Security

Minimize risk when downloading from the Internet

Getting malware installed on a computer is easy enough without doing it intentionally. Here is one approach that reduces the risk when downloading from the Internet.

Several members asked me if there was any way to minimize risk when downloading unknown programs from the Internet, particularly programs that were associated with malware removal.

It's no big secret that these programs are written by people who understand malware intimately. It's also well known that malware scanners embed themselves deeply in the operating system. So one tends to get a bit creeped out at having to trust these particular developers and their products. The good news is that there are simple precautions that help minimize the risk. Here's what I do.

Check out the word on the street

I check the Internet buzz (not going to say the G-word) about the product in question. For example, I trust CNET's Download.com to give a good, detailed review of the application. Download.com also publishes editor and user ratings and the number of downloads to date for each program, which are all useful indicators of the program's worth.

Still, I must admit that I read reviews very conservatively. In my world, the review of Malwarebytes' Anti-Malware (MBAM) tells me only two things:

  1. A reviewer tried the application and it didn't break anything; otherwise it wouldn't be available for download (the site's reputation depends on it).
  2. According to the description, there's a chance that the application may fill my need.

If the initial investigation is positive, I'm ready to give the application a try. But first I set up as many safeguards as I can to prevent problems, especially a way to fall back to a known-good restore point on the computer I'm using.

Sandbox to be safe

To accomplish this I use Sandboxie, an application by Ronen Tzur. Its sole purpose is to isolate applications and prevent anything from leaking out of the sandbox into the main operating system. For more information, see Tom Olzak's well-written article "Use Free Sandboxing Software to Isolate Risky Behavior."

After installing Sandboxie, I start a Web browser (Firefox in my case) in a Sandboxie container. I then go to the appropriate Web site and download the program I want. Once the program is downloaded, I install it while still in the protected confines of the Sandboxie container. I then watch the program's behavior, looking for any sign that the program or the operating system is acting abnormally. A firewall's log of outbound connections is worth a look during this test too: a program that has no business phoning home yet tries to is a red flag.

If I'm comfortable with the application's behavior, I close Sandboxie and install the program on the computer for real. You may ask why not just keep running the program in Sandboxie? With many applications that's entirely possible. In this case, though, we're concerned with malware removal programs such as MBAM, and in my experience malware scanners don't work well sandboxed: a scanner needs the deep hooks into the real operating system that the sandbox exists to deny.

Final thoughts

That's the process I use to download and test unfamiliar programs, especially malware scanners. It sounds like a lot of extra work, but I would argue that it's significantly less work than rebuilding a computer that didn't react well to a program load.



24 comments
jeremial-21966916363912016372987921703527

I have a slightly different approach to sandboxing that works wonders for me. It cost me some in a second AV license, and a little time, but it has paid back in spades: I installed Sun's VirtualBox, an open-source virtual machine which I believe is getting very close to being on par with VMware (especially with the latest update that just came out).

I created a virtual machine(s) running the same as my host OS(es) and created a base image of nothing more than the OS and all necessary updates. I then delete all temp files, ensure only the applications I want are loaded on startup under MSCONFIG, defrag the virtual HDD, install the AV of my choice, and run a full system scan. Once this is complete, I take a snapshot of the machine in its current state (once the snapshot is taken, as a personal preference, I zip up the virtual machine files and copy them off to a different location).

Once the snapshot process is complete, I am then free to browse the Internet and download as I need. When downloading, I always install and run on the machine for several days, running AV scans at different intervals, to measure any adverse impact on my system. Then, if I am confident in the download, and it is something I feel I need on the host machine, I transfer the downloaded executable. If I run into an issue with the download, or from visiting any site, all I need to do is shut the machine off and revert to snapshot. 30 seconds later I am back on and ready to go.

I also do a lot of home-user setups, and if people are particularly worried about viruses and malware (as so many are with all the news coverage lately), I follow the same procedure. I then merely set a local policy on the machine to launch the application as soon as they log in, create a single shared folder to the physical hard drive, and set the machine to revert to snapshot every time they shut it down.

I like VirtualBox because I can actually disable the Internet on the host but still have it enabled on the VM, leaving a smaller attack front. Thus far, I have had great success with this technique, both personally and with customers.
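The snapshot-and-revert cycle described in the comment above, scripted against VirtualBox's VBoxManage command line. This is an added example, not the commenter's own setup: the VM name TestBox and the snapshot name clean-base are placeholders, and the VBOXMANAGE variable lets the script be pointed at a wrapper for a dry run.

```shell
#!/bin/sh
# Disposable test-VM workflow via VBoxManage (VirtualBox CLI).
# Assumed names: VM "TestBox", snapshot "clean-base". VBOXMANAGE may be set to
# a wrapper script or shell function to record the calls without a hypervisor.
VBOXMANAGE=${VBOXMANAGE:-VBoxManage}
VM=${VM:-TestBox}
SNAPSHOT=${SNAPSHOT:-clean-base}

# Record the known-good state once the VM is patched, cleaned and scanned.
take_clean_snapshot() {
    "$VBOXMANAGE" snapshot "$VM" take "$SNAPSHOT" --description "patched, scanned, clean"
}

# Boot the VM without a console window for a download/test session.
start_test_vm() {
    "$VBOXMANAGE" startvm "$VM" --type headless
}

# Discard everything since the snapshot. VBoxManage will not restore a
# snapshot of a running VM, so it must be powered off first.
revert_to_clean() {
    "$VBOXMANAGE" controlvm "$VM" poweroff &&
    "$VBOXMANAGE" snapshot "$VM" restore "$SNAPSHOT"
}

# One full cycle: start a session, then wipe whatever it did.
test_session_then_revert() {
    start_test_vm && revert_to_clean
}
```

Run take_clean_snapshot once after building the base image; from then on test_session_then_revert (or just revert_to_clean at shutdown) brings the machine back to that state. A hard poweroff is deliberate here: a suspect installer gets no chance to run shutdown hooks.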

WoW > Work

With a name like mine, who'da thunk I'd be asking about gaming. But here's a real thought. Would software like this work for things that use SecuROM? Perhaps if I used Spore, or Crysis, in a sandbox environment... would that be possible? *crosses fingers*

jdcox61

Do you have any suggestions for something like Sandboxie to use with Vista64? Sandboxie isn't compatible with 64-bit due to the PatchGuard Vista uses for its kernel on 64-bit machines? I'm paranoid about my new system since I've actually had a machine crash due to this in the past. Thanks

Chaz Chance#

...is a viable sandbox alternative. You let rogue s/w loose to do its worst, including interactions with other progs, without it ever harming anything you care about. But I like to use a firewall to see what programs are talking to the Internet. I am constantly surprised which programs find a need to communicate without telling/asking me. They seem to work just as well after being blocked.

rwbyshe

Does Sandboxie evaluate and/or work with the Microsoft updates to XP and/or Vista? Problem: a quadriplegic friend who uses Magic Cursor and Screen Door software. Everything worked well until a recent update of Vista. Now the two programs no longer work in concert, and the software manufacturer has recognized the problem but has not determined why the problem has arisen.

seanferd

Malware-infected WinRAR distributed through Google AdWords

StealthWiFi

Thanks for the tip on Sandboxie - I absolutely love the program. I had been looking for something similar for a while now!

seanferd

If possible, check the original author's or vendor's site to get a feel for the program's source, even if you find the download at a trusted download site. This might also give you a better idea of what the program features are, what kind of help you might expect with it, and whether or not it is really a free, fully functional, local-install program, etc., or whatever you are expecting in that department.

Michael Kassner

But another OS license and other ancillary licenses are required to be legal. Also, you have to decide up front how much RAM to allow, and the computer has to be pretty healthy as well. Sandboxie does the exact same thing without the heavy-duty requirements. I've been working with the developer of Sandboxie, and what he has been able to accomplish is really exciting. For example, you don't ever have to let a suspect application out of the sandbox. How cool is that?

Michael Kassner

I know precious little about the gaming side of IT. I'd suggest asking those questions on the Sandboxie forum. There are very knowledgeable members there and Ronen is around as well. http://www.sandboxie.com/phpbb/

Michael Kassner

That Comodo firewall may have some similar attributes. That's not for sure; still, it's one of the few applications that work with 64-bit.

Michael Kassner

Sandboxie isn't a VM, so it doesn't require allocating memory or additional operating system software.

Michael Kassner

Here is Ronen's response: "I'm not sure how to make the connection between the problem and the question. But if the commenter is asking if Sandboxie can be used to 'test drive' updates to Windows before committing to them, then the answer is probably not. First, updating Windows is a complicated task that may or may not work in the isolated sandbox. But even if it did, then it would not be really updating Windows; it would only be dropping some update files in the sandbox. To put it into more concrete terms, say there is an update to a Windows service. Those service-related files are updated in the sandbox, but the real service operating outside the sandbox is completely unaffected by that."

Michael Kassner

I can't answer that, but I'll check with the developer.

Michael Kassner

Two things: Is that our Balthor commenting on the Danco piece? Interesting article; I read all of his work. He really keeps on top of this sort of stuff. The Download.com web site was mimicking an old one, but I bet it still fooled people.

Michael Kassner

I pretty much run my browsers in Sandboxie at all times now. It's nice to be able to recoup from a mistake that easily.

Michael Kassner

Any application can affect a computer in a detrimental way, simply because of all the variables that come into play.

robo_dev

It seems that mostly Linux stuff does this, but the MD5 checksum will tell you if code has been tampered with.

Michael Kassner

I get concerned simply because the information on a vendor's site is not verified. I may be over the top in my concern, but I've been to sites that looked and sounded great, only to have been misled by the application the site offered.

rwbyshe

It simply made sense to me that Sandboxie wouldn't be able to "test drive" the Vista updates even before I posed the question, but it was worth asking in respect to the problem I'm encountering. The engineer at Mandentec told me that because of the various issues/problems with Vista and the ongoing updates, Vista has really given their customers major problems. I'm going to see if I can use nLite in an attempt to install XP on this HP laptop. According to Mandentec, even with updates, etc., XP gives them no headaches. Michael, thank you so much for your effort on this one, and please extend my thanks to Ronen also.

Michael Kassner

That all TPV applications had the checksum. It's not that difficult to do. Still, you have to trust the developer, which gets me back to my paradox. I've a friend that's as anal as I am about this. Especially since he deliberately looks for malicious sites that offer downloads that have malware onboard. He then reverse engineers the malcode to figure out what's going on.

linux for me

If the malware is part of the application and the checksum is then generated, there is no way to know if the download is infected or not. The only real guarantee the checksum presents is that the file was downloaded correctly.
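A worked version of the checksum point raised in the two comments above (robo_dev's, that a published checksum reveals tampering, and the reply's caveat that it only proves the bytes arrived as published). This is an added example, not code from the article or either commenter. It uses SHA-256 rather than MD5, assumes the coreutils sha256sum (falling back to shasum on macOS), and builds its own "installer" files for the demonstration.

```shell
#!/bin/sh
# Verify a downloaded file against a hash obtained from somewhere other than
# the download itself (vendor page over HTTPS, signed release note, a second
# mirror). A hash served next to the file by a compromised site proves nothing.
# SHA-256 is used here instead of MD5 (assumption for this example).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" 2>/dev/null | cut -d' ' -f1
    else
        shasum -a 256 "$1" 2>/dev/null | cut -d' ' -f1
    fi
}

# verify_download FILE EXPECTED_SHA256 -> exit 0 on match, 1 on mismatch or
# missing file. Published hashes vary in case, so compare lower-cased.
verify_download() {
    file=$1
    [ -f "$file" ] || return 1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file")
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Demonstration on constructed files, standing in for a real installer.
demo() {
    tmp=$(mktemp -d)
    printf 'installer bytes v1.0\n' > "$tmp/setup.exe"
    published=$(sha256_of "$tmp/setup.exe")   # what the vendor would publish

    verify_download "$tmp/setup.exe" "$published" && echo "intact copy: OK"

    # A download cut short by a flaky connection fails the check.
    head -c 10 "$tmp/setup.exe" > "$tmp/truncated.exe"
    verify_download "$tmp/truncated.exe" "$published" || echo "truncated copy: MISMATCH"

    # A copy modified after the hash was published fails the check.
    cp "$tmp/setup.exe" "$tmp/modified.exe"; printf '\220' >> "$tmp/modified.exe"
    verify_download "$tmp/modified.exe" "$published" || echo "modified copy: MISMATCH"

    # The caveat: if the malicious bytes were present when the hash was made,
    # the hash matches and the checksum tells you nothing about intent.
    bad_hash=$(sha256_of "$tmp/modified.exe")
    verify_download "$tmp/modified.exe" "$bad_hash" && echo "hash published for the bad file: OK (checksum cannot help here)"

    rm -rf "$tmp"
}

demo
```

The check is only as good as the channel the expected hash came from; fetch it from a different place than the binary, and prefer a vendor's signed release or PGP signature where one is offered.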

seanferd

It is just one more place to check. I find it easier to trust software from a site that has a lot of information, a long history, blogs, etc. For instance, the first time I ever came across grc.com. Of course, nothing is foolproof, and there are plenty of young people making handy little apps but with no previous exposure. I've also seen perfectly legitimate programs slammed by some people in forums as being some sort of malware or poorly written. It can be a total crapshoot, but I've never been bitten by something I've chosen to download. This, of course, does not mean it will never happen, and I keep that in mind. :)
