Safe Downloading

Discussion in 'other security issues & news' started by John Bull, Mar 5, 2011.

Thread Status:
Not open for further replies.
  1. John Bull

    John Bull Registered Member

    Joined:
    Nov 22, 2009
    Posts:
    904
    Location:
    London UK
    We all download things like it was Christmas, from music, videos, programs and any damn thing we like the look of to keep, use as a program or to live with till death do us part.

    I have read some of the net suggestions on safe downloading and although it all makes good sense, it is about as practical as having a nail in your boot.

    How can we download the things we wish with confidence and convenience without embarking on some lengthy procedure? All we need is to download the item and use it, not to spend the next month trying to decide if the site is dicey or not.

    My policy is to use common sense about a site always using SBxie, if OK by me, download the item, recover it to my desktop and either run it or store it in a folder for use.

    SBxie>Firefox>download>recover to desktop>Run or store> use.

    Once the item is on my desktop, I have an unknown object on my system. When RUN is selected for a program download we get Run>Wizard>massive download of data>Finish>use.

    All this without any protection? Have I downloaded any number of bugs? By then it is too late, or is it? This is where you come in. What checks can be done to ensure that the downloaded data is safe? No good shutting the gate when the horse has bolted.

    Is my Firewall and AV active protecting me during all this desktop downloading or are they off duty?

    I would appreciate your comments on how safe downloading can be achieved. If this subject has been thrashed out already, refer me to the links and forget all this. I apologise and thanks.

    If it all means some time-consuming process of checking this or that, then I'll adopt an intelligent Gung-Ho attitude of living dangerously and carry on downloading as I always have.

    John
     
  2. MikeBCda

    MikeBCda Registered Member

    Joined:
    Jan 5, 2004
    Posts:
    1,627
    Location:
    southern Ont. Canada
    Generally, anything I download which is or might be executable (most commonly, installer exe's) I'll scan with my a-v and with MBAM before doing anything else with it. Admittedly my a-v (avast) is supposedly checking it while downloading anyway, but a manual check afterwards is quick enough and an extra protection step.

    Same with ZIPs and the like ... I'll scan both before and after extracting.
     
  3. Ibrad

    Ibrad Registered Member

    Joined:
    Dec 8, 2009
    Posts:
    1,949
    1. I check out the site with MyWot and UrlVoid

    2. Upload the file to VirusTotal and look at its rating

    3. Upload the file to CAMAs and ThreatExpert and see what it does

    4. If it gets the clear out of those 3 install and enjoy

    That is what I do for all my files I download.
     
  4. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Watch out for any executables, and upload them to VirusTotal and Comodo Instant Malware Analysis.

    If too large, scan with whatever you have installed.
     
  5. John Bull

    John Bull Registered Member

    Joined:
    Nov 22, 2009
    Posts:
    904
    Location:
    London UK
    Thanks so far chums, very interesting.

    Have been looking at the WHOIS checkers, there are many of them, bit confusing for choice. A few are add-ons for Firefox. Are these any good?
    Taking no action yet.

    John
     
  6. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I consider the opening or installing of new executables to be an administrator only task. On my PCs, it can't be done in user mode. My policy with all downloaded files is as follows:
    1. If an MD5 or SHA1 hash for the file is available, I verify it.
    2. I upload the file to VirusTotal and scan it. If it's too large, I use an online PC scanner and do a custom scan of its containing folder.
    3. Depending on the size and type of file, I'll use either a virtual system or a test PC for the initial test install.
    4. The install process is recorded and monitored using Inctrl5. It reports all file and folder changes and all changes to the registry.
    5. All security apps remain on during an install, including the firewall and SSM. All prompts are read. I do not use a learning mode and use "this time only" for whatever I allow or block. I do not allow the installer to connect out. If it won't install without connecting out, the install is terminated and the system restored to its previous state.
    6. Inctrl5 is also used to monitor and record the first run of the new application. As before, all security apps stay on.

    This is probably more extreme than most will want to go thru. I don't install a lot of new software, and I don't automatically update every time a new version comes out. I update only when the application improves in regards to how I use it.
     
  7. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    You could use URLVoid to scan the website that you've downloaded from.
     
  8. katio

    katio Guest

    data files:
    run them in a hardened environment, e.g.:
    Don't use Windows Media Player but instead the latest VLC or mpc-hc
    open PDFs in a sandbox, Google Chrome or Reader X
    Disable Active X and macros in Office
    Configure these applications in EMET, run them in sandboxie too

    executables:
    check the download/developer site on urlvoid.com
    check the executable on virustotal.com
    check md5 or sha*sum and compare it with published hash
    check if it's signed, who signed it for whom
    gpg --verify if applicable
    search for the program on wikipedia, read the comments there

    If you conclude you can fully trust the program to have full access to your system, user files and network, install it on your computer.

    If you have the slightest doubt about the quality or trustworthiness do not run the executable on your computer. Instead run it in a new sandbox (preferably with dropped rights) or in a throwaway VM.
     
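The hash step in noone_particular's list above and katio's "check md5 or sha*sum and compare it with published hash", carried out in code. This is an added example in Python, not anything posted in the thread: it picks the digest from the length of the published hex string, hashes the file in chunks, and compares in constant time. The md5sum/sha*sum listing format and the constructed fake installer are assumptions.

```python
import hashlib
import hmac
import os
import tempfile

# Digest picked by the length of the published hex string:
# 32 = MD5, 40 = SHA-1, 64 = SHA-256. MD5/SHA-1 are accepted because
# publishers still post them; prefer SHA-256 where the site offers it.
ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}

def file_digest(path, algo="sha256", chunk=1 << 20):
    """Hash a file in 1 MiB chunks so a large installer never has to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_download(path, published):
    """Return (ok, algo, actual). A published value of unrecognised length or
    with non-hex characters is a failed check, not a skipped one."""
    published = published.strip().lower()
    algo = ALGO_BY_LEN.get(len(published))
    if algo is None or any(c not in "0123456789abcdef" for c in published):
        return False, None, None
    actual = file_digest(path, algo)
    return hmac.compare_digest(actual, published), algo, actual

def parse_sums_file(text):
    """Parse md5sum/sha*sum style output ('hash  filename', '*' = binary mode)."""
    sums = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            sums[parts[1].strip().lstrip("*")] = parts[0].lower()
    return sums

def demo():
    """Constructed case: a fake installer, its matching sums file, and one
    tampered hash. Returns True when the good hash passes and the bad one fails."""
    d = tempfile.mkdtemp()
    exe = os.path.join(d, "setup.exe")
    with open(exe, "wb") as f:
        f.write(b"MZ constructed fake installer body\n")  # constructed content
    good = file_digest(exe, "sha256")
    sums = parse_sums_file(f"{good} *setup.exe\n")
    ok, algo, _ = verify_download(exe, sums["setup.exe"])
    flipped = "0" if good[-1] != "0" else "1"
    bad, _, _ = verify_download(exe, good[:-1] + flipped)
    return ok and algo == "sha256" and not bad

if __name__ == "__main__":
    print("hash verification demo:", "pass" if demo() else "FAIL")
```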
  9. wat0114

    wat0114 Guest

    My approach:

    1. Download file from known, safe site
    2. Install
    3. Enjoy :)

    or alternatively:

    1. Download from unknown source
    2. Scan with updated MBAM
    3. If pass scan, install
    4. Enjoy :)

    This tried and true approach has never failed me once.
     
  10. constantine76

    constantine76 Registered Member

    Joined:
    Dec 18, 2010
    Posts:
    178
    Nice thread here:)

    I have VTzilla in Firefox and I scan the site with it. File to be downloaded also with VTZilla. From SBIE I recover it to a specified folder and scan via MBAM/Avira.

    Before extracting a zip file I scan in WinRAR with Avira/AvastFree.
     
  11. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I lean towards the method wat0114 uses, with a few differences.

    I also trust things from places like MajorGeeks. However, only the true "free" ones do I trust enough to install without thinking. Generally if there is something included, like a toolbar, it is installed in a sandbox first to make sure the toolbar can be opted out of.

    But that being said, very often I treat even trusted site content in the same manner as un-trusted content, meaning I start it in a sandbox.

    Personally I don't use an AV or scanner of any sort. I execute un-trusted items in a sandbox and if I am nervous, I use something like ProcessExplorer or ProcessMonitor, or perhaps other tools, to examine exactly what is happening. I might use InstallRite to see exactly what does. The point is, for me, I can usually tell if something is going to happen within the sandbox and it stops there. While an AV or the excellent MBAM can be of good assistance, I don't use them except as an absolute last resort.

    The reason one asks? Quite simple really, and I have an excellent example. Just yesterday I attended a LAN party that my boy wanted to go to. Many of the kids there had AVs on, and what slow machines they were. Granted these are not tweaking geeks, but they were savvy enough for teenagers. Yet, their machines were brutally sluggish. So much that it reinforced, for me, why I don't like that stuff any more. Not only do you have to trust that an AV is updated enough to actually find a 'new' threat, but you many times have to bear with the extra resources involved.

    Now before there are a slurry of replies, it is not that way with every AV nor with every machine. It is just a typical example of what CAN happen with those types of tools running.

    Having a trusted source to download things from, even executables, can go a long way to staying problem free. Untrusted sources are, to me, where one needs to tread lightly.

    Sul.
     
  12. wat0114

    wat0114 Guest

    It's only the free on-demand MBAM I use. There's no real-time av on any of the computers in this household :)
     
  13. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,196
    Location:
    Surrey, England.
  14. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,709
    For programs/executables, I base it on reputation and the level of trust I place in the developer/publisher, the blogger of the article from where I got to know of it, the mirror/distribution sites (e.g. Sourceforge, Softpedia, FileHippo), rating and user/editor comments/reviews on these mirror/distribution sites, and the general consensus/judgment/perception of the downloading community overall on the program that can be found by searching the web (e.g. forum boards, comments below articles, etc). I do lots of reading and finding out as much as I can before I download something I'm not familiar with. As you can see, I place a high importance in determining that there are other folks using the software without problems or risks of infection...

    If everything seems fine and I presume the program/executable to be clean with no qualms in trusting it, then I'll download and most of the times execute it without doing any scan or integrity check. Some may put it off as silly or irresponsible behavior but this has never backfired on me once. Or at least that's what I think:p

    When I'm in doubt though, I'll go by my instincts and guts. If I can't place a minimum 50% level of trust on the file, I'll not download it. If I can, I'll proceed with a VirusTotal check (most of the time) or ThreatExpert or CIMA to get a feel of the % risk I'm taking. No doubt this won't be perfect or 100% accurate but this is the closest I can get without running the file at all and doesn't require further manual analysis on my part.

    My policy is simple - I either trust it (and run it) or I don't. If I don't and I'm still eager to run it, I'll gamble with it. Sometimes, I have either Sandboxie or a HIPS installed and I'll make use of them if my curiosity outweighs my common sense at that period of time, crossing my fingers hoping that nothing escapes. Simply said, I don't have as strict a practice as some guys here abide by but this is good enough for me.

    As for data files, aside from a tiny bit of hardening as katio mentioned, I don't worry too much over them...I simply download from places I am comfortable with.

    P.S. I am actually more concerned with execution of things that I don't seek for....
     
  15. culla

    culla Registered Member

    Joined:
    Aug 15, 2005
    Posts:
    504
    vm :D test and decide
     
  16. John Bull

    John Bull Registered Member

    Joined:
    Nov 22, 2009
    Posts:
    904
    Location:
    London UK
    I am impressed with the replies, they are all very user protective comments and well worth any reader taking notice of. I have often got more sound advice from Wilder's than surfing the net at random and this is no exception.

    The members here are so responsive and in many cases provide an advanced user guide second to none.

    I will investigate :- URLVOID, VirusTotal, ThreatExpert , VTzilla/Firefox, they look very promising and your recommendations are good enough for me.

    Question :-
    Does anybody know on what basis these programs make a decision? Do they have a malware database or do they rely on users' ratings and comments?
    I am totally interested in the technical aspect of site ratings and not at all interested in ratings based on moralistic grounds.

    Computer infections are nothing to do with human moral views. WOT for instance is highly dependent on users moral views and is utterly worthless as a malware guide.

    Obviously I am very aware of booby traps and so far have not been caught, but I do look at that downloaded icon on my desktop that I released with gay abandon from SBxie and think of it as an IED waiting for me to click it.

    Thank you
    John
     
    Last edited: Mar 7, 2011
  17. redgrum

    redgrum Registered Member

    Joined:
    Nov 16, 2010
    Posts:
    50
    Why not just install/execute unknown files inside sandboxie and see what occurs?

    Data files, just put them into folders with no exec privileges and disable scripting from excel, pdfs, word etc
     
  18. constantine76

    constantine76 Registered Member

    Joined:
    Dec 18, 2010
    Posts:
    178
    Tested VTZilla earlier with a couple of porn sites that were red/orange with WOT and was surprised that some sites that were clean via VT (VT URL scanners are less than URLVoid's) were either suspicious or dangerous in URLVoid.com (though still in Beta). Best way is to really be careful about the sites you visit as stated earlier "safe sites". Sandboxing is really needed for me. Light AV would not hurt.

    @Sully/safeguy/Dermot7,

    Nice read there:)
     
    Last edited: Mar 7, 2011
  19. John Bull

    John Bull Registered Member

    Joined:
    Nov 22, 2009
    Posts:
    904
    Location:
    London UK
    VTzilla
    =====
    Well I guess Constantine in his previous post has said it all, backed up by some pretty pictures.

    I did PM him saying that I had visited all kinds of grot sites on Google Search, RT clicked them and got either CLEAN or that they had not been reviewed by a VT member yet. One thing I don't want is a Review by a VT member - I can do my own review. What I need is a virus/malware risk check, not somebody's opinion.

    For me, that is useless and pending any replies that may throw some sensible light upon it, I will dump VTzilla.
    I got more sensible results using URLVoid.

    Like I said before, with any program that purports to identify sites that pose an infectious threat, they MUST be based on virus/malware issues and NOT include any moral judgement that is aimed at protecting the Veteran Ladies Bible Class, little Freddie from seeing naughty pictures on his PC or appeasing our Civil Rights enthusiasts.

    My entire interest is 100% dedicated to preventing infectious material from entering my computer system, either by site visit or particularly in downloading as per this thread. Not to adopt the role of Snow White attempting to cleanse the world of all its sins. That is why I enjoy the technical emphasis here at Wilder's.

    Time and again I find that these site marking programs rely almost totally on members' comments and not a library of known threats. Ludicrous and a total departure from the central issue. It amounts to no more than gossip.

    John
     
  20. constantine76

    constantine76 Registered Member

    Joined:
    Dec 18, 2010
    Posts:
    178
    This is with Sandboxie right...very interesting. Mind sharing examples how you do it...? Maybe if possible with images..very interested. Might learn more. It will be a lot of help and good insights for members here.:)
     
  21. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Yes, within SBIE.

    Examples.

    I stumble upon a new word processing program. I have not seen it before. I find it at some review site, head over to the vendor site, download the app. The download is done within Chromium, which is started at Low Integrity Level, and within a Sandbox that is devoted to Chromium. Only Chromium and a few other choice needed executables may run or have network access.

    Chromium downloads the application, a setup.exe for the word processor. It saves it to my downloads directory, which is forced to start anything into my Downloads Sandbox. This sandbox has no restrictions on what can run, but allows NO network access.

    I decide to run the executable. It is forced into the Downloads sandbox. It installs fine. I start the program. It looks ok. I start Process Explorer and examine what is running. Does everything look OK? What is this new process, I have not seen it before. Where does it live? Is it tied to the program? I shut the program down, but see the new process still running.

    Hmm.

    I delete the contents of the Downloads sandbox. I will use InstallRite, and start it with the Downloads sandbox. Then, I start the setup again for the word processor. I monitor what happens during the setup with InstallRite. I make a save file of the install in InstallRite. I scan the system with InstallRite, then run the word processor, then scan again with InstallRite to see what has changed. I save this also.

    Now I can open Process Explorer and see if things are happening the same. I can look at the 2 'snapshots' that InstallRite made, and see every file created/modified/deleted, as well as registry values created/modified/deleted. I can see what happened during install and also what changed from when the word processor started.

    Maybe I see a dll got put into sys32. Maybe a registry entry showed a new service was installed. Maybe it is a bug, maybe not. I need to perhaps research what the dll is. Maybe at this point I want to submit the setup.exe to Jotti. Maybe I want to install MBAM. Maybe I want to start a VM and test in there with other tools. Maybe I want to start the whole process over but this time use something like Process Monitor to see what is happening.

    The point is, that I am familiar with what normally runs. I know how to look for things that might be "out of place". Sandboxie will inform me if outbound network activity is denied.

    At some point, I have to either trust it or not. If not, then I can scan it or something, or go heavy and open a virtual machine, with a full blown firewall and AV/AM scanner(s). Those tools do have their place if you need them. But, do you need them 24/7?

    Does this give a better picture of how one might go about doing this?

    Sul.
     
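A filesystem-only version of the before/after snapshot comparison Sully describes (the two InstallRite "snapshots" diffed for files created/modified/deleted), written here as an added Python example; it is not code from the thread or from InstallRite, registry changes are out of scope, and the flagging rule in review_flags and the constructed temp tree are assumptions.

```python
import hashlib
import os
import tempfile

def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(root):
    """Record every file under root as 'rel/path' -> (size, sha256)."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = (os.path.getsize(full), _sha256(full))
    return snap

def diff_snapshots(before, after):
    """Created, modified (size or content differs) and deleted paths."""
    common = set(before) & set(after)
    return {
        "created": sorted(set(after) - set(before)),
        "modified": sorted(p for p in common if before[p] != after[p]),
        "deleted": sorted(set(before) - set(after)),
    }

def review_flags(diff, app_dir):
    """Heuristic chosen for this example: anything created or modified outside the
    application's own folder, plus any new DLL wherever it lands, needs a look."""
    prefix = app_dir.rstrip("/") + "/"
    return [(kind, p) for kind in ("created", "modified") for p in diff[kind]
            if not p.startswith(prefix) or p.lower().endswith(".dll")]

def _write(root, rel, data):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)

def demo():
    """Constructed install on a temp tree standing in for the system drive."""
    root = tempfile.mkdtemp()
    _write(root, "Windows/System32/kernel32.dll", b"existing")
    _write(root, "Windows/hosts", b"127.0.0.1 localhost\n")
    _write(root, "Users/me/Downloads/setup.exe", b"installer")
    before = snapshot(root)
    # the "install": expected app files, a DLL dropped into System32,
    # an edited hosts file, and the installer cleaning itself up
    _write(root, "Program Files/WordProc/wp.exe", b"app")
    _write(root, "Windows/System32/helper.dll", b"dropped")
    _write(root, "Windows/hosts", b"127.0.0.1 localhost\n0.0.0.0 update.example\n")
    os.remove(os.path.join(root, "Users", "me", "Downloads", "setup.exe"))
    diff = diff_snapshots(before, snapshot(root))
    return diff, review_flags(diff, "Program Files/WordProc")
```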
  22. sbseven

    sbseven Registered Member

    Joined:
    Jan 30, 2011
    Posts:
    140
    Nicely written, Sul.

    I'd add that if the program installs into a sandbox and works OK and it's just a minor program or it will be rarely used, just leave it in the sandbox and don't bother transferring to your live system. After you've finished with the program, you can delete the sandbox and the program's gone without a trace.
     
  23. constantine76

    constantine76 Registered Member

    Joined:
    Dec 18, 2010
    Posts:
    178
    @Sully:

    Very nice. I will try that probably this week/next. I never tried launching an app inside SBIE before (I have SBIE ver 3.52 paid). InstallRite is also new to me. Often when I want to try an app I use VirtualBox.

    Thanks to JB for this thread I learned another one here.

    You all have a good one :)
     
    Last edited: Mar 9, 2011