which is the best way to run a suspicious file?

Discussion in 'other software & services' started by mantra, Feb 27, 2008.

Thread Status:
Not open for further replies.
  1. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Re: which is the best way to run a suspicious file?

    Running the file in Sandboxie gives your AV a chance to scan it if the AV can not unpack the file. You can also look at what the program does to the sandbox and there is a way to check the registry entries by loading the hive into regedit.

    Another method is to run the program in a VM with a HIPS enabled and see what kind of warnings the HIPS throws off.

    Both of these take some technical knowledge to separate ordinary software from malware.
     
  2. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097

    Behavior blockers are a good layer but not exceptional for foolproof protection. I still recommend an ISR program and DefenseWall, and if not that then at least a sandbox type app like Sandboxie http://www.sandboxie.com/ or BufferZone http://www.trustware.com/. Not much after that I would recommend for what you are trying to do, in my opinion. Yes, you could use a VM, but they have their flaws too and take more time than what I mentioned above. Also you have to remember not everything can run in DefenseWall or Sandboxie/BufferZone. So the ISR will have you covered in that case, save for very, very rare malware.

    Thanks,

    Chris
     
  3. Howard Kaikow

    Howard Kaikow Registered Member

    Joined:
    Apr 10, 2005
    Posts:
    2,802

    Do an image backup of the system.
    Run the suspect software.
    Do a full auntie virus scan.
    Restore the system from the image.

    However, even if things seem to go OK, you have no way of knowing what dastardly acts have taken place, or seeds planted, that might bite you in the back rank, to use polite chess terminology, at a later time.

    If you do not trust the software, then do not run the critter.
     
  4. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097

    Yes, you could do that, but depending on your used drive size it could be a while... Small used space, not too long, but much used space and get a lunch. Depending on what program you use to backup and restore, maybe get dinner :) Not knocking Howard's suggestion, just informing you of the negatives as well.

    Thanks,

    Chris
     
  5. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    6,175

    Thanks
    I thought of a program like ThreatFire http://www.threatfire.com/
     
  6. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    6,175

    Yes, thanks
    I will do it, but then I have a service installed all the time, Sandboxie's or DefenseWall's :thumbd: I will use it once or twice a month

    By the way, DefenseWall seems the best
     
  7. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097

    Yes unfortunately but if you need the security...

    Thanks,

    Chris
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590

    Been meaning to pop into this thread, since I've been playing with stuff like this. Couple of points.

    Assuming you don't know, you have to assume the worst, but also know at the end what you have.

    First, the ISR programs are at best marginal: FDISR, RB/EAZfiz. Some of the stuff might get under them, or mess with your other disks.

    Behavior blockers/Sandboxes will indeed protect your system, but then you may not be sure what the software actually did.

    What I have done is first protect my host with either Returnil or ShadowDefender. Then go into a VMware VM. Then I use just SSM with non-install/learning mode. I use SSM because it's the noisiest. I then click through and watch what it does. Certain actions become very obvious and very suspect. For example, modifying the registry to disable taskmgr and all registry editing tools. Also writing a program file to the e:\recycler area is up there on suspicious. Only problem with this of course is when done you are infected. Not an issue with VMware VMs.

    If I was still suspicious, but needed to try it on the host: first I would image, being sure I can restore all partitions, MBR, Track 0, and disk signature. I use ShadowProtect for this. Would also image the D drive. Then I would use ShadowDefender to shadow all the drives. Returnil currently only protects the C: drive, but that change is in the works, so I am told. With these precautions, I'd again test with SSM to watch and again see what the program does on install.

    Above all, assume the worst, and be careful.

    Pete
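A defender-side illustration of the kind of watching Pete describes, as an added example that is not part of this thread and not SSM's own code: a small Python triage script that reads constructed HIPS-style event lines (a made-up `pid|process|action|target|value` format, not SSM's real log format) and flags the two behaviours named above, a registry policy write that disables Task Manager or the registry editing tools, and an executable dropped under a Recycle Bin folder. The sample events, the rule names and the log format are all assumptions made for the example.

```python
import re
from collections import namedtuple

# Constructed HIPS-style event log (a made-up format, not SSM's real log):
# pid|process|action|target|value
SAMPLE_EVENTS = """\
1200|setup.exe|regwrite|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr|1
1200|setup.exe|regwrite|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableRegistryTools|1
1200|setup.exe|filewrite|E:\\RECYCLER\\S-1-5-21-1000\\svchost.exe|
1200|setup.exe|filewrite|C:\\Program Files\\Setup\\readme.txt|
1200|setup.exe|regwrite|HKCU\\Software\\Setup\\InstallDir|C:\\Program Files\\Setup
"""

Finding = namedtuple("Finding", "pid process rule target")

# Policy values that, when set to 1, lock the user out of their own tools.
POLICY_RULES = {
    "disabletaskmgr": "policy_disables_task_manager",
    "disableregistrytools": "policy_disables_registry_tools",
}

# Executable written under a Recycle Bin folder (RECYCLER / RECYCLED / RECYCLE).
EXE_IN_RECYCLER = re.compile(r"\\recycle[rd]?\\.+\.(exe|dll|scr|com|bat|cmd)$", re.IGNORECASE)


def parse_event(line):
    """Split one event line into a dict; return None for malformed lines."""
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != 5:
        return None
    pid, process, action, target, value = parts
    return {"pid": pid, "process": process, "action": action.lower(),
            "target": target, "value": value}


def check_event(ev):
    """Return a Finding if the event matches a suspicious rule, else None."""
    if ev["action"] == "regwrite":
        leaf = ev["target"].rsplit("\\", 1)[-1].lower()
        rule = POLICY_RULES.get(leaf)
        if rule and ev["value"].strip() == "1":
            return Finding(ev["pid"], ev["process"], rule, ev["target"])
    elif ev["action"] == "filewrite":
        if EXE_IN_RECYCLER.search(ev["target"]):
            return Finding(ev["pid"], ev["process"], "executable_dropped_in_recycler", ev["target"])
    return None


def triage_events(text):
    """Run every rule over every event line and collect the findings in log order."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev is None:
            continue
        hit = check_event(ev)
        if hit:
            findings.append(hit)
    return findings


def verdict(findings):
    """Group the rules that fired by process name, so one look shows who misbehaved."""
    by_process = {}
    for f in findings:
        by_process.setdefault(f.process, set()).add(f.rule)
    return {proc: sorted(rules) for proc, rules in by_process.items()}


if __name__ == "__main__":
    for f in triage_events(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid {f.pid} {f.process} -> {f.target}")
    print(verdict(triage_events(SAMPLE_EVENTS)))
```

The benign writes (a readme and an InstallDir value) produce no finding, which is the point: the rules key on the specific actions that are hard to explain for ordinary software, not on registry or file activity as such.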
     
  9. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097

    Peter's idea will work if you have lots of time and you know what you're looking at in your HIPS logs. Also, as far as some stuff getting under some ISR software, please search for these exploits, which are not many actually; they might all be POCs at this point. Now look for VMware security alerts. There are more, and some have been used.

    But remember nothing is perfect. It's possible you make a backup, run the suspicious file, it is malicious, so you reload your image and it is corrupt. Now you have problems. Now you could make an image, try to restore the image, if it works install the suspicious file, then restore the image again... getting tedious. Not saying you will have a corrupt image, but it is possible.

    Thanks,

    Chris
     
  10. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,770
    Location:
    New Mexico, USA

    Almost everything that doesn't need a reboot, I use Sandboxie.

    If it's something really, really suspicious that I've downloaded or a reboot is needed, I'll use VirtualBox. I like it, and for whatever reason I find it easier to use than VMware. So far, it's held up its end and not failed me.

    Both drove me nutty initially but when I finally gave up and read the instructions, things resolved themselves. VirtualBox just seems the friendlier of the two, in my case.
     
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590

    Not quite sure what you are saying here. That you might not be able to restore the image? That shouldn't be a problem, but some stuff can corrupt the drive so you can't restore without totally wiping it first. Other than that I've never had a restore failure with ShadowProtect.

    I also agree you have to know what you are looking for with the HIPS alerts, but this is one area where, if you don't, you shouldn't be playing.

    Pete
     
  12. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097

    Just take a look in the Acronis forum and you can see that there can be an issue restoring images. If he can afford ShadowProtect or already has it, then this would probably be the better of the imaging apps.

    As for the HIPS, you're right in that you shouldn't be relying on HIPS if you're not sure what the alerts mean; that's why I recommend using something a bit easier, as it sounds like the OP may be just learning the security game. Eventually maybe he can move up to HIPS.

    Thanks,

    Chris
     
  13. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    6,175

    Well, I don't understand English very well,
    but thanks for your great tutorial.
    1) ISR are not the best bet, right?
    2) Behavior blockers/Sandboxes? Which is the best?
     
    Last edited: Feb 29, 2008
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590

    1) Depends on what the file in question does, but some nasties can get by them.

    2) Best is subjective. What I do is use Sandboxie, which contains everything, and allows me to delete it. I also use Online Armor, as my firewall/HIPS, and it has a Run Safer option to run select programs at lower rights. I use it on IE, Opera, and Outlook. This also will protect against the nasty tricks. In essence, double protection.

    But note neither of these approaches will identify the file as good or bad. You will have to watch it to determine that. If you can't then you need a standard AV type of program also.

    Pete
     
  15. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    6,175

    You know that the Sandboxie service in auto gives me many issues
     
  16. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097

    We have given some opinions to help. I don't think there is much more that can be said. You are the only one that can make the choice on what runs good on your system and works best for you.

    Thanks,

    Chris
     
  17. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    6,175

    Yes, really thanks to all of you
    I really appreciate it :D:thumb:

    this is the best forum :argh: :thumb: :thumb: :thumb:
     
  18. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    6,175

    I found a portable version of Sandboxie and it works great
     
  19. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA

    I would recommend first scanning the suspicious file with your anti-malware scanning software. If nothing suspicious is reported by any of them, then upload the suspicious file, if it's less than 10 MB, to VirusTotal, which uses quite a number of anti-malware scanning engines. If nothing suspicious is reported by VirusTotal, I would recommend then uploading the suspicious file to Bit9 FileAdvisor to see if it's on their whitelist or blacklist. If it's not on their blacklist or whitelist, or if it's on their whitelist but you're still not comfortable, then I would recommend running the suspicious program in a virtual machine with ThreatFire and some anti-malware scanning engines installed. ThreatFire is a good choice because it usually alerts only when there really is a malware issue. I agree with a previous post that if you're technically inclined, in the virtual machine also use a HIPS that detects single actions, such as Comodo Firewall 3. If nothing suspicious happens in the virtual machine, then I recommend also testing in your real machine, because some malware detects virtual machines and purposely won't behave badly in the presence of one. Run the suspicious program in your real machine with Returnil on (if the suspicious program requires no reboots to install), with ThreatFire installed, and, if you're technically inclined, a "single action" HIPS such as Comodo Firewall 3 installed. If the suspicious program requires a reboot, you could substitute Windows SteadyState disk protection for Returnil. If nothing suspicious happens in the real machine with disk protection on (by using Returnil, Windows SteadyState, or similar programs), then you can turn off the disk protection program and install and use the program normally.

    Before you install in your real machine, make sure you have a recent system backup stored away from your hard drive(s); DriveImage XML on UBCD for Windows is a free program that can make system backups. There are free programs that let you upload to Bit9 FileAdvisor or VirusTotal from a context menu; see http://www.virustotal.com/metodos.html and http://fileadvisor.bit9.com/services/help.aspx?topic=fileadvisor.
     
    Last edited: Mar 1, 2008
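An added helper for the first steps of that procedure, written for this page and not part of the thread, of VirusTotal or of Bit9's tooling: it hashes a sample (in memory, or streamed from disk in chunks so a large file does not have to be read whole), records whether the sample is within the 10 MB VirusTotal limit mentioned above, and notes whether it starts with a DOS/PE "MZ" header. Having the hashes first lets you look a sample up by hash on services that support it before uploading anything. The executable check, the byte interpretation of "10 MB", the function names and the constructed sample bytes are assumptions made for the example; the 10 MB figure and the ordering of steps come from the post.

```python
import hashlib

# 10 MB VirusTotal upload limit cited in the post (assumed to mean 10 * 1024 * 1024 bytes).
VT_UPLOAD_LIMIT = 10 * 1024 * 1024
CHUNK = 1 << 20  # read files 1 MiB at a time so large samples do not fill memory


def _finish(hashes, size, magic, name):
    """Assemble the report once all bytes have been fed to the hashers."""
    return {
        "name": name,
        "size": size,
        "md5": hashes["md5"].hexdigest(),
        "sha1": hashes["sha1"].hexdigest(),
        "sha256": hashes["sha256"].hexdigest(),
        "looks_like_pe": magic == b"MZ",   # DOS/PE header; assumption: treat as a Windows executable
        "within_vt_limit": size <= VT_UPLOAD_LIMIT,
    }


def describe_sample(data, name="sample"):
    """Hash an in-memory sample and gather the facts needed before any upload."""
    hashes = {n: hashlib.new(n) for n in ("md5", "sha1", "sha256")}
    for h in hashes.values():
        h.update(data)
    return _finish(hashes, len(data), data[:2], name)


def describe_file(path):
    """Same report as describe_sample, but streams the file from disk in chunks."""
    hashes = {n: hashlib.new(n) for n in ("md5", "sha1", "sha256")}
    size, magic = 0, b""
    with open(path, "rb") as fh:
        while True:
            block = fh.read(CHUNK)
            if not block:
                break
            if size == 0:
                magic = block[:2]
            size += len(block)
            for h in hashes.values():
                h.update(block)
    return _finish(hashes, size, magic, path)


def triage_plan(info):
    """Order of checks following the post: local scan, hash lookup, upload if small enough, then dynamic analysis."""
    steps = [
        "scan locally with the installed anti-malware scanners",
        f"look up sha256 {info['sha256']} on services that accept a hash before uploading anything",
    ]
    if info["within_vt_limit"]:
        steps.append("upload to VirusTotal (within the 10 MB limit) and check Bit9 FileAdvisor")
    else:
        steps.append("file exceeds the 10 MB VirusTotal limit; rely on hash lookups instead")
    steps.append("run in a VM with ThreatFire and a single-action HIPS, then on the host under Returnil/SteadyState")
    return steps


if __name__ == "__main__":
    # Constructed sample: a fake DOS header followed by padding, not a real program.
    info = describe_sample(b"MZ" + b"\x00" * 64, "constructed.exe")
    print(info)
    for step in triage_plan(info):
        print("-", step)
```

Use describe_file on a downloaded sample and keep the returned dict with your notes; the three digests are what the lookup and whitelist services key on, and the size gate tells you in advance whether the upload step in the procedure even applies.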
  20. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    6,175

    Thanks for your great answer
    Well, it's the first time I meet fileadvisor.bit9.com :thumb:
    Returnil is a virtual machine? But for sure it is not free :(
     
    Last edited: Mar 1, 2008
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590

    No, it isn't. It sort of virtualizes your computer. A virtual machine is a completely separate machine running its own operating system.
     
  22. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    6,175

    Thanks
    But I guess it is not free for home, right? :'( :'( :'(
     
  23. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968

    Returnil is free for home use.
     
  24. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    6,175

    WOW

    PS: why not make a sticky topic with the best software, and maybe the free home versions?
     
  25. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA

    You're welcome. :) All of the software mentioned in my post is free.

    Returnil transparently redirects file writes to memory or free space on your hard drive, so when you reboot, any changes made to your system partition (only) are gone! The real files on your system partition are not changed when Returnil protection is on.

    If you're unsure of how to use a virtual machine, you could skip that step and use Returnil instead, because Returnil might be easier for you. But beware that if you do experience malicious behavior, Returnil protects just the partition with Windows on it, and also any data that gets stolen out of your machine can't be undone by a reboot. That's why it's better to use a virtual machine first if you can. VirtualBox is free virtual machine software, although I haven't personally used it.
     
    Last edited: Mar 1, 2008