Mini-guide - Using freeware securely

webfork
Posts: 10818
Joined: Wed Apr 11, 2007 8:06 pm
Location: US, Texas

Mini-guide - Using freeware securely

#1 Post by webfork »

In an attempt to address concerns around using freeware without fear, this post has cataloged some best practices around using software from the Internet. While TPFC makes an effort to find and maintain stable and secure tools, we are a site made up of volunteers and cannot hope to catch every issue.

This post is a work in progress.

Recommendations
(Wear a helmet when you download)

1. Download from good sources

Whenever possible you want to download software from reputable sites that try to maintain a database of tested and verified software. Getting software direct from the developer or download hosting services like Softpedia and Snapfiles is generally safe.

However, it is possible to get software from anyone or anywhere with a test via the VirusTotal service ...


2. Check VirusTotal

Almost every program on the internet has some kind of reputation on VirusTotal (aka VT). The service represents a meta-score for applications by various anti-virus companies. A perfect score is 0/?, where ? is the current number of virus engines (currently 70 at this writing).

Question: What if the file size is very large? I don't want to upload that entire file.

To save time and bandwidth, you can get a "hash" or file fingerprint using a program like 7zip and use the Search tab to view the file reputation:


Screenshot: 7zip right-click menu

SHA-256 Value

Pasted SHA-256 into VirusTotal Search tab


Question: How do I evaluate the score? What if it's not 0/70?

There are a variety of reasons that the program can be perfectly safe but not have a perfect score (for example: Ultimate++ has a score of 1/70). Generally speaking, newer applications will have either a poor or unclear reputation because they haven't been through the kind of intense scrutiny that older software has achieved.

Some programs never escape this status fully just because anti-virus companies behind this analysis are in the business of keeping out unknowns and ongoing, deep software analysis is expensive and time-consuming.

Question: What if the program has no reputation at all ("No Matches Found")?

If you don't know the author, you should either wait to see if it develops a reputation (maybe you were one of the first people to download the program) or just delete it.


3. Block Internet access

If you have a program on your computer that doesn't need Internet access, it's more secure to block access entirely. For example, a calculator program doesn't require Internet while Firefox does. Two programs:
  • SimpleWall - a firewall application that can be configured to prompt the user to allow or block all new connections.
  • Firewall App Blocker (FAB) - an easy manager for Windows' own firewall that lets you block multiple applications at once. NOTE: make sure to block software on both inbound and outbound tabs.

4. Launch with reduced permissions

In the same folder as the program you wish to run, create a text file and save the following text, replacing programname.exe with the executable name (e.g. vlc.exe) (thanks lautrepay)

runas /trustlevel:0x20000 "programname.exe"

In testing, this function will sometimes not actually launch the program. If this fails, it doesn't mean there's necessarily a security problem, just that the program requires standard / admin level permissions to function.

5. Maintain anti-virus software

For reasons that are unclear even within the software community, the best anti-virus options change every year. We recommend researching current reviews, but Windows' default "Defender" option has historically been an effective deterrent.

---

Other options

* Run the program inside a sandbox

The term "sandbox" comes from a variety of real-world tests that use real sand as a buffer. In software, it's just a virtual separation between the computer -- when a program misbehaves, the operating system just ignores the request.

Windows comes with its own simple and easy-to-use sandbox program in Windows 10, but the excellent and mature freeware Sandboxie Plus is also available. Many commercial sandbox tools are also available that include more controls.

While it's possible to run problematic or insecure software in these environments, good security is made up of more than one shield, so it's recommended that the steps above are followed and the sandbox treated as yet another barrier.


* Run the program inside of a virtual machine

There are dozens of programs and tools, but a great free option is VirtualBox with snapshots feature enabled. This can allow reversal of the system to an earlier state after using a program. More on VirtualBox.


Questions

What if an application is signed? Does it mean it's safe?

Signatures just mean you can verify where a source originated from, not whether or not the program is safe or will do exactly what you expect (e.g. adware, spyware, etc.). You can read more about software signatures and verification in this ghacks article.


What if I get it from Windows Store?

Although Windows Store software does go through some level of analysis before posting, we don't recommend Windows Store for multiple reasons, mostly the fact that it hurts open source developers.
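
The hash-then-search routine from section 2 of the guide, written out as an added example that is not part of the original post. It goes one step beyond the Search tab by reading the same score from a VirusTotal API v3 file report; the function names and the sample response are constructed for illustration.

```python
import hashlib
import json


def sha256_of_file(path, chunk_size=1024 * 1024):
    """Hash in 1 MiB chunks so a very large download is never fully in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def report_url(sha256_hex):
    """Browser address of the report, equivalent to pasting the hash into Search."""
    return "https://www.virustotal.com/gui/file/" + sha256_hex.lower()


def summarize(status_code, body):
    """Reduce an API v3 /files/<hash> response to the guide's 'detections/engines'."""
    if status_code == 404:
        return "No matches found"  # no reputation yet: wait or delete, per the guide
    stats = json.loads(body)["data"]["attributes"]["last_analysis_stats"]
    # Assumption of this example: engines that timed out, failed or do not
    # support the file type are left out of the total.
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    clean = stats.get("undetected", 0) + stats.get("harmless", 0)
    return f"{flagged}/{flagged + clean}"


# Constructed sample response, trimmed to the one field used above.
SAMPLE_BODY = json.dumps({"data": {"attributes": {"last_analysis_stats": {
    "malicious": 1, "suspicious": 0, "undetected": 69, "harmless": 0,
    "timeout": 2, "failure": 0, "type-unsupported": 4}}}})

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(report_url(sha256_of_file(sys.argv[1])))
    print(summarize(200, SAMPLE_BODY))  # 1/70
    print(summarize(404, ""))
```

Run it with a file path as the only argument to print the report address for that file; only the hash leaves the machine, never the file itself.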



Re: Mini-guide - Using freeware securely

#2 Post by webfork »

As mentioned in #3 above "block internet connections," this is something that came up recently with the log4js vulnerability issue.

This vulnerability affects programs going back 10+ years. As such, I'd encourage anyone using Java programs to update to the latest version of a program and -- if one is not available -- to block network connections by that software. The word from people in the know here is that just updating to the latest version of Java may not be enough.

Although I don't have insights on whether or not they're vulnerable, I still use DocFetcher, muCommander, and XMind (almost everything on our Java category list) and several other programs.

I like FAB for handling this.

Albert90
Posts: 20
Joined: Mon Dec 06, 2021 11:54 am

Re: Mini-guide - Using freeware securely

#3 Post by Albert90 »

Great guide! As someone new to the world of freeware, I definitely did not know about VirusTotal. That's super useful!


Re: Mini-guide - Using freeware securely

#4 Post by webfork »

Albert90 wrote: Wed Dec 15, 2021 6:06 am Great guide! As someone new to the world of freeware, I definitely did not know about VirusTotal. That's super useful!
Thanks -- we've had a lot of back-and-forth over the years about how to tackle the broader issues in security, especially around false positives. We're very lucky the VirusTotal database is available.
