Author Topic: Software Request  (Read 853 times)

0 Members and 1 Guest are viewing this topic.

October 09, 2020, 01:38:56 pm

Kevin Wakefield

  • Newbie

  • Offline
  • *

  • 3
  • Reputation:
    0
    • View Profile
« Last Edit: October 12, 2020, 05:48:03 am by Kevin Wakefield »

Reply #1October 09, 2020, 01:51:59 pm

Reply #2October 09, 2020, 04:40:08 pm

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2547
  • Reputation:
    91
    • View Profile
Re: Software Request
« Reply #2 on: October 09, 2020, 04:40:08 pm »
Hi,

Welcome to Adlice.com Forum and thanks for supporting our product.
Thanks for your suggestions. We will review these software and get back to you as soon as possible.

Regards.

Reply #3November 13, 2020, 09:47:31 pm

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2547
  • Reputation:
    91
    • View Profile
Re: Software Request
« Reply #3 on: November 13, 2020, 09:47:31 pm »
Hi Kevin,

Sorry for the delay.

CPUID HWMonitor,  TreeSize Free, OBS Studio, OneDrive, AutoIt and 1Password are now supported.
It was not possible to add the others you requested because there was either no changelog available or it wasn't possible to install them without user interaction.

Regards.

Reply #4December 26, 2020, 05:20:18 am

hstein

  • Newbie

  • Offline
  • *

  • 1
  • Reputation:
    0
    • View Profile
Re: Software Request
« Reply #4 on: December 26, 2020, 05:20:18 am »
I am new here and am getting ready to evaluate Aldice Diag Technician and am looking around on these blogs and I see that you ("Kevin") have made requests to include certain programs in what I believe he means to be a white-list.  I wonder how you the global moderator goes about honoring these requests because I happen to disagree with some of your suggestions.  For example, CPUID, used by many apps is considered by "some" experts to be problematic in certain undisclosed ways which I won't disclose why here.  It's my opinion.  These types of services/drivers are used by many applications that display temperatures and other sensor information however I have reasons not to trust them.

And certainly anything from iobit in my opinion. Thoroughly Google and research it.  I don't care if AOL resells it and I don't care if Virustotal says it shows up 0 out of 70.  I have  compelling reasons to advise against it here.   It's MY OPINION AND MY OPINION ONLY.  However, if i see it whitelisted here with Aldice Diag I would lose some respect for it.  I think Kevin might need to bring along his own whitelist by configuring exceptions for the folders where these things live if he thinks they are safe.  As the documentation here states, this is ill-advised.

Kevin,  I am happy to mentor you with my personal opinions off-line.  There are many executables that people think are safe that you will never find in a corporate environment and I believe I just named a couple.  Tools like MSI Afterburner are developed by people who are not necessarily security literate so it's not expected they understand the consequences of integrating with certain 3rd party cpu sensor drivers/services.  They just throw something together to make gamers happy and gamers don't care if their systems are compromised because they have little of value (documents, etc.) and are in the mode of factory resets and bios re-flashes to start all over many times.

Something like TreeSize Free by jam-software is more difficult because it is so irresistibly useful and popular.  That means bad guys will be trying to infiltrate it and modify the source code to force a release that has 100% undetectable malware, like the Solarwinds DLL.  I would only suggest it be run in a sandbox or some other approach be taken -- or just accept the risk and manage it because you know you are heading towards a complete system reset anyway so use it to collect information.  If Aldice Diag Tech does a very good job with statically analyzing like Reverselabs.com does, then we would know if TreeSize Free was infiltrated in that something suspicious would show up in it.  But it's not clear yet, to me, how Diag Technician constructs it's database of YARA rules.  They might have a joint relationship with MalwareBytes who I am sure does a very good job with YARA rules (rules to detect patterns of suspicious or bad properties in an .EXE/.DLL etc.) but noone knows how complete it is compared to CrowdStrike (hybrid-analysis), VirusTotal, etc.

