How would you programmatically test a file for viruses? [closed] - windows

Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 3 years ago.
Improve this question
I want to programmatically test a file for viruses.
I'm aware of this thread, which didn't get a satisfactory answer in my opinion, but I'm not looking for an API here. Any kind of workaround to make it possible to test a file would be fine.
Of course, an API would probably be the best solution (I'm using .net on a Windows platform), but maybe it's possible to drop the file in the folder, and to then check whether I can still open it or if it's been quarantined by the antivirus software.
Has someone run into the same sort of situation?

Assuming you wish to integrate with whatever antivirus is already present on the system rather than bundling your own, you should check out the way Firefox 3 does this.
Bugs 103487
and 408153
- Inform anti-virus software when Firefox downloads an executable (using
the Windows "IOfficeAntiVirus" and
"IAttachmentExecute" APIs).
(of course if you wish to bundle your own, check out ClamAV/ClamWin, but then you must deal with updates, etc, and you should probably first check there is not a fully updated solution on the target system for politeness)

Windows? No problem. Check out ClamWin. It is based on ClamAV.

Platform?
Most Windows anti-virus provide shell integration (right click on a file in explorer to scan that file), which will either mean running an executable, DDE or COM. All of which provide an entry point to another program to call the same mechanism.

Check out ClamAV.
Clam AntiVirus is an open source (GPL) anti-virus toolkit for UNIX, designed especially for e-mail scanning on mail gateways.

Maybe you could use this web service, assuming the file is less than 1MB:
http://www.kaspersky.com/scanforvirus
If you discover a suspicious file on
your machine, or suspect that a
program you downloaded from the
Internet might be malicious, you can
check the files here.
Indicate the file to be checked; it
will automatically be uploaded from
your computer to a dedicated server,
where it will be scanned using
Kaspersky Anti-Virus. Multiple
independent tests and publications
acknowledge the solution to have
exceptional detection rates. Updates
every three hours ensure that even the
very newest viruses can be detected.
Only one file of up to 1 MB can be
checked at any one time. If the file
is too large, a window with an error
message will be displayed. Type the
name of the file in the window at the
top of this page, or find the file
using 'Browse'. Then click on
'Submit'.

You can use a Debugger or a Disassembler

It really depends on which AV program you're going to use. Read the documentation for whatever solution you choose and you'll probably find a command-line interface or some other API you can call. There's no "generic" way of doing this (across AVs).

Related

How to detect unnecessary Windows\Installer file [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 6 years ago.
Improve this question
i have search a lot to find out How to detect unnecessary Windows\Installer file !
I am sure lot of you have faced this issue previously and solve it somehow.
Now when i look at my ---
C:\Windows\Installer
directory on Windows Server 2008 R2 i can see it took already 42 GB out if total 126 GB.
Now what i would like to know can i just delete all the files from that Installer directory or i have to detect which file can be removed !
Do anyone knows any solution for this issue !
How do you define unnecessary?
Specialized system case: You want the minimum footprint and are willing to sacrifice functionality that you don't expect to use.
If all is well, each the files in C:\Windows\Installer are a local cache of an installed Windows Installer package, patch, transform, etc. They are necessary for uninstallation, auto-repair or on-demand installation to succeed. If you will never need any of those things on these machines (i.e. if you are bringing them up on demand as VMs, and would rebuild them rather than uninstall something), then unless the app itself invokes Windows Installer APIs itself, it may be relatively safe to remove files from C:\Windows\Installer. In addition, you could call the Windows Installer API MsiSourceListEnum to find other caches of files that are used for these same purposes. It may be similarly safe (or unsafe) to remove those files.
More usual case: You'd rather not rebuild the system
If you suspect there are unreferenced files in that folder left over from prior upgrades or uninstallations, you can try to use Windows Intstaller API calls to verify this. At a very low level, you can call MsiEnumProducts (or possibly MsiEnumProductsEx) to find the product codes of all installed products, and MsiGetProductInfo/Ex(szProduct, INSTALLPROPERTY_LOCALPACKAGE, ...) to find its cached .msi file and INSTALLPROPERTY_TRANSFORMS for a list of its transforms. Then MsiEnumPatches/Ex to find all patch codes and MsiGetPatchInfo/Ex (again with INSTALLPROPERTY_LOCALPACKAGE and/or INSTALLPROPERTY_TRANSFORMS) to list the .msp and .mst files it references. In theory, the full set of all files referenced here should match up with the full set of files in C:\Windows\Installer. (Or there are more references to look for...)
(Before you write anything to do this, consider that there are probably apps out there that automate this, or are even smarter about it, such as the one referenced in another answer.)
You could not delete them all.
There is a good answer about your problem, I test in my lab. It works for me.
Notes: If possible, you had better copy this folder to anther disk (such as E:)

