UCheck / Re: Software Request
« on: December 26, 2020, 05:20:18 AM »
I am new here and am getting ready to evaluate Aldice Diag Technician, and while looking around these boards I see that you ("Kevin") have made requests to include certain programs in what I believe is meant to be a white-list. I wonder how you, the global moderator, go about honoring these requests, because I happen to disagree with some of your suggestions. For example, CPUID, used by many apps, is considered by "some" experts to be problematic in certain undisclosed ways which I won't go into here. It's my opinion. These types of services/drivers are used by many applications that display temperatures and other sensor information; however, I have reasons not to trust them.
And certainly anything from IObit, in my opinion. Thoroughly Google and research it. I don't care if AOL resells it and I don't care if VirusTotal says it shows up 0 out of 70. I have compelling reasons to advise against it here. It's MY OPINION AND MY OPINION ONLY. However, if I see it whitelisted here with Aldice Diag I would lose some respect for it. I think Kevin might need to bring along his own whitelist by configuring exceptions for the folders where these things live, if he thinks they are safe. As the documentation here states, this is ill-advised.
Kevin, I am happy to mentor you with my personal opinions off-line. There are many executables that people think are safe that you will never find in a corporate environment, and I believe I just named a couple. Tools like MSI Afterburner are developed by people who are not necessarily security literate, so it's not expected that they understand the consequences of integrating with certain third-party CPU sensor drivers/services. They just throw something together to make gamers happy, and gamers don't care if their systems are compromised because they have little of value (documents, etc.) and are in the mode of factory resets and BIOS re-flashes to start all over, many times.
Something like TreeSize Free by jam-software is more difficult because it is so irresistibly useful and popular. That means bad guys will be trying to infiltrate it and modify the source code to force a release that has 100% undetectable malware, like the SolarWinds DLL. I would only suggest it be run in a sandbox or that some other approach be taken -- or just accept the risk and manage it, because you know you are heading towards a complete system reset anyway, so use it to collect information. If Aldice Diag Tech does a very good job with static analysis like Reverselabs.com does, then we would know if TreeSize Free was infiltrated, in that something suspicious would show up in it. But it's not clear yet, to me, how Diag Technician constructs its database of YARA rules. They might have a joint relationship with Malwarebytes, who I am sure does a very good job with YARA rules (rules to detect patterns of suspicious or bad properties in an .EXE/.DLL, etc.), but no one knows how complete it is compared to CrowdStrike (hybrid-analysis), VirusTotal, etc.
Even Aldice Diag Technician is interesting risk management. We trust the developers to take precautions to guard their source code, but there is no formal policy stating how they do it, so infiltration is possible and hopefully we would know about it if it happened. It also uses third-party open source libraries (JANSSON, OpenSSL, LibSSH2, LibCURL, LibYara, LibZip), and it is well known and well understood that bad guys know how to blend into third-party open source libraries and inject changes which are approved and disguise their malware/backdoors, etc. Again, at some point it comes down to risk management and what is acceptable risk.
Just my own opinion. I will say this: I have been studying the Aldice site for a few days and I am very impressed with its transparency, and am hoping it becomes a tool I can add to my DFIR process to see what it can tell me. I will be throwing it against previously infected systems I cleaned up to see what, if anything, I missed in its opinion :- ). I expect it will be a very good and certainly affordable addition to my process; however, questions remain.
Harry
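The post describes YARA rules only in passing ("rules to detect patterns of suspicious or bad properties in an .EXE/.DLL"). The following is an added example, not part of Harry's post and not code from UCheck, Diag Technician, Malwarebytes or any other product named above: a small Python model of how such a rule is evaluated. It keeps the YARA shape (named text and hex strings, a condition combining a header check with "N of" the strings) without the YARA engine itself, so it runs offline. The rule contents, the identifiers and the two sample byte blobs are constructed for illustration and describe no real software.

```python
"""
Minimal YARA-style matcher (added example, not the project's code).

Models three YARA ideas: text strings, hex byte patterns with '??' wildcards,
and a condition such as  uint16(0) == 0x5A4D and 2 of ($a, $b, $c) .
The rule and the sample blobs below are constructed and hypothetical.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Set


@dataclass
class Rule:
    name: str
    strings: Dict[str, "re.Pattern[bytes]"]        # "$ident" -> compiled pattern
    condition: Callable[[bytes, Set[str]], bool]   # (sample, matched idents) -> bool


def hex_pattern(spec: str) -> "re.Pattern[bytes]":
    """Compile a YARA-like hex string ("4D 5A ?? ?? 50 45") to a bytes regex.
    '??' matches any single byte; DOTALL keeps '.' matching 0x0A too."""
    parts = spec.split()
    body = b"".join(b"." if p == "??" else re.escape(bytes([int(p, 16)])) for p in parts)
    return re.compile(body, re.DOTALL)


def text_pattern(s: str, nocase: bool = False) -> "re.Pattern[bytes]":
    """Compile a literal text string (YARA 'nocase' maps to IGNORECASE)."""
    return re.compile(re.escape(s.encode()), re.IGNORECASE if nocase else 0)


def u16(sample: bytes, off: int) -> int:
    """YARA's uint16(off): little-endian 16-bit read, -1 if out of range."""
    return int.from_bytes(sample[off:off + 2], "little") if len(sample) >= off + 2 else -1


def scan(sample: bytes, rules: List[Rule]) -> Dict[str, List[str]]:
    """Evaluate every rule; return {rule name: sorted matched string idents}
    for the rules whose condition holds (an empty dict means no detection)."""
    hits: Dict[str, List[str]] = {}
    for rule in rules:
        matched = {ident for ident, rx in rule.strings.items() if rx.search(sample)}
        if rule.condition(sample, matched):
            hits[rule.name] = sorted(matched)
    return hits


# Hypothetical rule: a PE that carries two or more process-injection,
# anti-debug or C2-looking artefacts. YARA equivalent of the condition:
#   uint16(0) == 0x5A4D and $pe and 2 of ($inject, $thread, $dbg, $c2)
SUSPICIOUS_IDENTS = {"$inject", "$thread", "$dbg", "$c2"}
RULES = [
    Rule(
        name="pe_with_suspicious_capabilities",
        strings={
            "$pe": hex_pattern("50 45 00 00"),                 # "PE\0\0" signature
            "$inject": text_pattern("WriteProcessMemory"),
            "$thread": text_pattern("CreateRemoteThread"),
            "$dbg": text_pattern("IsDebuggerPresent"),
            "$c2": re.compile(rb"https?://[a-z0-9.-]+/[a-z0-9/_-]+\.php", re.IGNORECASE),
        },
        condition=lambda s, m: u16(s, 0) == 0x5A4D
        and "$pe" in m
        and len(m & SUSPICIOUS_IDENTS) >= 2,
    ),
]

# Constructed samples (not real binaries): an MZ stub, a PE signature, then
# strings of the kind an import table or embedded config would contain.
BENIGN = b"MZ" + b"\x90" * 62 + b"PE\0\0" + b"\0" * 20 + b"FindFirstFileW\0GetFileSizeEx\0"
SUSPICIOUS = (b"MZ" + b"\x90" * 62 + b"PE\0\0" + b"\0" * 20
              + b"WriteProcessMemory\0CreateRemoteThread\0http://example.invalid/gate.php\0")
NOT_PE = b"WriteProcessMemory CreateRemoteThread"   # same strings, no MZ/PE header


if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("suspicious", SUSPICIOUS), ("not_pe", NOT_PE)):
        print(label, scan(blob, RULES))
```

The point the model makes is the one the post worries about: a rule only finds what its author thought to encode, so a rule set's coverage (how many such rules it has, and how current they are) decides what a scanner can say about a tampered build, and a sample that carries the same strings outside a PE, or a PE whose strings are obfuscated, produces no hit.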