Even Aldice Diag Technician is interesting risk management.  We trust the developers to take precautions to guard their source code but their is no formal policy stating how they do it so infiltration is possible and hopefully we would know about it if it happened.  It also used 3rd party open source libraries (JANSSON, OpenSSL, LibSSH2, LibCURL, LibYara, LibZip) and it is well known and well understood that bad guys know how to blend in to 3rd party library open source and inject changes which are approved and disguise their malware/backdoors, etc.  Again, at some point it comes down to risk management and what is acceptable risk.

Just my own opinion.  I will say this: I have been studying the Aldice site for a few days and I am very impressed with its transparency and am hoping it becomes a tool I can add to my DFIR process to see what it can tell me.  I will be throwing it against previously infected systems I cleaned up to see what, if anything, I missed in it's opinion :- ).  I expect it will be a very good and certainly affordable addition to my process however questions remain.

Harry
« Last Edit: December 26, 2020, 05:37:26 pm by hstein »

Reply #5December 28, 2020, 03:56:06 pm

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2547
  • Reputation:
    91
    • View Profile
Re: Software Request
« Reply #5 on: December 28, 2020, 03:56:06 pm »
Hi Harry,

Thanks for your feedback.
Let my answer your questions point-by-point.
Quote
I am new here and am getting ready to evaluate Aldice Diag Technician and am looking around on these blogs and I see that you ("Kevin") have made requests to include certain programs in what I believe he means to be a white-list
It was not a whitelist request, it was a request to include them in Adlice UCheck database so then can be updated automatically.
For more information, see UCheck: Software list.

Quote
For example, CPUID, used by many apps is considered by "some" experts to be problematic in certain undisclosed ways which I won't disclose why here.
You probably thing about the CVE-2017-15302 vulnerability, present in older version. If we exclude all software that had thich sort of vulnerability in the past (exploitable kernel-mode driver), that's many. However, please keep in mind that such mean of exploitation is restricted since Windows 10 1803.
Additionally, we plan to add detection of documented vulnerable driver in RogueKiller in the future.

Quote
And certainly anything from iobit in my opinion.
This is our team opinion, too. No product from Iobit will be included in UCheck.

Quote
That means bad guys will be trying to infiltrate it and modify the source code to force a release that has 100% undetectable malware, like the Solarwinds DL
Yes, this is indeed a possibility.
That's why we encourage software developpers to publish their products along with their respective hashes (GPG signing would be the best, but most users do not know how to use it).

Quote
But it's not clear yet, to me, how Diag Technician constructs it's database of YARA rules.
YARA rules will not help here, since we can assume that the malware writer took care to make it blend with the regular PE. However, Diag will probably detect it using its heuristic layers (usually MalPE).

Quote
They might have a joint relationship with MalwareBytes who I am sure does a very good job with YARA rules (rules to detect patterns of suspicious or bad properties in an .EXE/.DLL etc.) but noone knows how complete it is compared to CrowdStrike (hybrid-analysis), VirusTotal, etc.
Adlice products and MalwareBytes products do not share the same source code at all. They are completely different products.
Suspicious pattern are detected using the MalPE module (heuristic using AI).

Quote
We trust the developers to take precautions to guard their source code but their is no formal policy stating how they do it so infiltration is possible and hopefully we would know about it if it happened
.Access to our source code requires 2FA tokens and since we are a small team, any change not make by us will be obvious (git).

Quote
It also used 3rd party open source libraries (JANSSON, OpenSSL, LibSSH2, LibCURL, LibYara, LibZip) and it is well known and well understood that bad guys know how to blend in to 3rd party library open source and inject changes which are approved and disguise their malware/backdoors, etc.  Again, at some point it comes down to risk management and what is acceptable risk.
When pulling from their repos, we conduct basic code analysis as we cannot review all changes. As you said, it all comes down to what is acceptable risk.

Quote
Just my own opinion.  I will say this: I have been studying the Aldice site for a few days and I am very impressed with its transparency and am hoping it becomes a tool I can add to my DFIR process to see what it can tell me.  I will be throwing it against previously infected systems I cleaned up to see what, if anything, I missed in it's opinion :- ).  I expect it will be a very good and certainly affordable addition to my process however questions remain.
Again, thanks for your feedback.
If you have any questions left, please don't hesiatate to open a new thead.

Regards.