Home » Questions » Computers [ Ask a new question ]

How do I check if a program can potentially be a virus?

How do I check if a program can potentially be a virus?

I am running Windows XP in a VM. I want to download a few applications and install the one by one and check if they potentially can be a virus. I assume virus would need to add something to the startup folder, or the application in the startup section in the registry or add a service. What else might it do to become active?

Asked by: Guest | Views: 223
Total answers/comments: 2
bert [Entry]

"It's not easy to deal with suspicious files, the first thing to advise it's to rather use an alternative secure source.

However if you want to test the file in a VM, here are some good tools:

All-In-One System Explorer:

Inspect system: process, startup, services, ...

or Sysinternals Autoruns, ProcessExplorer, Process Monitor

Check files with Virus Total, Virus Jotti and it's own database

or Virus Total Uploader

Create snapshots to compare before/after disk and registry changes

or SpyMe Tools, WhatChanged

Other usefull tools:

Antivirus: according the latest av-comparatives pro-active (heuristic) tests, Microsoft Security Essentials (freeware) and Kaspersky (payware) are the best picks (Avira have a high detection rate too but also have a high false-alarm rate)
HIPS (Host-based Intrusion Prevention System): ThreatFire (or WinPatrol, MJ Registry Watcher)
Firewall: Comodo (or Online Armor)
Network connections inspectors: CurrPorts (or TCPView)
Rootkit scanner: Gmer (or RootkitRevealer less powerfull, but easyer to use)
Online, behaviour analysis: Anubis (or CWSandlox, ThreatExpert, Norman Sandbox)
File checksums (google the most commons: MD5, SHA-1): HashCalc
Svchost analyzer

But finally, the only way to be sure is to disassemble the software and understand the asm code, a very fastidious task. So return to the first advice..."
bert [Entry]

"Post-detection is not really useful; a virus is likely to mess with your system immediately and you don't want to get to that point of having a rampant problem (excessively duplicating processes, stripped icons on .exe files, repeated system errors with no apparant reason, busy internet connection ....)

The best security is prevention: avoid untrustworthy sources such as public peer-2-peer, free download hosts (rapidshare, etc.), direct blog links and e-mail attachments. Although some software search sites are legit, some are definitely not - if you find something interesting, seek the author's website and download from there instead!

Try a sandbox software to run the application without the ability to do unwanted changes. A test VM with no write access to your main drives remains a reliable way to test something without having to mess with rights - you can really let it in the wild.

Finally, a good old virus/spyware scan never hurts..."