If you have to run infected/fishy windows app, how do you do it ?

[BravoV]

Just curious how do you run a "suspicious" Windows program in Windows OS, even you suspect its false positive by virus scanner ? But you need to run it, say even using non admin user privilege.

I'm not talking about pirated programs here, but official programs supplied by the equipment's manufacturers, say like the latest Dave's video on Riden RD6006 PSU that he skipped the supplied Windows program as it didn't passed virus scanners, or other example like the popular MiniPro TL866 Universal Programmer that is also questionable, even its downloaded from legit source and many other examples.

Understand that the safest path is having a fully air gaped PC, aka separate sacrificial physical machine that is solely for running these dirty programs, with disposable OS installation that can be refreshed from whole boot drive image restoration, but this is not always affordable for everybody, including me as I'm running out of working space at the bench.

While currently my practice is running inside virtualization, I'm on Win7 with VMWare with various disposable OSes like DOS,XP and 7s, but with the latest hacks recently (HERE), that the hacker can easily breach out into host OS starting to worry me.

Appreciate if you can share your current setup and workflow regarding this situation.

[AndyC_772]

Submitting any suspect code to VirusTotal isn't a bad start. Just because one virus scanner flags up a warning doesn't mean there's anything wrong with the code at all, and it would be a mistake to think of it as 'dodgy' because of a false positive.

[Mechatrommer]

You dont need a complete sacrificial pc for this, just a $20 ssd with its own OS inside will do the job stuck inside your main pc. Just switch sata cable or set in bios for boot drive. disable working drive and important data. But it will be pointless anyway if you dont know what to look about virus behaviour, or if you dont have enough 'soft' sensors to trigger malicious behaviour.

Av usually will trigger if later an allowed app creates another process/exe in another dir, or possibly terminate it if av recognizes it.

As on my side, i built an app to log every files in drives before running unknown app and then later look for what have been added and removed to decide if the app is behaving or not. Or simply... just run it.. if it destroys your system/os, just restore from your external backup, so it means you must made backup beforehand or occasionally so is advisable.

[RoGeorge]

Ideally, on a completely isolated machine.

If that is not possible, install VirtualBox or VMware Player, then create a virtual machine with a clean Windows install.  Don't forget to isolate the virtual machine before installing on it the suspected software.

[BravoV]

You dont need a complete sacrificial pc for this, just a $20 ssd with its own OS inside will do the job stuck inside your main pc. Just switch sata cable or set in bios for boot drive. disable working drive and important data. But it will be pointless anyway if you dont know what to look about virus behaviour, or if you dont have enough 'soft' sensors to trigger malicious behaviour.

Just don't want to juggle around cables or anything physical, its just cumbersome and also error prone, as you only need one mistake hooking up the dirty viral drive on boot up while forgetting to unplug/detach the main boot drive or any other clean drives.

[BravoV]

If that is not possible, install VirtualBox or VMware Player, then create a virtual machine with a clean Windows install.  Don't forget to isolate the virtual machine before installing on it the suspected software.

VMware already hacked, read my 1st post, there is a link, the client now can hack and pass thru the host OS.

Even VirtualBox is not publicly known can be hacked, with that new situation, I guess its just matter of time.

[Halcyon]

Run it in a VM. Once done, blow that VM away. It's simple, effective, and there are a bunch of free Type 1 and Type 2 hypervisors out there.

Keep them properly patched and the chances of a security risk are extremely remote, particularly if you have proper SIEM and monitoring in place.

[BravoV]

Run it in a VM. Once done, blow that VM away. It's simple, effective, and there are a bunch of free Type 1 and Type 2 hypervisors out there.

Guess we will have to live with that currently.

[AndyC_772]

I don't see how that solves the real problem, though.

Either:

a) the software you need to use really IS infected with malware - in which case I agree, you won't want it anywhere near your 'real' PC, and a VM may be your only option if the supplier of the equipment is so utterly careless that they refuse to clean up their code and provide software that's safe to use.

b) the software it perfectly OK, but a virus scanner flags up a false positive. This is quite innocent and common, and not an issue at all unless the virus scanner you happen to choose to use keeps trying to quarantine it. It's not a problem with the software itself, and there's no reason you should fear putting it on your main PC.

The challenge is to identify which situation you're in, and act accordingly.

[Nominal Animal]

I'll have someone else run it on their machine.

(I don't have Windows, and avoid even using Wine.)

