Which is the best way to run a suspicious file?

Discussion in 'other software & services' started by mantra, Feb 27, 2008.

Thread Status:
Not open for further replies.
  1. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I actually do, but I test in a VM, and if testing nasties, I also have the host in Shadow Mode with ShadowDefender. A layer, if you will.
     
  2. AKAJohnDoe

    AKAJohnDoe Registered Member

    Joined:
    Sep 26, 2007
    Posts:
    989
    Location:
    127.0.0.1
    Email it to one of your ex-spouses and if they are still capable of replying, it is probably safe?
     
  3. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    With basic security measures, you'll be fine. BTW, VMware (the most popular VM) hasn't been breached "in the wild".
    Of course :)
    I DO use VMs without fear.
     
  4. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi Lucas:

    Thanks a lot. When I get a new PC (someday :'( ) I'll try the VM on a separate box till I gain confidence in it! When that day comes I'll ask you again about your VM hints!

    See ya!
     
  5. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Thanks Pete:

    I'm not up to you on VMs yet. Over the last 5 years I've moved from only AVs to AV plus FW to AV plus FW plus HIPS, and now have an IP blocker as well. Oh yes, and the image backups (thank G... for those).

    But VMs, nope, not yet. I suspect I'll like them when I get there. Don't understand them yet and haven't tried to learn. :oops:
     
  6. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    In an earlier post I mentioned SysAnalyzer. One of the features it has is recognition of virtual machine detection code. Malware nowadays apparently often uses virtual machine detection code, while non-malware I believe does not. Thus, if such a signature is detected, the suspicious file should be regarded with high suspicion. If anybody knows of any other software that has similar capabilities, please share.
     
  7. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    As is expected, the more virtual environments are in use, the more VM-aware malware is created. It looks bad for testing and research, but the battle keeps continuing until....... to no end. :(
     
  8. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Given this, it makes the 100% separate physical PC for testing look like the safest option if the VM-aware malware has cracked VMs. :doubt:
     
  9. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Hey guys, don't fret please. VMs are still great for software testing, but for malware? Especially new ones designed to detect when they are in a VM, just do yourself a favor and pick up a used hard drive. There's nothing to lose, because many shops are happy to unload them and get them out of their way, since they replace many with new ones for customers.

    Then test your malware samples on them. They will run just fine and give you the show you expect of malicious creations.
     
  10. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    VM-aware malware doesn't crack the VM. If VM-aware malware detects that it's running on a VM, it won't display malicious behaviour (sometimes, if malware detects a VM, it won't even run), because VMs are used by AV scanning engines, malware researchers, honeypots, etc.
    It's a trick to avoid being analyzed by the good guys (fly low to evade the radar).
     
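The post above describes the decision VM-aware malware makes, but not what the check itself looks at. The following is an added example by the editor, not code from the thread or from any product named in it: it fingerprints a hypervisor from two well-known artifacts, the SMBIOS/DMI vendor and product strings and the OUI prefix of the network card's MAC address. The artifact tables are the editor's selection; the sysfs paths are Linux-specific and used only in the optional live check at the bottom. For an analyst, the same lists are what a detonation VM has to hide or spoof.

```python
"""Runtime hypervisor fingerprinting of the kind VM-aware malware performs.

Added example by the editor; the DMI markers and OUI table are the editor's
selection of publicly known indicators, not an exhaustive list."""
import uuid

# IEEE OUI prefixes assigned to hypervisor vendors for their virtual NICs.
VIRTUAL_NIC_OUIS = {
    "00:50:56": "VMware", "00:0c:29": "VMware", "00:05:69": "VMware",
    "08:00:27": "VirtualBox",
    "52:54:00": "QEMU/KVM",
    "00:15:5d": "Hyper-V",
    "00:16:3e": "Xen",
}

# Case-insensitive substrings of DMI vendor/product strings that hypervisors expose.
# "virtual machine" is the Hyper-V product name; "innotek" is the old VirtualBox vendor.
DMI_MARKERS = {
    "vmware": "VMware", "virtualbox": "VirtualBox", "innotek": "VirtualBox",
    "qemu": "QEMU/KVM", "kvm": "QEMU/KVM", "bochs": "QEMU/KVM",
    "virtual machine": "Hyper-V", "xen": "Xen", "parallels": "Parallels",
}


def normalize_mac(mac):
    """Accept 'AA-BB-..', 'aa:bb:..' or a 48-bit int; return lowercase colon form."""
    if isinstance(mac, int):
        mac = f"{mac:012x}"
    mac = mac.replace("-", "").replace(":", "").lower()
    return ":".join(mac[i:i + 2] for i in range(0, 12, 2))


def detect_hypervisor(dmi_strings, macs):
    """Return (hypervisor_name or None, list of evidence strings).

    The first matching artifact decides the name; every match is reported so
    an analyst can see which artifact gave the VM away.
    """
    evidence, guess = [], None
    for s in dmi_strings:
        low = s.lower()
        for marker, name in DMI_MARKERS.items():
            if marker in low:
                evidence.append(f"dmi:{s!r} -> {name}")
                guess = guess or name
    for mac in macs:
        m = normalize_mac(mac)
        name = VIRTUAL_NIC_OUIS.get(m[:8])
        if name:
            evidence.append(f"mac:{m} -> {name}")
            guess = guess or name
    return guess, evidence


def collect_host_artifacts():
    """Read the same artifacts from this machine (DMI via Linux sysfs; MAC via uuid)."""
    dmi = []
    for field in ("sys_vendor", "product_name", "board_vendor", "bios_vendor"):
        try:
            with open(f"/sys/class/dmi/id/{field}") as fh:
                dmi.append(fh.read().strip())
        except OSError:
            pass  # not Linux, or no DMI exposed
    # uuid.getnode() returns a random, locally administered value if no NIC is
    # found; such a value will never hit the OUI table.
    return dmi, [uuid.getnode()]


if __name__ == "__main__":
    # Constructed inputs (not captured from a real machine) followed by a live check.
    print(detect_hypervisor(["VMware, Inc.", "VMware Virtual Platform"], ["00:50:56:aa:bb:cc"]))
    print(detect_hypervisor(["Dell Inc.", "OptiPlex 7010"], [0x3C970E123456]))
    print("this host:", detect_hypervisor(*collect_host_artifacts()))
```

The checks are deliberately cheap: no privileged instructions, no timing, just strings the guest can read without elevation, which is exactly why sandboxes that do not rewrite DMI tables and MAC prefixes get spotted.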
  11. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Correctamongo!!

    While they are of some use for some malware, today's more intuitive makers of these disruptors know to build in a neutralizer whenever a VM is detected, which is why I research malware on pure hard drives, used ones of course. LoL
     
  12. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi Easter and Lucas:

    Hmmm, let's say I do this and get a used HD, what exactly do I do? (bad wording)

    Install it as a second drive on my main live data PC? Sorry to be stupid on this but what exactly would I do, put the baddie on the used drive and pray that it won't impact the rest of my PC?

    Straighten me out please! My lack of experience with VMs is showing, but I don't claim any, so it doesn't matter. :D
     
  13. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    If you're going to use a second HDD as a malware honeypot, first disconnect every other HDD (internal and external) in your system. This way, nothing can spread out of the "zoo".
     
  14. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Right, and by the time I do that and pass the zoo animals through my CPU to get to the honey drive, I may as well do it on a separate PC, since I don't want to spend my time hooking and unhooking drives.

    I'm back where I started now!:cool:
     
  15. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I just use a single drive and infect the tar out of it. It's sometimes helpful to make an extra partition and use some good app to lock it, or else remove it via Paragon or another image program that can "hide" it from Windows. Then let all heck fly and review how your security apps handle the mess, or not.

    Or, if I had a second slave drive that I don't mind wiping and reformatting again, you can observe whether it also becomes affected or not, but make darn sure you don't have it FAT formatted like I did recently.

    I tested some mean samples on the main NTFS file system and later discovered the second drive I formatted FAT was a total wreck.
     
  16. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    The points by EASTER are good ones and I don't disagree. My focus in my last post about SysAnalyzer, however, was not where to test malware, but how to tell if a particular program is malware. If a particular program is found to have code that detects the presence of virtual machines, wouldn't that make the program rather suspicious? SysAnalyzer can run in either a physical or virtual machine. I was also asking the other forum members if anyone has knowledge of any other similar software that does this.
     
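MrBrian's two posts (the one introducing SysAnalyzer's VM-detection signature recognition and the follow-up above) both make the same point: a program that carries code to detect a virtual machine deserves a closer look. The block below is an added example by the editor of what such a static check can look like; it is not SysAnalyzer's signature set and not code from the thread. It scans a file's raw bytes for a handful of publicly documented VM-detection artifacts: hypervisor product and service names (ASCII and UTF-16LE), the VMware backdoor I/O port sequence (EAX = 'VMXh', EDX = 0x5658, IN EAX,DX), the descriptor-table store instructions used by the "Red Pill" trick (SIDT/SGDT/SLDT/STR), and CPUID. The weights and threshold are the editor's choices, and the two sample blobs at the bottom are constructed for the demonstration, not real malware.

```python
"""Static heuristic scan of an executable's bytes for VM-detection artifacts.

Added example by the editor, not SysAnalyzer's own signature set; the
strings, opcode patterns and weights below are the editor's choices."""
import struct

# Device, service and registry names that VM-aware samples commonly look for.
# Each is matched as ASCII and as UTF-16LE (how Windows binaries store them).
VM_STRINGS = [
    b"VMware", b"vmtoolsd.exe", b"VMwareService", b"vmmouse",
    b"VirtualBox", b"VBoxService", b"VBoxMouse", b"VBOX__",
    b"QEMU", b"SbieDll.dll",
]

# VMware "backdoor" I/O port: EAX = 'VMXh', EDX = port 0x5658 ('VX'), then
# IN EAX,DX. On bare metal the IN faults; inside VMware the host answers.
VMWARE_MAGIC = 0x564D5868
VMWARE_PORT = 0x5658
IN_EAX_DX = 0xED

# Weights are illustrative. CPUID appears in plenty of benign code, so it
# only tips the scale together with stronger signals.
WEIGHTS = {"vm-string": 2, "vmware-backdoor": 4, "sidt": 2, "sgdt": 2,
           "sldt": 2, "str": 2, "cpuid": 1}
SUSPICIOUS_THRESHOLD = 3


def _find_all(data, needle):
    hits, pos = [], data.find(needle)
    while pos >= 0:
        hits.append(pos)
        pos = data.find(needle, pos + 1)
    return hits


def find_vm_strings(data):
    """Return (string, offset, encoding) for every VM-related string in data."""
    hits = []
    for s in VM_STRINGS:
        text = s.decode()
        hits += [(text, off, "ascii") for off in _find_all(data, s)]
        hits += [(text, off, "utf-16le") for off in _find_all(data, text.encode("utf-16le"))]
    return hits


def find_vm_instructions(data, window=32):
    """Return (name, offset) for opcode sequences used to fingerprint a hypervisor.

    This scans raw bytes, not a disassembly, so data can match too; treat
    hits as leads for a disassembler, not as proof.
    """
    hits, n = [], len(data)
    for i in range(n - 1):
        b0, b1 = data[i], data[i + 1]
        # mov eax, imm32 (B8 imm32) carrying 'VMXh', followed within `window`
        # bytes by mov edx, 0x5658 (BA imm32) and IN EAX,DX.
        if b0 == 0xB8 and i + 5 <= n and struct.unpack_from("<I", data, i + 1)[0] == VMWARE_MAGIC:
            tail = data[i + 5:i + 5 + window]
            if struct.pack("<BI", 0xBA, VMWARE_PORT) in tail and IN_EAX_DX in tail:
                hits.append(("vmware-backdoor", i))
        if b0 != 0x0F:
            continue
        if b1 == 0xA2:                       # CPUID (leaf 1, ECX bit 31 = hypervisor present)
            hits.append(("cpuid", i))
        elif b1 in (0x00, 0x01) and i + 2 < n:
            modrm = data[i + 2]
            if modrm >> 6 == 3:              # register forms (e.g. VMCALL) are not table stores
                continue
            reg = (modrm >> 3) & 7           # the /digit field selects the instruction
            name = {(0x01, 0): "sgdt", (0x01, 1): "sidt",   # SIDT is the "Red Pill" check
                    (0x00, 0): "sldt", (0x00, 1): "str"}.get((b1, reg))
            if name:
                hits.append((name, i))
    return hits


def scan(data):
    """Score a blob; return (score, verdict, findings)."""
    findings, score = [], 0
    for s, off, enc in find_vm_strings(data):
        findings.append(("vm-string", off, f"{s} ({enc})"))
        score += WEIGHTS["vm-string"]
    for name, off in find_vm_instructions(data):
        findings.append((name, off, ""))
        score += WEIGHTS[name]
    verdict = "suspicious" if score >= SUSPICIOUS_THRESHOLD else "no VM-detection artifacts"
    return score, verdict, findings


# Constructed test blobs (not real samples): a VM-aware one carrying the VMware
# backdoor sequence, a Red Pill SIDT and a VirtualBox service name, and a
# benign one with none of them.
SAMPLE_VM_AWARE = (
    b"MZ" + b"\x00" * 14
    + b"\xB8\x68\x58\x4D\x56"           # mov eax, 'VMXh'          (offset 16)
    + b"\xBA\x58\x56\x00\x00"           # mov edx, 0x5658 ('VX')
    + b"\xB9\x0A\x00\x00\x00"           # mov ecx, 10 (get version)
    + b"\xED"                           # in eax, dx
    + b"\x0F\x01\x0D\x00\x10\x40\x00"   # sidt [0x401000]          (offset 32)
    + b"VBoxService.exe\x00"            #                          (offset 39)
)
SAMPLE_BENIGN = b"MZ" + b"\x00" * 14 + b"Hello, world\x00\xC3"

if __name__ == "__main__":
    for label, blob in (("vm-aware", SAMPLE_VM_AWARE), ("benign", SAMPLE_BENIGN)):
        score, verdict, findings = scan(blob)
        print(f"{label}: score={score}, {verdict}")
        for name, off, detail in findings:
            print(f"  {name:16s} @0x{off:04x} {detail}")
```

Run it against a real file with `scan(open(path, "rb").read())`. Because the opcode matcher works on raw bytes, a hit is a reason to open the file in a disassembler at that offset, not a conviction; packed or encrypted samples will show nothing at all until unpacked, which is where a dynamic tool such as SysAnalyzer comes in.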