How do I check if a program can potentially be a virus?

I am running Windows XP in a VM. I want to download a few applications, install them one by one and check if they could potentially be a virus. I assume a virus would need to add something to the startup folder, add the application to the startup section in the registry, or add a service. What else might it do to become active?

Anyway, how can I check to see if a program may be a virus? I use HijackThis to get a list of processes and I simply compare it from before I installed to after and see if there's anything different. Is this good enough? My main OS is Windows 7 but I do not have that in a VM and don't see a reason to test with that.

user3109

Posted 2010-02-14T09:33:34.243


Bear in mind that determining whether a program is or is not a virus is essentially equal to the halting problem: you can solve it in special cases, and you can get pretty confident in many more cases, but it's generally not possible to be certain. – David Thornley – 2010-02-15T14:53:32.533
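As an added example (not code from the question or any of the answers), here is the before/after comparison the question describes, scripted instead of done by eye with HijackThis: it snapshots the Run keys, the Services key and the per-user Startup folder, and reports what an install added, removed or changed. The registry paths are the standard Windows ones; the Startup folder path assumed is the Windows XP layout.

```python
import os
import sys

# Autostart locations the question names: Run keys, the Startup folder, services.
RUN_KEYS = [(h, r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run") for h in ("HKLM", "HKCU")]
SERVICES_KEY = ("HKLM", r"SYSTEM\CurrentControlSet\Services")
STARTUP_DIR = r"%USERPROFILE%\Start Menu\Programs\Startup"  # assumed: XP profile layout

def _reg_enum(hive, path, subkeys):
    """Value names -> data under a key, or (subkeys=True) its subkey names; {} if absent."""
    import winreg  # Windows only; snapshot() guards the platform before calling this
    root = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}[hive]
    out, i = {}, 0
    try:
        with winreg.OpenKey(root, path) as key:
            while True:  # EnumKey/EnumValue raise OSError past the last entry
                if subkeys:
                    out[winreg.EnumKey(key, i)] = ""  # one subkey per installed service
                else:
                    name, data, _ = winreg.EnumValue(key, i)
                    out[name] = str(data)
                i += 1
    except OSError:  # end of enumeration, or the key does not exist
        pass
    return out

def snapshot():
    """{location: {entry: data}} for each autostart location; {} when not on Windows."""
    if sys.platform != "win32":
        return {}
    snap = {h + "\\" + p: _reg_enum(h, p, subkeys=False) for h, p in RUN_KEYS}
    snap["services"] = _reg_enum(*SERVICES_KEY, subkeys=True)
    d = os.path.expandvars(STARTUP_DIR)
    if os.path.isdir(d):
        snap[d] = {f: "" for f in os.listdir(d)}
    return snap

def diff_snapshots(before, after):
    """Entries added, removed or changed per location; only locations that differ
    are reported, so {} means no persistent autostart entry changed."""
    report = {}
    for loc in sorted(set(before) | set(after)):
        b, a = before.get(loc, {}), after.get(loc, {})
        added = {k: a[k] for k in a.keys() - b.keys()}
        removed = {k: b[k] for k in b.keys() - a.keys()}
        changed = {k: (b[k], a[k]) for k in a.keys() & b.keys() if a[k] != b[k]}
        if added or removed or changed:
            report[loc] = {"added": added, "removed": removed, "changed": changed}
    return report
```

Call snapshot() before and after the install, save both (e.g. with json), and pass them to diff_snapshots(); as John T's answer notes, a program that injects into already running processes leaves all of these locations untouched, so an empty report is not a clean bill of health.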

Answers

4

It's not easy to deal with suspicious files; the first thing to advise is to use an alternative, secure source instead.

However if you want to test the file in a VM, here are some good tools:

All-In-One System Explorer:

Other useful tools:

But finally, the only way to be sure is to disassemble the software and understand the asm code, a very fastidious task. So return to the first advice...

fluxtendu


Reputation: 6 701

3

Monitoring processes alone is not enough. Malicious programs can attach themselves to running processes so you wouldn't notice a difference.

Maybe install an antivirus in the VM? Avira has a free version which should be up to the task. If you don't feel like installing anything, maybe an online scanner would be more suitable.

John T


Reputation: 149 037

I am worried that an antivirus won't recognize it as a virus. – None – 2010-02-14T09:41:00.530

AVs that use heuristics are generally better at this. They try to pick up on suspicious behavior rather than only using a virus database to compare against. I believe Avira uses heuristics. If you're really scared you can run such programs in a sandbox with Sandboxie ( http://www.sandboxie.com/ ).

– John T – 2010-02-14T09:49:57.687

@acidzombie24 If antivirus doesn't recognize it, why would you? – ceejayoz – 2010-02-14T19:33:27.460

@ceejayoz because he's smarter than a piece of software – fluxtendu – 2010-02-15T00:00:32.690

@fluxtendu And yet, brute forcing beats Garry Kasparov in chess. Same is true with viruses, generally - there are so many varieties, doing so many things, using so many sneaky techniques, that antivirus is likely to be far better at catching them. – ceejayoz – 2010-02-15T12:27:33.900

@ceejayoz well maybe the virus may see no harmful actions caused by the program but I wouldn't like to see it add itself as a service, which I think is suspicious or at least degrading my performance. -edit- I am using VirusTotal now to check first, which seems to be doing well. – None – 2010-02-15T13:09:43.197

@ceejayoz also virus checks are stupid sometimes. I had a bad virus which wasn't marked as a virus, which spawned processes as fast as I killed them and didn't allow me to remove it from the registry and did other crazy stuff. I wonder how on earth it WASN'T found. But I could easily see if it added itself to the registry or launched a process on startup. – None – 2010-02-15T13:11:46.003

@ceejayoz I know that antiviruses are essential tools to deal with viruses, but even the better ones aren't perfectly efficient. And my point is that someone computer-literate with good tools could find those that have got through. – fluxtendu – 2010-02-15T13:42:36.133

2

Post-detection is not really useful; a virus is likely to mess with your system immediately and you don't want to get to the point of having a rampant problem (excessively duplicating processes, stripped icons on .exe files, repeated system errors with no apparent reason, busy internet connection...).

The best security is prevention: avoid untrustworthy sources such as public peer-2-peer, free download hosts (rapidshare, etc.), direct blog links and e-mail attachments. Although some software search sites are legit, some are definitely not - if you find something interesting, seek the author's website and download from there instead!

Try sandbox software to run the application without the ability to make unwanted changes. A test VM with no write access to your main drives remains a reliable way to test something without having to mess with rights - you can really let it run wild.

Finally, a good old virus/spyware scan never hurts...

mtone


Reputation: 11 230

That's what I have been doing, except using VMware as my VM instead of Sandboxie. Right now there are apps I want to use on my main machine, so this question is to find out how I can check before moving. So you recommend just using an antivirus? I guess I'll get some and just scan them in my VM so my main system doesn't get slow. – None – 2010-02-14T14:12:51.283

1

How do I check if a program can potentially be a virus?

If you don't have any resident protection software installed, there are other methods to scan files, e.g. with A-squared's excellent Command Line Scanner, which is free (for personal use) and portable.

Also, many download sources do provide checksum or hash sum information so the integrity of a file can be verified.

Molly7244
