Free programs to help decide if an app is suspicious without running it

Task: you want to decide if a given program is suspicious without running it. I assume that you already know about antivirus and anti-malware scanners, so those won't be covered here.

These free programs report various characteristics of an executable. Some report about entropy (helpful to decide if a program is likely packed or not). Some report about structural anomalies. Some report about digital signatures.
1. pescanner - console program; requires Python and dependencies to be installed; can process all files in a given folder
2. PeSweep - console program
3. Mandiant Red Curtain - GUI program; doesn't process 64-bit programs
4. ExeScan - console program; requires Python and dependencies to be installed
5. Malware Analyzer - console program
6. Portable Executable Scanner - console program
7. Sigcheck - console program; reports about digital signatures

I've tried all of the above programs. I plan to use pescanner and Sigcheck in a batch file that processes all files in my Downloads folder and logs the results to text files.

Also see thread Malware and entropy.

 

You can also use programs such as PEiD that use signatures to identify packers. Some of the programs mentioned in the first post, such as pescanner, can use a PEiD signature database (userdb.txt) if available. A large PEiD signature database is located at hxxp://abysssec.com/AbyssDB/Database.TXT; rename it to userdb.txt. Other packer identifiers and signatures can be found here.

There are a number of programs - such as PE-Probe - that are described in academic papers but apparently are not publicly available.

 

Thanks.

 

You're welcome .

It's too bad PE-Probe (hxxp://nexginrc.org/nexginrcAdmin/PublicationsFiles/vb09-zubair.pdf) isn't publicly available, because the results are IMHO great. They first use an algorithm to classify a given executable as packed or not packed, and then use algorithms to classify the executable as malicious or benign. For those executables classified as packed, the malware detection rate is 99.6%, with a false positive rate for non-malware of 0.3%. For those programs classified as not packed, the malware detection rate is 99.4%, with a false positive rate for non-malware of 0.8%. The population used in this study is ~500,000 malware and several thousand benign programs.

 

PEiD also can perform entropy analysis, and can tell you if a file is likely packed. A PEiD plugin called PackingStone also tells you if a file is likely packed.

 

From Who needs sophisticated malware?:

 

Packed Driver Detector

Threads here about Packed Driver Detector:
https://www.wilderssecurity.com/showthread.php?t=266821
https://www.wilderssecurity.com/showthread.php?t=220946

 

Windows Portable Executable (PE) Viewer lists anomalies of an executable - use menu View->Packaging. It also has other features, such as entropy calculations.

 

http://www.netscty.com/Services/Sandbox

 

Looks like another update for the list, maybe tomorrow unless ako wants to do it.

 

From http://www.winitor.com/:

The Evidence tab lists anomalies found within an executable. The same tab also shows what types of functionality, such as Hooking, Registry, and Wininet, might be used by an executable. See the image in the review at http://download.cnet.com/PeStudio/3000-2094_4-75248467.html for a list of anomalies that are checked.