Hi Harry,
Thanks for your feedback.
Let me answer your questions point-by-point.
I am new here and am getting ready to evaluate Adlice Diag Technician and am looking around on these blogs and I see that you ("Kevin") have made requests to include certain programs in what I believe he means to be a white-list
It was not a whitelist request, it was a request to include them in the Adlice UCheck database so they can be updated automatically.
For more information, see UCheck: Software list.
For example, CPUID, used by many apps is considered by "some" experts to be problematic in certain undisclosed ways which I won't disclose why here.
You are probably thinking about the CVE-2017-15302 vulnerability, present in older versions. If we exclude all software that had this sort of vulnerability in the past (exploitable kernel-mode driver), that's many. However, please keep in mind that such a means of exploitation is restricted since Windows 10 1803.
Additionally, we plan to add detection of documented vulnerable drivers in RogueKiller in the future.
And certainly anything from iobit in my opinion.
This is our team opinion, too. No product from Iobit will be included in UCheck.
That means bad guys will be trying to infiltrate it and modify the source code to force a release that has 100% undetectable malware, like the Solarwinds DL
Yes, this is indeed a possibility.
That's why we encourage software developers to publish their products along with their respective hashes (GPG signing would be the best, but most users do not know how to use it).
But it's not clear yet, to me, how Diag Technician constructs its database of YARA rules.
YARA rules will not help here, since we can assume that the malware writer took care to make it blend with the regular PE. However, Diag will probably detect it using its heuristic layers (usually MalPE).
They might have a joint relationship with MalwareBytes who I am sure does a very good job with YARA rules (rules to detect patterns of suspicious or bad properties in an .EXE/.DLL etc.) but no one knows how complete it is compared to CrowdStrike (hybrid-analysis), VirusTotal, etc.
Adlice products and MalwareBytes products do not share the same source code at all. They are completely different products.
Suspicious patterns are detected using the MalPE module (heuristic using AI).
We trust the developers to take precautions to guard their source code but there is no formal policy stating how they do it so infiltration is possible and hopefully we would know about it if it happened.
Access to our source code requires 2FA tokens and since we are a small team, any change not made by us will be obvious (git).
It also uses 3rd party open source libraries (JANSSON, OpenSSL, LibSSH2, LibCURL, LibYara, LibZip) and it is well known and well understood that bad guys know how to blend into 3rd party open source libraries and inject changes which are approved and disguise their malware/backdoors, etc. Again, at some point it comes down to risk management and what is acceptable risk.
When pulling from their repos, we conduct basic code analysis as we cannot review all changes. As you said, it all comes down to what is acceptable risk.
Just my own opinion. I will say this: I have been studying the Adlice site for a few days and I am very impressed with its transparency and am hoping it becomes a tool I can add to my DFIR process to see what it can tell me. I will be throwing it against previously infected systems I cleaned up to see what, if anything, I missed in its opinion :- ). I expect it will be a very good and certainly affordable addition to my process however questions remain.
Again, thanks for your feedback.
If you have any questions left, please don't hesitate to open a new thread.
Regards.
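The reply above recommends that developers publish hashes alongside their releases so users can check for tampering. As an added example (not code from the thread, from Adlice or from UCheck), here is a small Python verifier for a sha256sum-style manifest; the manifest format, file names and file contents are constructed assumptions, since the thread does not say how any vendor publishes its hashes.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed sample release; "tool.exe" is a fake byte string, not a real PE.
RELEASE_FILES = {
    "tool.exe": b"MZ\x90\x00 constructed sample binary for the example",
    "readme.txt": b"constructed readme\n",
}

def sha256_file(path, chunk=1 << 16):
    """Stream the file so large installers do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def parse_manifest(text):
    """Parse sha256sum-style lines ('<hex>  <name>') into {name: hexdigest}."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        name = name.lstrip("*")  # sha256sum prefixes '*' for binary mode
        if len(digest) != 64 or not name:
            raise ValueError("malformed manifest line: %r" % line)
        expected[name] = digest.lower()
    return expected

def verify_release(directory, manifest_text):
    """Return {name: 'ok' | 'mismatch' | 'missing'} for every manifest entry."""
    results = {}
    for name, digest in parse_manifest(manifest_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        # compare_digest avoids a timing side channel on the comparison
        ok = hmac.compare_digest(sha256_file(path), digest)
        results[name] = "ok" if ok else "mismatch"
    return results

def demo():
    """Write the sample release, verify it, then verify after one byte is appended."""
    with tempfile.TemporaryDirectory() as d:
        for name, data in RELEASE_FILES.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        manifest = "\n".join("%s  %s" % (sha256_file(os.path.join(d, n)), n)
                             for n in RELEASE_FILES)
        clean = verify_release(d, manifest)
        with open(os.path.join(d, "tool.exe"), "ab") as f:
            f.write(b"\x00")  # simulate a modified download
        return clean, verify_release(d, manifest)
```

The manifest itself must come over a trusted channel (or carry a GPG signature, as the reply notes); a hash file served next to a tampered download proves nothing.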