
is it safe to test a file in virtual OS


4 replies to this topic

#1 seraphin

seraphin

  • Members
  • 128 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:37 AM

Posted 31 December 2014 - 12:03 AM

Is it possible to test whether an executable file is safe by opening/running the file under a virtual OS ?

Microsoft virtualization technology seems to allow a virtual Windows OS to run under another Windows OS (I am currently running a Win7). I would like to open an .exe but have no idea how it may wreck my Win7, so am thinking of running it under a virtual OS to "test" the file.

Is it feasible? Any risk? Any sharing will be greatly appreciated.



#2 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • OFFLINE
  • Gender:Female
  • Location:The Netherlands
  • Local time:08:37 AM

Posted 31 December 2014 - 03:36 AM

Is it possible to test whether an executable file is safe by opening/running the file under a virtual OS ?
Microsoft virtualization technology seems to allow a virtual Windows OS to run under another Windows OS (I am currently running a Win7). I would like to open an .exe but have no idea how it may wreck my Win7, so am thinking of running it under a virtual OS to "test" the file.
Is it feasible? Any risk? Any sharing will be greatly appreciated.


It is possible, but be careful.

If you need a virtual environment, you can use Oracle VMware VirtualBox.

#3 NickAu

NickAu

    Bleepin' Fish Doctor


  • Moderator
  • 13,845 posts
  • ONLINE
  • Gender:Male
  • Location:127.0.0.1 Australia
  • Local time:06:37 PM

Posted 31 December 2014 - 04:44 AM

Hi seraphin

I have no opinion on if it's safe to run or not.

First thing I would do is scan the file at VirusTotal.

Maybe you can share the result with us.



#4 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,753 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:37 AM

Posted 31 December 2014 - 06:13 AM

No.

It is possible to test if an executable is unsafe in a virtual OS, but it is not possible to test if an executable is safe in a virtual OS.

The reason is that there is a lot of malware that detects that it is running in a virtual OS, and then it will change its behavior: it will not behave maliciously. But when you run it on a real OS, it will behave maliciously.

So if you run a file in a virtual OS and you don't see anything weird, that does not mean it is safe.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.


Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#5 seraphin

seraphin
  • Topic Starter

  • Members
  • 128 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:37 AM

Posted 31 December 2014 - 08:31 AM

VirusTotal reports it to be safe (detection ratio 0/56, evil scale: neutral). Below is the detailed info of the file.

The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Developer metadata
Copyright
Setup Engine Copyright © 2001 - 2004 Indigo Rose Corporation
Product Setup Factory 6.0 Runtime
Original name setup.exe
Internal name suf60_setup
File version 6.0.1.4
Description Setup Application
Comments Created with Setup Factory 6.0
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2004-02-11 22:10:02
Link date 11:10 PM 2/11/2004
Entry Point 0x00002919
Number of sections 4
PE sections
Name    Virtual address  Virtual size  Raw size  Entropy  MD5
.text   4096             19973         20480     6.54     7709ecf86bb7a19a1dbcb72909249625
.rdata  24576            3468          4096      4.76     333a9a0f3878ae1dd7859bb725d33448
.data   28672            16064         16384     1.89     b7636277a3c8b838492a43f7889f77e5
.rsrc   45056            38552         40960     2.85     b0440ace515c59fbdd1695aa44f9c9d6
PE imports
Number of PE resources by type
RT_BITMAP 1
RT_STRING 1
RT_VERSION 1
RT_GROUP_ICON 1
RT_ICON 1
Number of PE resources by language
ENGLISH US 5
ExifTool file metadata
CodeSize: 20480
SubsystemVersion: 4.0
Comments: Created with Setup Factory 6.0
LinkerVersion: 6.0
ImageVersion: 0.0
FileSubtype: 0
FileVersionNumber: 6.0.1.4
LanguageCode: English (U.S.)
FileFlagsMask: 0x003f
FileDescription: Setup Application
CharacterSet: Windows, Latin1
InitializedDataSize: 61440
FileOS: Windows NT 32-bit
MIMEType: application/octet-stream
LegalCopyright: Setup Engine Copyright 2001 - 2004 Indigo Rose Corporation
FileVersion: 6.0.1.4
TimeStamp: 2004:02:11 23:10:02+01:00
FileType: Win32 EXE
PEType: PE32
InternalName: suf60_setup
FileAccessDate: 2014:12:31 05:35:22+01:00
ProductVersion: 6.0.1.4
UninitializedDataSize: 0
OSVersion: 4.0
FileCreateDate: 2014:12:31 05:35:22+01:00
OriginalFilename: setup.exe
Subsystem: Windows GUI
MachineType: Intel 386 or later, and compatibles
LegalTrademarks: Setup Factory is a trademark of Indigo Rose Corporation.
ProductName: Setup Factory 6.0 Runtime
ProductVersionNumber: 6.0.1.4
EntryPoint: 0x2919
ObjectFileType: Executable application

File identification
MD5 ae981bce1f7bced9a5c81f2223a32c62
SHA1 208304ab4f87de65e68b8e22a79ae54236b6e026
SHA256 61c14052fed36aee15ae2e16b84e3632ca27b9ecfee540b71074a55bf8bcb51f
ssdeep 196608:+VN6oXoBdALj5+4kzaSxYs6+PlUb7o41f+gNi2a:+VN6Na5+RaSxYsrmXo8f3Nra
authentihash b3ba3e064f8f77a1574f8e22a1ff6635ae053802b396337edd3df674cd1e31f1
imphash b59ba52c650904098282ea913d2b8d01
File size 7.9 MB ( 8274261 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Executable MS Visual C++ (generic) (67.3%)
Win32 Dynamic Link Library (generic) (14.2%)
Win32 Executable (generic) (9.7%)
Generic Win/DOS Executable (4.3%)
DOS Executable Generic (4.3%)
Tags
peexe
VirusTotal metadata
First submission 2014-12-31 04:11:25 UTC ( 38 minutes ago )
Last submission 2014-12-31 04:33:08 UTC ( 16 minutes ago )
File names setup.exe
suf60_setup
Mosbys Review Questions for the NBCE Examination Parts One and Two (2006) [Mosby].exe
file-7864861_exe
Advanced heuristic and reputation engines
ClamAV PUA
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: http://www.clamav.net/doc/pua.html .
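Static triage complements what Didier describes: the figures VirusTotal shows per PE section above (virtual address, sizes, entropy, MD5) can be computed without ever running the file. The following is an added example, not code from this thread or from VirusTotal: a standard-library Python parser of the PE section table that reproduces those columns and flags high-entropy sections, run on a constructed minimal PE32 image; the 7.0 bits-per-byte threshold for "possibly packed or encrypted" is an assumed heuristic, not a rule from the report.

```python
import hashlib, math, struct
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def pe_sections(pe: bytes) -> list:
    """Walk the PE section table and report, per section, the fields VirusTotal lists above."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]          # file offset of "PE\0\0"
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                        # 20-byte COFF file header
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size                               # first 40-byte section header
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        raw = pe[rawptr:rawptr + rawsize]                      # bytes as stored on disk
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize,
            "entropy": round(shannon_entropy(raw), 2),
            "md5": hashlib.md5(raw).hexdigest(),
        })
    return sections

def suspicious_sections(sections: list, threshold: float = 7.0) -> list:
    """Names of sections whose entropy suggests packed or encrypted content (assumed heuristic)."""
    return [s["name"] for s in sections if s["entropy"] >= threshold]

def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image with two sections for the demo; it is not a runnable program."""
    text = bytes(range(256)) * 2                  # every byte value twice -> entropy 8.0
    data = b"\0" * 512                            # constant bytes -> entropy 0.0
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt = b"\0" * 96                              # optional header; its contents are irrelevant here
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x102)   # i386, 2 sections
    body = e_lfanew + 4 + 20 + len(opt) + 40 * 2  # file offset where raw section data begins
    s1 = struct.pack("<8sIIII", b".text", len(text), 0x1000, len(text), body) + b"\0" * 16
    s2 = struct.pack("<8sIIII", b".data", len(data), 0x2000, len(data), body + len(text)) + b"\0" * 16
    return dos + b"PE\0\0" + coff + opt + s1 + s2 + text + data
```

Pointing `pe_sections` at the bytes of a real setup.exe reproduces the section table in the report; a section at or above the threshold is a reason for closer inspection, not proof of malice, just as a clean VM run is not proof of safety.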




