What is the best way to install untrusted software?

Discussion in 'other software & services' started by sun88, Aug 27, 2009.

Thread Status:
Not open for further replies.
  1. sun88

    sun88 Registered Member

    Joined:
    Aug 27, 2009
    Posts:
    66
    n00b question here. I hope this is the right forum for it.
    Sometimes I have software that I can't be sure doesn't contain malware. Even if I scan it with virus checkers I'm not confident that it won't install some kind of malware.

    What's the best anti-malware software and/or methodology to install untrusted software so that when you finish you feel confident that your system is clean? Or if it's not clean, it's easy to revert.
     
  2. Best? That would be not to install it at all ;)

    If I had to test software I didn't trust, I'd probably do so under VMWare or VirtualBox, preferably hosted on Linux or UNIX.
     
  3. JohnnyDollar

    JohnnyDollar Guest

    Virtualization, either through a program like Returnil for example, or on a virtual machine like Virtual PC, or restore from an image that you took with imaging software like Acronis.
     
  4. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    Yep, smartest thing would be to avoid the untrusted stuff to begin with. But if you must do it, have an image before you install, and run a top AV and possibly some other scanners. IMO, it's no good living with the uncertainty at all, I'd avoid the unknown software and move on.
     
  5. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Yes, but how will you KNOW what it does in the virtual machine, or the real machine? The question IMO is not how safe you make your environment, but how do you actually find out what it is doing? Is it obvious, does it tamper with memory, does it try to phone home, does it modify files? You most likely have to give admin rights to install, so how do you know what it does then? My question exactly posted in the malware forum, which program to use (HIPS etc) that is granular but can be configured to make a report, so that when you install and run (in the virtual environment or not) you can get some idea as to what really happened without having to answer annoying popups because all you want to do is know if it was benign or malicious. I am playing with SSM to do that right now.

    Sul.
     
  6. majoMo

    majoMo Registered Member

    Joined:
    Aug 31, 2007
    Posts:
    938
    To do that I use:

    . Sandboxie - to analyze the installation I use SandboxDiff.

    or

    . Returnil - to analyze the installation I use Snapshots' System Explorer feature.

    :thumb:
     
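As an added illustration (not code from the thread or from SandboxDiff/Returnil), here is a minimal before/after snapshot diff in the spirit of the workflow majoMo describes: hash every file under a sandbox or VM folder before the install, hash again afterwards, and report what was created, changed or removed. The `demo()` scenario uses a constructed temporary directory.

```python
# Added example: a snapshot-diff helper for reviewing what an installer did.
# Point snapshot() at the sandbox/VM folder (or a mounted VM disk) before and
# after the install; diff_snapshots() reports the changes.
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for path in root.rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_snapshots(before, after):
    """Return (added, modified, removed) relative paths, each sorted."""
    added = sorted(p for p in after if p not in before)
    removed = sorted(p for p in before if p not in after)
    modified = sorted(p for p in after if p in before and after[p] != before[p])
    return added, modified, removed


def demo():
    """Constructed scenario: the 'installer' drops a file, edits a config
    and deletes a scratch file inside a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "app" / "settings.ini").write_text("autostart=0\n")
        (root / "tmp.txt").write_text("scratch\n")
        before = snapshot(root)
        # simulated installer activity (constructed, not a real program)
        (root / "app" / "helper.exe").write_bytes(b"MZ\x90\x00constructed")
        (root / "app" / "settings.ini").write_text("autostart=1\n")
        (root / "tmp.txt").unlink()
        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    added, modified, removed = demo()
    print("added:", added)
    print("modified:", modified)
    print("removed:", removed)
```

A file-level diff only shows the disk side of an install; registry changes, network activity and in-memory behaviour (the points Sully raises) need a HIPS log or a VM snapshot tool alongside it.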
  7. sun88

    sun88 Registered Member

    Joined:
    Aug 27, 2009
    Posts:
    66
    Yes, Sully, that's part of my question. Thanks for clarifying.
    By the way, what is this SSM that you are playing with?
    I also read a little about Shadow Defender which maintains your system integrity during an install, and makes it easy to revert, or so they say.

    And thanks to majoMo for that simple explanation of how to use sandboxie or returnil for checking installs.
     
  8. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Hey, I did not know about sandbox diff, I will look into that.

    SSM is system safety monitor, a HIPS type of program capable of monitoring lots of things.

    I don't use Rnil, but that feature of exploring sounds nice. I have been using Shadow Defender, as I like the one-off license. It works very well, but there are no features like Rnil offers for exploring what happens. One thing I have been using it for instead of SBIE is to install a program, then go to the program folder created, and commit the folder. This saves the files to the hdd, and then on reboot the registry etc are gone leaving only the files. Makes a convenient way to test if the app is portable or not.

    Sul.
     
  9. sun88

    sun88 Registered Member

    Joined:
    Aug 27, 2009
    Posts:
    66
    I'm also keen on the idea of using a Virtual Machine to do the testing. Thanks guys for that suggestion. That way, after the install you can use scanning software to see if anything bad happened. I already have Ubuntu and Win 7 running as VM's. It's funny how I just couldn't see these straightforward ideas myself, before I asked the question. I was too confused by the plethora of security software that I've been reading about here. Now it's starting to come into focus.
     
  10. jonyjoe81

    jonyjoe81 Registered Member

    Joined:
    May 1, 2007
    Posts:
    829
    As long as the program doesn't require a reboot, I use returnil. It installs the program in memory and will work like any normal program. This will give you a real world view of how the program will behave. When you reboot the program is gone.

    I do it all the time and works perfectly. You don't need sandboxie or all those other complicated programs.

    If the program requires a reboot, you need either a virtualbox type software (but then you would need to install an OS in the virtualbox and the installed program might not run to its maximum potential in a virtualbox) or an imaging software and do a restore if you run into problems. The imaging is "overkill" for testing software and I don't use it, but it's an option.
     
  11. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Yeah I use Sandboxie for installing mundane things a lot, like a pdf reader or something I want to try. It is easy to delete the sandbox. I use ShadowDefender in shadow mode all the time now, so I can also install things without reboot that way too.

    I tend to not think about using vmWare to actually use a program in, but more to segregate from the real world (a clean environment) or for just testing. For example, if I want to inspect a new firewall, or just a new version of one I tried before, I install in vmWare to see how it is. If I like it I can install it on the real system, but most often I just check things out to see how the interface is or how it performs in resources.

    I am playing currently with different methods to install something into vmWare, and use HIPS (SSM ATM) to 'log' what happened. This way if there is something suspicious I want to look at, or just to see how much unneeded 'bloat' a program will use, it is easy to see all that happens other than registry/file creations.

    Sul.
     
  12. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Regardless of the method you choose, make a full system backup before installing unknown software. That way, you can always restore your system exactly as it was. There's always some risk when installing software. In addition to the risk of infection, there's always a chance that the new software will conflict with something on your system or change settings that you didn't want changed. Uninstallers rarely remove everything and often don't restore other settings such as file associations.

    The install process itself is only part of the problem. Some software downloads additional components when first started. All of the same issues are possible.
     