How does Firefox Version 3 invoke the anti-virus feature on Windows to scan a download?

Another question on StackOverflow is asking how this is done, but the general question of how Firefox manages this is even more useful, and would answer that question also.
Without reading all the source code to firefox (I haven't time) - is anyone familiar enough with Firefox V3's ability to invoke a scan on any downloaded EXE file to know how it works?
I would think any anti-virus program with active protection would hook into windows and be run automatically. Does firefox detect these hooks and bring them up by creating a windows folder and moving the file after it is downloaded from a temporary filename, to a new file name with .exe in the name, thus triggering the automatic protection? Or do they do something else?
(This is a programming question in that I want to know how to write this in general, and this would answer the above question, but also be a good piece of knowledge to add to the knowledgebase-that-is-stackoverflow.)
Also, any programmatic SDKs and APIs that commercial anti-virus programs provide for end-user application integration, I would like to know about. Especially MS Forefront, MS Security Essentials, Norton, or any other major players.
OESIS from opswat appears to provide this as a commercial SDK/application, which is a surprise when it probably should be a Windows API, given that what we're doing here is in the public good of all humans who have to use windows.] - actually it is - it is built into the windows shell. See the first link in this question for more resources.
I did a quick search through the Mozilla code base and found these source files:
./toolkit/components/downloads/src/nsDownloadScanner.cpp
./toolkit/components/downloads/src/nsDownloadScanner.h
A comment close to the top may have your answer:
Download scanner attempts to make use
of one of two different virus scanning
interfaces available on Windows -
IOfficeAntiVirus (Windows 95/NT 4 and
IE 5) and IAttachmentExecute (XPSP2
and up). The latter interface
supports calling IOfficeAntiVirus
internally, while also adding support
for XPSP2+ ADS forks which define
security related prompting on
downloaded content.

What tool can I use to extract resources from a VB6 application? [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 7 years ago.
Improve this question
One of my clients has an application that was written for them using VB6. They no longer have the original resources that were given to the developer. The developer has disappeared off the face of the earth. My challenge is to extract the resources from the executable and rebuild the application, adding new material to it.
I've tried using Resource Hacker, but that only finds the icon. The exe is over 26MB, I can't see that the only resource embedded is the icon.
Edit: I do not to retrieve the source code from this. Decompiling is not the objective. I merely want the embedded media resources so that I can utilise them in the application which I am rewriting from scratch. Please do not confuse the word "resources" with "source code".
Is there a way to extract just the resources?
A vanilla VB6 exe has 'Icon', 'Icon Group' & 'Version Info' resources that should be visible in resource hacker, as should any resources added via the VB6 resource tool or VS's RC.EXE.
Its a fat EXE so perhaps the author packed it? There are utilities that will try to determince what packer (if any) was used.
I think you meant to get the source code back from exe file (compiled with VB6). It's almost impossible if the program is compiled in native code, but it's easier if the program is compiled in P-Code. You can try VB Decompiler and find a reverse-engineer to manually convert some of the readable Assembly code to VB6 code. But, i suggest you just find the source code of the program from the programmer, it's cheaper than decompiling.
Try vbreformer. It will recover parts of the sourcecode along with events hooked to buttons and so fourth, and from native code. I know you don't want this, but it's part of the more complete application. It will recover the vb6 menu resources too. It's limited, but it's more than you'll get with a normal resource editor. There is also a trial version available.
http://strategoxt.org/Transform/VisualBasicDecompilers
Take a look at the tools from the above link and see if any of them are able to extract enough for you.
hth
Perhaps they are the only windows
resources the application has.
Visual Studio has a resource
editor(I've checked VS2008.net, and
it has one)
You might want to try a
different resource editor
http://www.wilsonc.demon.co.uk/d10resourceeditor.htm

