Link Logger Premium,MVM join:2001-03-29 Calgary, AB
How do you determine if an app is safe or evil?
In an effort to avoid hijacking another thread I'm going to suggest we split off the discussion of how do you prove or disprove that an app is malicious or not.
Lots of people make claims that apps are safe or malicious, but what do they base such claims on: facts, personal experiences, hearsay, like/dislike for a particular company, technology, etc.? Now some people might not have noticed, but I'm typically a believer in social systems (as bad as they might be, they often exist because nothing better is available), and this applies somewhat to my approach to applications (i.e. an app is innocent until proven guilty, but to do that we must prove an absence of guilt, as that is the only way to prove innocence; the burden of proof is on the prosecutor, not the defendant, but of course if the defendant has a rap sheet in the software world then we don't use any of their software, case closed).
So what do I do when I get a new application that I/we might want to use? First, certainly, I consider the source of the application and whether I have any personal experience with that developer, and secondly other people's comments (of course I consider the apparent credibility of the source, see below). If a second party makes a claim about an app, I then seek evidence to back their claim, as IMHO too many people in IT (including IT spectators) just spew BS for BS reasons, which is hugely wasteful, as then I have to spend time figuring out if it's a valid claim or just someone wearing too much tin foil, etc., or if perhaps there are valid circumstances around their claim which may or may not apply to our situation.
Next, depending on the application and the risk factor involved, we will pen test the app ourselves and monitor its installation impact (i.e. what does it install and where, what/when/where/how stuff is started, etc.; this is also a good time to scan the heck out of it with X virus scanners and see if any of them report it as evil), and monitor its execution (i.e. what files does it touch, what network activity, etc.; I might even consider fuzz testing it or using other tools to poke it to see how it reacts). This is also when we test its functionality and ultimately suitability for our needs (including other forms of testing, such as load testing). Now certainly virtual machines have dropped the bar for applications entering pen testing, as it used to be a real hassle setting up real machines and networks for testing (I've had companies in the past where we had multiple labs doing nothing more than testing); long live virtual machines. Now if an app is really 'interesting', I might pop the hood on the code and take a look at the exe, disassemble it, reflect it, whatever the technology it was written in requires to explore the app.
If an app passes these requirements we might decide to deploy or likely limited deploy in a test environment again monitoring various activities (including updates etc).
Now the point is, after all of this, is the application truly 100% safe? Not a chance, but this is a fact of reality: there is no way to prove an application is safe, but we have tested enough to claim due diligence. If someone knows of a way to prove an app 100% safe, I'd love to hear about it and build a company around that, as I could use another gazillion dollars, which is what the company would make being the only one in the world who could do this. So the assumption is that an app is safe (otherwise we would just skip it altogether, unless we are just feeling playful and wanted to experiment with evil, which can be fun in and of itself), and then we see if we can prove it unsafe; hence in the end all we can say about an app, based on our experience and testing (which being bound by reality is limited), is that the application appears to be safe (i.e. innocent until proven guilty).
Now this is why I hate unsubstantiated claims as to whether software is malicious, as then I have to look for evidence for their claim and often I can find nothing. So for example when I hear people claim that SysInternal's tools have become malicious since they were taken over by Microsoft, and I can find no evidence and my own testing isn't able to find evidence of this either, then ultimately their claim has resulted in little more than a huge waste of my time and resources and marks that source of information as a write-off in the future.
Blake -- Vendor: Author of Link Logger which is a traffic analysis and firewall logging tool
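One way to do the "what does it install and where" step from the post above, as an added example that is not the poster's own tooling: hash every file in a tree before and after running the installer in a throwaway VM, diff the two snapshots, and flag new or rewritten drivers and executables for a closer look. The directory contents here are constructed stand-ins for a real install tree.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Extensions worth a second look when they appear or change after an install.
WATCHED = {".sys", ".dll", ".exe"}

def snapshot(root):
    """Map every regular file under root (POSIX-style relative path) to its SHA-256."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            result[path.relative_to(root).as_posix()] = digest.hexdigest()
    return result

def diff_snapshots(before, after):
    """Return (added, modified, removed) relative paths, each sorted."""
    added = sorted(p for p in after if p not in before)
    removed = sorted(p for p in before if p not in after)
    modified = sorted(p for p in after if p in before and after[p] != before[p])
    return added, modified, removed

def flag_watched(added, modified):
    """Subset of added/modified files whose extension is in WATCHED."""
    return sorted(p for p in added + modified if Path(p).suffix.lower() in WATCHED)

def demo():
    """Constructed before/after run; a real run would snapshot the VM's disk instead."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "app" / "app.exe").write_bytes(b"original build")
        (root / "app" / "readme.txt").write_bytes(b"docs")
        before = snapshot(root)
        # Simulated installer effects: drops a driver, rewrites app.exe, removes readme.
        (root / "drivers").mkdir()
        (root / "drivers" / "helper.sys").write_bytes(b"\x00constructed driver")
        (root / "app" / "app.exe").write_bytes(b"patched build")
        (root / "app" / "readme.txt").unlink()
        after = snapshot(root)
    added, modified, removed = diff_snapshots(before, after)
    return added, modified, removed, flag_watched(added, modified)

if __name__ == "__main__":
    print(demo())
```

Pair the file diff with the process and network monitoring the post mentions; a dropped .sys file that no visible process loads is exactly the kind of thing this surfaces.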
nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL
Thanks. Good post.
Yes, in general, it is very difficult to tell whether a program is safe. Recommendations by people who have proven trustworthy can be useful. If the program is an application with no special privileges, and run only as a limited user, then I won't be as concerned as I will be with software that runs with greater privileges.
So for example when I hear people claim that SysInternal's tools have become malicious since they were taken over by Microsoft, ... When I hear that kind of comment about software I take it as really saying, in exaggerated language, that the person is unhappy with the current version of the software.
It's unfortunate that people use such exaggerated language. But when they are angry their emotions sometimes overrule their reason. If they provide credible documentation that the program is malicious, I might then take it a bit more seriously. -- AT&T Uverse; Zyxel NBG334W router (behind the 2wire gateway); openSuSE 11.0; firefox 3.0.14
dave Premium,MVM join:2000-05-04 not in ohio
reply to Link Logger
I use pretty much the same procedure I use when buying anything: read reviews and comments.
Sure, commentators can be biased, be clueless, etc., but I think you can get a good sense of how trustworthy they are by examining their commentary in general.
I suppose someone, somewhere, has to do the primary research. I guess you're one of those someones. Thanks on behalf of the rest of us.
caffeinator Coming soon to a cup near you.. Premium join:2005-01-16 Spokane, WA
reply to Link Logger
Re: How do you determine if an app is safe or evil?
I'm no coder, so I can't look at it from that perspective. But, if I'm in doubt...
1. Google around for issues people may have had.
1a. Decide on risk vs. need.
2. Send it to VirusTotal BEFORE installing, if it's small enough.
3. Scan the heck out of it before installing if it's not.
4. Disable Internet while installing and watch for hinky connections.
5. Use WinPatrol, Process Monitor and TCPView to monitor during/after install for activity and new services or processes.
That's about it.
Rebirth join:2009-06-18 33333
reply to Link Logger
Good question.
Even if software is quite, or even well known, it doesn't automatically make it safe or bad.
Here's an example of a fairly new app written by someone most of us had never heard of before.
PE GUARD V1.2: A new program to protect your exe files from viruses; also it will protect you from rootkits/new viruses with no updates needed ;).
opaida.110mb.com
As you can see from the www screenie it might not inspire confidence straightaway. If you discovered it from somewhere like softpedia you might be more likely to trust.
www.softpedia.com/get/Antivirus/···RD.shtml
PE GUARD description: A handy application that protects your executable files from virus infections, with no updates needed.
PE GUARD is a small program that protects you from:
· A virus/program trying to copy itself to your PC. (POWER mode only)
· A virus/program trying to inject itself into one of your PE (Portable Executable) files. (POWER & NORMAL mode)
· Any rootkit/program trying to write a new Driver (.sys) file on your PC. (POWER mode only)
How do I use PE GUARD? When an alert appears, the user can choose one action from three available actions:
· "ALLOW": Allow the process to get write access to the requested file.
· "REVOKE WRITE ACCESS": The process is allowed only to get read access to the requested file.
· "PREVENT ANY ACCESS": Send Access Denied to the process.
Even then it's wise to try and check up some more, if you can.
But I and others first discovered it on Wilders, which has a good reputation for trying/testing new apps.
www.wilderssecurity.com/showthre···=peguard
Sometimes you just get a good feeling about things and trust intuition based on previous experiences. I haven't been disappointed with it either, as it's a worthwhile lightweight addition.
Also take ALL those ARKs (AntiRootKits) that have appeared in the last 4-5 years, written mostly by unknown people. Not one of them was evil; in fact several, then and since, are still way better than mainstream products, and free.
OZO Premium join:2003-01-17
reply to Link Logger
What is a definition of an "evil" application? What makes it "evil"? -- Keep it simple, it'll become complex by itself...
Smokey Bear veritas odium parit Premium join:2008-03-15 Annie's Pub
said by OZO: What is a definition of an "evil" application? What makes it "evil"?
Those are really good and valid questions.
swhx7 Premium join:2006-07-23 Elbonia
reply to Link Logger
The other thread referenced above may be one where I posted, and I apologize if I was too dogmatic there and offended anyone.
Two questions are blended in your initial post, LL. (a) what are the criteria for a program being "safe or evil" (b) given a set of criteria, how can you tell whether the program meets them or not.
The title and most of your discussion address (b), but obviously you have to have an answer to (a) first, and it will to some degree influence the answer to (b). I think this is what OZO and Smokey Bear are getting at.
Link Logger Premium,MVM join:2001-03-29 Calgary, AB
reply to OZO
said by OZO: What is a definition of an "evil" application? What makes it "evil"?
That is sort of personal now, isn't it, and ultimately part of the problem, given the classic answer is something like:
quote: but my concept of malware is any software that is designed to behave contrary to its documentation, or to evade control and monitoring by the computer owner
but of course this is an open domain problem, as often it is easier to define what something does, rather than what it doesn't do (or what you think it doesn't do). It's like I tell you that guy over there might be a risk, but what kind of risk: a gun, bomb, bio weapon, or he is going to steal your pet? It's an open domain problem, so you frame the consequences that you think are reasonable given the environment in which the software operates and go from there. In the case of software often we describe a particular function the software performs and then, based on that, deem it 'evil' (again we are back to the claim/proof thing).
So given the lineage of this thread, let's say 'evil' is whatever people claim SysInternal's software does now that Microsoft has taken them over, but this again highlights the problem: people labeling a piece of software without proof. Now my statement of proof that it wasn't 'evil' is based on my personal experience and some testing, but is still somewhat limited to my own personal experience; but it's enough to make me feel comfortable with using SysInternal's software and question the abilities of others (or myself, in that perhaps I'm missing something they aren't).
Ultimately there must be a public opinion definition of evil, as people chuck it around like candy on Halloween.
Blake
EGeezer Go Bobcats Premium join:2002-08-04 Country!
reply to Link Logger
If Glenn Beck and freerepublic say it's malicious, I can be pretty sure it isn't. www.freerepublic.com/focus/chat/···45/posts
DaMaGeINC The Lan Man Premium join:2002-06-08 Greenville, SC
reply to Link Logger
For me, it depends on the site that it comes from. Say I visit a site for a program and get bombarded with ads; I immediately leave and try another. My reason is that if a site with a program relies heavily on ads to make money, who's to say they won't put adware in their programs too? --
Have a Networking problem or question? Stop by the Networking Forum and let us help you.
Erg Too lazy for idealism join:2008-01-19
reply to Link Logger
From a regular user's point of view, I usually rely on reviews and comments from the app's page or download page. I tend to download from Filehippo, Softpedia and CNET. I also check with dslr first since I know that folks here are pretty security-savvy. Doing a scan won't hurt too. -- "Ye shall know the truth, and the truth shall make you mad." -Aldous Huxley
Serbtastic You Know How Many People I Have Buried? Premium join:2002-02-24 Stoney Creek
reply to Link Logger
I usually check the good/evil switch on the back.
dave Premium,MVM join:2000-05-04 not in ohio
reply to Link Logger
I'm just now reconsidering the title of this thread. It's a little strange since 'evil' is not the opposite of 'safe'.
You can, for example, have an evil app that's safe, because it is designed by the clueless. (For a non-app example, the average Nigerian scam email is both evil and safe).
You can have a non-evil app that is not safe, because it is designed by the clueless and wrecks your system.
I think I'm mostly interested in the safe/unsafe axis: will it do bad things to my system?
aefstoggaflm Open Source Fan Premium join:2002-03-04 Bethlehem, PA
reply to Link Logger
If it is open source, by looking at the source code. And as need be, getting help understanding the code. -- Please use the "yellow (IM) envelope" to contact me and please leave the URL intact.
KodiacZiller join:2008-09-04 73368
said by aefstoggaflm: If it is open source, by looking at the source code. And as need be, getting help understanding the code.
That doesn't count because we are talking about Windoze software, most of which is closed-source and will always be. Even so-called "freeware" is oftentimes closed-source.
swhx7 Premium join:2006-07-23 Elbonia
reply to Link Logger
How about some examples? These are based on the above-quoted criterion.
* Hypothetically, let's say Sysinternals Process Explorer purports to list all the processes on Vista (by implication if not by an explicit claim), but in reality it omits some from the list. - Verdict: "evil" (LL term) because it intentionally deviates from (implicit) documentation.
* Sony rootkit - Verdict: "evil" because it is designed to evade knowledge and control by the system owner.
* WGA: Maybe I install this voluntarily, and its documentation discloses what it does. But then, later, I decide I don't want it anymore. - Verdict: "Evil" because it is designed to obstruct control (in this case removal) by the system owner.
* IceWeasel: Installed, then later, because of a bug, it deletes data or is hijacked by cyber-criminals. - Verdict: Not "evil": The bug was accidental; the app was not designed to do this, nor was it knowingly represented.
OZO Premium join:2003-01-17
Good examples!
Here is yet another one:
* Microsoft Word 2003 (or Excel, for that matter). From one side it's a "good" application. But from the other side, from time to time it makes unsolicited Internet connections. - Verdict: "evil" because it exhibits completely unexpected behavior for such an application (a word processor) and there is no way to stop it except to run an outbound firewall and make a specific rule for that application... And, BTW, it may require a special "cleanup" tool to remove your personal data from the files saved, which you may not expect either... Certainly "evil". -- Keep it simple, it'll become complex by itself...
Link Logger Premium,MVM join:2001-03-29 Calgary, AB
Would unsolicited internet connections to check for updates be considered 'evil'?
One man's evil, another man's gold.
So I see the crew over at SubSeven is starting work on version 2.3; is SubSeven considered evil?
Blake