Q&A: What do you do with an unknown publisher?

mkoundo

OK, so you'd like to try out a new program and SmartScreen gives you a warning that the publisher is unknown.

What steps do you take to minimise risk of infection or do you simply not run this program?

 

The_King

Also look at the date the app was released. It's advisable not to run programs you don't trust for at least 7 days or more from the published date.
I think the reason behind this is that sites like VT should have been updated by then if these files are 0-day malware, etc.
 

Freki123

I'd rather wait a few days, and I wouldn't run it in Sandboxie on my production system (and I really like Sandboxie).
I lack the knowledge to make sure; just because there is no "I encrypted U" message in Sandboxie doesn't mean it's safe...
 

struppigel

These are very good suggestions. Automatic sandbox systems like any.run and hybrid-analysis are only useful if you can interpret them, though. I wouldn't take their overall results for granted. They are better understood as hints that a file might be interesting to be analysed, e.g., by a malware analyst.

VirusTotal is a bit easier. Check the detection rate as well as the first submission date in the Details tab on VirusTotal. The first submission date cannot be faked. Make sure it is a few weeks old. If it isn't, wait until it is.
If you have a few detections on the file, you can send it to AV vendors so they may check it.

You can also post the VirusTotal link here for us to check it.
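As an added example that is not part of the thread, the following Python routine applies the two checks above (first submission date at least a few weeks old, no engine flagging the file) to a VirusTotal report. It assumes the JSON shape of a VirusTotal API v3 file object (data.attributes.first_submission_date and last_analysis_stats); the sample report, its dates and the 21-day threshold are constructed for illustration.

```python
import hashlib
import json

SECONDS_PER_DAY = 86400


def make_report(first_submission_date, stats):
    """Build JSON in the shape of a VirusTotal API v3 file object
    (data.attributes.first_submission_date, data.attributes.last_analysis_stats)."""
    return json.dumps({"data": {"type": "file", "attributes": {
        "first_submission_date": first_submission_date,
        "last_analysis_stats": stats}}})


# Constructed sample report: first seen 2021-08-26 UTC, two engines flag it.
SAMPLE_REPORT = make_report(1630000000, {
    "malicious": 2, "suspicious": 0, "undetected": 60,
    "harmless": 0, "timeout": 0, "type-unsupported": 8})


def sha256_of_file(path):
    """Hash the file locally so it can be looked up on VT by hash
    instead of uploading it (avoids sharing a possibly private file)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def assess_report(report_json, now_epoch, min_age_days=21):
    """Apply the two checks from the thread: the first submission date
    (which cannot be backdated) must be at least min_age_days old, and no
    engine may flag the file. Returns (verdict, list_of_reasons)."""
    attrs = json.loads(report_json)["data"]["attributes"]
    stats = attrs["last_analysis_stats"]
    reasons = []
    age_days = (now_epoch - attrs["first_submission_date"]) // SECONDS_PER_DAY
    if age_days < min_age_days:
        reasons.append(f"first submitted only {age_days} day(s) ago; wait")
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    if flagged:
        reasons.append(f"{flagged} engine(s) flag the file; send it to AV vendors")
    # Engines that timed out or do not support the type gave no verdict at all.
    with_verdict = flagged + stats.get("undetected", 0) + stats.get("harmless", 0)
    if with_verdict == 0:
        reasons.append("no engine produced a verdict; treat as unknown")
    verdict = "hold" if reasons else "passes-these-checks"
    return verdict, reasons
```

A clean result only means the file passed these two checks; it is not proof the file is safe.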
 

Moonhorse

If the file has no signature on it, re-check the download site you got the file from.

Then I drop the file on VirusTotal as mentioned above, and rate it as legit, so if I do re-install I can see my own 'signature' on VT.

It has happened to me like two times in past years, with my new mouse drivers (Xtrfy M4) and with the LMT antimalware, which has a signature nowadays though.
 

LASER_oneXM

There is also a useful tool that makes it easier to upload (multiple) files at once to VirusTotal. I was using it some years ago...

Winja Virus Total uploader from Phrozensoft (wilderssecurity.com)


Also available at majorgeeks.com:

homepage/download at www.phrozen.io
 

plat

Sometimes, I use the Jotti portable scanner for unknown .exe files. This is handy if you don't want to open a browser. There are some interesting possibilities here: Falcon Sandbox, Winja, etc.

I recall when I ran VoodooShield some years ago, there was Cuckoo Sandbox. Anyone ever try that one? Last updated 2019, though, and it seems a little heavy-duty. I wonder why @danb discontinued it, or did he (in VS)?

 

LASER_oneXM

Here you can find several links to malware/rescue/(online) scanner resources:

___EDIT___

This also might be interesting:
 

Nevi

No matter what I download from the internet, whether SmartScreen has raised a red flag or not, I scan it with Hitman Pro. It's a habit I have got into through the years. It has proven to be a good habit. But the VT app The_King has looks like an even better solution.
 

LASER_oneXM

^^ AFAIK the VT Uploader (post #08) was abandoned by 'virustotal.com' years ago:

source: https://support.virustotal.com/hc/en-us/articles/115002179065-Desktop-Apps
Windows Uploader (Not maintained)

DISCONTINUED SUPPORT for Windows uploader:

As of 2017 we are discontinuing any updates to the official Windows uploader (please see the VirusTotalUploader for an alternative, 3rd-party open source uploader).

It's a simple Microsoft Windows Desktop application that makes the interaction with VirusTotal as easy as a right-click. No technical background is required. Download the App here and get started straight away.

Sending files to VirusTotal

With the VirusTotal Uploader this task is easy. After you have downloaded and installed the uploader, just right-click on the file you wish to upload and select the VirusTotal option from the Send To context menu:





You may also run the VirusTotal Uploader (by clicking on its desktop shortcut icon, for example) and click on the Select file(s) and upload button:




I've been using this tool too on all my systems. 'virustotal.com' is also officially offering links to 3rd-party tools/uploaders:

 

The_King

^^ AFAIK the VT Uploader (post #08) was abandoned by 'virustotal.com' years ago:
Oh, you are not wrong. But that is because they want you to pay for API requests after a limit in the new tool. ;)
I have had the old version installed, and it has worked flawlessly for years as well. It doesn't require any official support from them to work, or an API key.

You just right-click and send to VT, and that's it. There is no security issue from using the old tool.

I was also fully aware that it was abandoned, yet it still works, as I use it regularly. (y)

The officially supported version needs an API key to work. The old version does not.
 

LASER_oneXM

^^ ...I've been using it too... ...but after the end of support I immediately dropped this tool and 'replaced' it with the 3rd-party uploader 'WinJa'.
I dropped the VT uploader years ago because of possible bugs... ...and yes, also because of possible security risks.
...I'm always trying to run the latest version/release of a software product.


You can also use the official browser plug-ins to directly scan/send files and links to 'virustotal.com' from within Firefox/Chrome/IE:

source: https://support.virustotal.com/hc/en-us/articles/115002700745-Browser-Extensions
Browser Extensions

Imagine you log into your Gmail account and find a suspicious email from your bank. The email informs you about an unauthorized access to your account and asks you to follow a link and provide your credentials to view the account access log. Wouldn't it be great if you could simply right-click on the link and check it against VirusTotal in order to understand whether it is legit or report a phishing site? Wouldn't it be great if you could do this just with that right-click, without having to navigate to VirusTotal and refer to the URL tab? This is what VirusTotal's browser extensions allow you to do.


source: VT4Browsers – Get this Extension for 🦊 Firefox (en-US)

VT4Browsers by VirusTotal Team

Experimental
Scan your downloads with VirusTotal before storing them, free and easy. More information at: https://support.virustotal.com/hc/en-us/articles/115002700745-Browser-Extensions. Contribute your domain name resolutions to the security community.