[Halcyon]

I don't see how that solves the real problem, though.

Either:

a) the software you need to use really IS infected with malware - in which case I agree, you won't want it anywhere near your 'real' PC, and a VM may be your only option if the supplier of the equipment is so utterly careless that they refuse to clean up their code and provide software that's safe to use.

b) the software it perfectly OK, but a virus scanner flags up a false positive. This is quite innocent and common, and not an issue at all unless the virus scanner you happen to choose to use keeps trying to quarantine it. It's not a problem with the software itself, and there's no reason you should fear putting it on your main PC.

The challenge is to identify which situation you're in, and act accordingly.

I can think of a few times where I have needed to spin up a temporary machine at home to run questionable software.

Firstly, key generators (yes, those one from serials.ws and alike). If I need to generate a key or two I'll run the .EXE in an isolated VM and copy the keys into a text file for future use.

Secondly, questionable software which does a task I need it to do, but it also full of malware, adware etc... Youtube and other streaming video downloaders are common example. I use them to download the video I want, then scrap the OS when I'm done with it.

[james_s]

I use a VM for anything like that, when I'm done I can roll it back to the former state.

Yes there are a few hacks out there for VMs but it's quite rare, it's extremely unlikely that you'd ever just download some piece of software that would do that. If you are paranoid, run the Windows VM under a Linux host.

[NiHaoMike]

Secondly, questionable software which does a task I need it to do, but it also full of malware, adware etc... Youtube and other streaming video downloaders are common example. I use them to download the video I want, then scrap the OS when I'm done with it.

I just use youtube-dl for that.

I remember that Micah Elizabeth Scott, who used to work at VMware, is always paranoid about allowing untrusted software to access graphics acceleration (e.g. through the graphics acceleration feature of a VM, or WebGL) since it's incredibly complex and pretty much guaranteed to have security flaws. So do not enable graphics acceleration for the VM if you don't need it.

[Halcyon]

Secondly, questionable software which does a task I need it to do, but it also full of malware, adware etc... Youtube and other streaming video downloaders are common example. I use them to download the video I want, then scrap the OS when I'm done with it.

I just use youtube-dl for that.

Yeah I find it a little touch-and-go sometimes. Sometimes it just doesn't work.

[LeonR]

I use a VMware Workstation VM with a "clean"(all Windows updates and the basic stuff I use) snapshot. Whenever I want to test something weird I just disable shared features (network, clipboard, etc). After I do whatever I need to I just discard the current VM state, rolling back to the snapshot.

No random software will have a specially crafted payload that can pierce thru everything. And if someone wants to specifically infect you, they will do it, no matter how hard your security is.

[Nominal Animal]

I agree with LeonR above.

One cannot assume their tools work perfectly and not infected with malware.  We use backups to guard against tool failure, and various software to detect infections and malware.

Having a slower backup computer, say an old laptop, with say $30 SSD (120GB) and 4GB or more of RAM, to run a virtual machine you can roll back after experimentation, is just about perfect -- especially if you wipe the host OS every now and then; say, instead of upgrading the host OS, you wipe and install the new version from scratch.

For a single person having such a machine is probably overkill; accepting the small risk of malware burrowing through the supervisor from the VM to the host makes more sense.  However, if you happen to have one, with a valid Windows license, and you tell your friends and colleagues you have it for such purposes, and are happy to lend it (especially if one were to buy a cup of coffee or something as a thank-you), having such a tool starts to make sense.

Like I said, I don't have one, and I usually avoid even using Wine, but if I had the need, I do believe I have friends who have such machines, and might be willing to run the software for me.

[PA0PBZ]

Just to add this to the discussion: Although it is not an option in the program VMWare Player can be made non-persistent by modifying the .vmx file by adding the following: scsi0:0.mode = "independent-nonpersistent" assuming scsi0:0 is your drive.

[edavid]

There is also the now freeware program Sandboxie, which is intended for exactly this.  I guess the main difference from using a VM is that you don't have to install and secure a guest OS.

https://www.sandboxie.com/

https://en.wikipedia.org/wiki/Sandboxie

[Red Squirrel]

A separate PC running as a VM server is probably your best bet. The VM is optional, but having a separate air gapped network running VMs will let you test more stuff if you want, like see if it tries to infect another machine over the (separate, private) network etc.

If you make sure to use a fully updated VM hypervisor you're probably safe from VM escape exploits though, but if you want to be extra safe then a separate air gapped PC is best.