
When I run an anti-virus scan (Kaspersky in this case) on an (InnoSetup) installer, it scans multiple "data" objects which seem to be the files within the installer.

This gives the impression that it would detect a malicious program even before running the installer.

Can I rely on the anti-virus software detecting a malicious program within an installer when scanning just the installer? Even if the installer is password protected and encrypted?
Or do I need to scan the installed files as well?

Note: I know that it is dangerous to run an installer from an untrusted source. In my special scenario, the installer itself is created by a trusted source but the contents are not necessarily trusted.

Ignitor
  • Well, and what's the other option? – Aria Sep 23 '16 at 13:27
  • The other option would be to run the installer and then scan the installed files. – Ignitor Sep 23 '16 at 14:35
  • OK, so if you can run the installer in a sandbox (VMware or Wine), then you will have a lot better detection. Today cloud AVs can detect that installers contain malware; however, if this malware is optional, they might not always show it without installing it. – Aria Sep 23 '16 at 15:02
  • That's based on experience in an Internet cafe. There used to be plenty of software people asked to install and the detection varied, but installers are allowed to run most of the time until they try to install malware. If it's optional, it's possible to install it with AV running; if not (as some software has it), then it's impossible to install it. – Aria Sep 23 '16 at 15:04
  • Sometimes installation files are detected just on their SHA-2 checksum (with cloud antiviruses), but that's for the very most malicious, dangerous packages from non-reputable organizations. – Aria Sep 23 '16 at 15:05

2 Answers


Here's something important: in the information security field, a "trusted source" is not only a source which, as you believe, won't cause you any harm intentionally. It's also a source which won't cause you harm occasionally due to ignorance or carelessness.

"A source which can provide an installer with untrusted contents" sounds like a definition of an untrusted source. Even if it's, say, your father or sister, you still need to assess the information security threats based on how much they know about information security, not only on how much you trust your close relatives in general.

If your close relative has just downloaded an installer somewhere and then sent it to you, it still doesn't come from a trusted source in any sense. So it's still better to avoid running it.

ximaera
  • I know that. I changed the wording in my question a bit: actually, the installer *is created* by a trusted source but with untrusted content. So I can be sure that the installer itself will not do anything harmful, but I cannot be sure that the files it installs are harmless. – Ignitor Jan 18 '18 at 09:04
  • What's the difference? – ximaera Jan 18 '18 at 09:06
  • The difference is: I can be sure it is harmless to run the installer. I just cannot be sure that it is harmless to use/execute the files it installs. – Ignitor Jan 18 '18 at 09:07

Depends on the scanning capabilities of your antivirus (/antimalware) program. If it merely looks at snippets within the executable to match against known signatures, then probably not, assuming that "signatures" won't be seen when compressed / encoded / encrypted.

If your antimalware program looks at behavioral characteristics, and most decent ones do, it will most likely see what happens when this installer is executed. Plus, several installers are known and well-documented file formats, and antimalware products know how to analyze their contents.

A decent antimalware program, however, will also look at behavioral characteristics. If files are extracted to disk, they will be scanned when written or executed.

Bottom line, it's relatively easy to bring malware onto a machine. But decoding / deploying and executing it would be the challenge.

The most ideal case is signing your binaries - so you know that they haven't been tampered with and re-packaged in an installer program like InnoSetup.

ndrix
  • "several installers are known and well documented file formats and antimalware products know how to analyze its contents". So in my case, i.e. Kaspersky + InnoSetup, you would say that it analyzes the contents and I do not need to scan the installed files explicitly? – Ignitor Sep 23 '16 at 20:57
  • I don't use Kaspersky, so I can't test it, but their real-time protection should look at all copied files and analyze their behavior when executed. Of course, if you have it enabled. – ndrix Sep 23 '16 at 21:31
  • Deploying and executing malware is actually the easiest part. To avoid AV looking into an installer, it's simple enough to use a custom archive format (or even a standard format with a modified header). Malware has been bypassing AV in this sort of way for ages. Even in the past, zip bombs were used to prevent AV from looking too deep. – forgetful Oct 20 '17 at 06:12
  • For malware authors, the hard part actually *is* getting it onto a machine. Some low-quality stock trojans may be distributed in torrents, but that only gets a small number of people. Others will be distributed through browser exploits, worms, infected ads, infected websites, etc., and this is how the largest infections tend to be distributed. I could write malware in 30 minutes that could bypass any AV, but I could probably only infect a few hundred, maybe a thousand people without a more advanced method of distribution. – forgetful Oct 20 '17 at 06:15
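As an added example (not code from any answer on this page), this PowerShell snippet does what the thread converges on: after running the installer in a sandbox VM, audit the files it actually wrote instead of trusting the scan of the installer alone, by checking each binary's Authenticode signature and recording its SHA-256 hash. The directory in `$InstallDir` is a placeholder.

```powershell
# Added example: audit the files an installer dropped rather than relying on the installer scan.
# $InstallDir is a placeholder; point it at the directory the installer wrote to inside a sandbox VM.
$InstallDir = 'C:\Sandbox\InstalledApp'

$report = Get-ChildItem -Path $InstallDir -Recurse -File -Include *.exe,*.dll,*.sys,*.ps1 |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        [pscustomobject]@{
            Path      = $_.FullName
            SigStatus = $sig.Status      # Valid, NotSigned, HashMismatch, UnknownError, ...
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            SHA256    = $hash
        }
    }

# Anything without a valid signature is what deserves the explicit on-demand scan the question asks about.
$report | Where-Object { $_.SigStatus -ne 'Valid' } | Format-Table -AutoSize

# Keep the full hash list so it can later be compared against the vendor's published hashes or re-scanned.
$report | Export-Csv -Path (Join-Path $env:TEMP 'install-audit.csv') -NoTypeInformation
```

A valid signature only tells you the file is unmodified since the signer signed it, so the signer's identity in the Signer column still has to be one you actually recognise.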