now you folks have seen fit to retire that Forum to the archives, & I'm sure you have good reasons. Nevertheless, I would like to offer a plea that you folks consider bringing it back, perhaps -- or at least adding it to Wilders list of programs at http://www.wilders.org/

    Until just a day or 2 ago, I was convinced that NISFileCheck was old-hat -- no longer state-of-the-art. Then something happened that radically changed my mind. Namely, as explained in my previous post above, I ran into a bit of a bumpy road with respect to AdInf, the integrity checker I went to when I uninstalled NISFileCheck.

    Being a tad upset with the AdInf folks, I began to search the internet for a replacement. I searched hard for several days, & learned a lot in the process. Of what I learned, two main points seem of main significance...

    Point #1- Of those who are responsible for maintaining security of servers, large networks, and so forth, File Integrity Checkers receive equal or greater emphasis than other categories of security software. Anyone wishing to witness that fact for himself/herself need merely do a Google on what is sha-1 or what is md-5 -- & then read the tons of entries by a broad spectrum of professional security experts such as RSA Security Labs.

    Point #2- For desktop use, there are file integrity programs that have a prettier GUI than NISFileCheck. There are file integrity programs that cost a lot more than NISFileCheck {which is still free!}. But -- of all the ones I tested -- not one of them had stronger checksum algorithms or worked faster or worked better than NISFileCheck. It seems that NISFileCheck is like a fine wine -- it may be old, but MAN! it sure does a delicious job.

    Thus ends my plea for you folks to take a second look, perhaps, at a truly superb program for enhancing the security of most anyone's desktop computer. Forgive me for babbling on -- I sometimes have these *senior citizen* moments nowadays. :p

    grace & peace to all... bellgamin
     
  19. FanJ

    FanJ Guest

    Thanks LowWaterMark !!! :D
    I really appreciate it, Mike !

    Thanks bellgamin !!!
    Nice posting and a great link you posted !

    OK, let me start with a few comments ;)
    Yes, the NISFileCheck-forum was archived, and I agreed with that decision.
    There were hardly any postings in that forum-section, and we have to keep in mind that the program is no longer maintained.
    The version I use is BETA 1.0.0.7

    I myself use several file integrity checkers, NISFileCheck and ADinf32 Pro among them.
    I really like to use both of them !
    NISFileCheck for its strong HASH algorithm and info about file changes.
    ADinf32 for its capability to check all files on your system.
    The CRC32-test in TDS-3 for a quick check on a few files.

    What really is important to keep in mind, is that after your file integrity checker has reported a change, it is up to you, the user, to decide whether such a change is legitimate (for example a file of your AV was updated) or not (some nasty thing has happened).

    I admit that I too was surprised that I needed to buy a new licence key for the new version of ADinf32, but I could have known that: it simply is stated at the ADinf site, as Technodrome posted.

    If I would start using NISFileCheck now from scratch, I myself would use it a bit differently than I am using it now.
    When I started using it, I made several databases for it (for example one for EXE files, one for DLL files, etc).
    I now consider that not such a good decision. It is just easier to have only one database for it with all files in it that you choose to.

    Once again I would like to point to programs which can only be used on a NT-based OS:
    (please keep in mind that I don't have experience with them; I cannot use them cause I still run W 98 SE)
    I am talking here about programs like for example Process Guard from DiamondCS.
    As I understood, with such a program you will be warned on a change on an important file before the actual change has happened.


    As bellgamin posted, there are free file integrity checkers and ones for which you have to pay, even very expensive ones (I'm talking here about some thousands of US-dollars...).


    Maybe later more (for example about your (bellgamin) question about file types to include).

    Cheers, Jan.
     
    Last edited by a moderator: Jul 20, 2004