Where does an application store "I'm deactivated" on Windows? [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 7 years ago.
Improve this question
Applications often have registration keys.
It can arguably be placed in a file or in the registry.
Sometimes, an application is deactivated by entry of another key,
or the passing of a date, etc. Where can one safely
store such information about an application be deactivated?
A file isn't the answer; a backup copy can be restored to
defeat this. The registry is a weak answer, only because
most people don't know its there, and don't think to restore it,
and if they do they restore the whole thing which usually
has other discouraging side effects.
It seems to me that storing deactivation information is
hopelessly unsafe, as old copies can always be restored.
At best one can hide this data by obfuscation under
cryptically named files or registry keys.
Is there a standard trick I don't know, or a standard
scheme supported by Windows, that helps with this problem?
Round 2: I've seen a number of answers. None of them
specifically say "you can't do this" but several imply
that phoning home is the only good choice (for "deactivation").
Let's assume phoning home and dongles are NOT the answer,
and one has to leave something on the machine. What do
typical licensing schemes actually do in this case?
In contrast to the IPhone and other closed environments on an open platform like windows/linux you always run a very high risk that the protection is easily circumventable (local serial protection) or will be cracked by reversing and patching your code. Virtually every modern single player game has this problem. Additionally it is very hard to find a solution that does not annoy the user too much. We all remember the Sony-CD-Rootkit disaster and in the game industry its the always the newest DVD-protection that doesn't work on all drives the way its supposed to. But what can you do? You can try the usual serial, call-home option and ban certain serials in newer updates (Adobe, FlashFXP, Windows). If you have a very low consumer base, this probably is enough for you. If - for whatever reason - that is not an option, what about an USB-Dongle that is needed to use your software. Heard of quite some CAD-programs using this. One last thing you can look into, what about watermarking your application? If it shows up on certain p2p networks you will maybe be able to see where the leak is. Basically nothing will give you a 100% guarantee, but there are options to make it more difficult for the average user... Please keep in mind that most of your money should be spend on creating a great product not in buying mostly useless protection!
Create and sign a license file on a server. If you use public key cryptography, the license file can't be faked easily. Your application can be of course cracked to not need the license, but that's a different thing.
Here is a short but pretty good overview of different options.
http://www.developer-resource.com/how-to-protect-software.htm
Ya,you could encrypt things,that's what they do!.Check the net for various licensing schemes.Even microsoft has one...Microsoft Software Licensing and Protection
You can use the Microsoft Cryptographic API to develop you code.Plus obscure you assemblies or dlls.Force user activation.
All protection schemes are vulnerable to some type of attack. Encryption of information does help prevent attacks because the information is stored in an obfuscated way, but even this isn't unbreakable.
Another possible option is to store the actual activation state information remotely and leave a reference to this information on the machine, possibly encrypted. There are many ways to do this but one that comes to mind is to store a GUID of some kind that you could then look up in your database
One downfall of this is the requirement of an internet connection, I don't know if that is prohibitive or not but the general idea is to remove the activation state from a machine you don't control and put it on one that you do

Suggestions for porting linux application to windows [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 7 years ago.
Improve this question
I'd like to port an application written under linux to windows. Currently I'm using Cygwin but I'm curious if there are any other options that don't force me to release my source since I'm not in the position to do so right now. Are there any other options short of having to completely re-write it or buying a license?
MinGW doesn't have as many licensing restrictions as Cygwin, but it might require more effort to get your code to run under it.
Please give us more information about your application. Simple commandline utility? Uses KDE libraries? Uses linux kernel extensions? etc etc. For internal use only? For use on corporate desktops? For use by end-users? These all will change our suggestions.
I'll also suggest using MinGW.
The basic process of porting:
Install MinGW and MSYS
Run your Makefile.
Likely you'll get an error, fix it (either by changing code or by commenting it out)
Recompile via Makefile.
Repeat 2-4 until you compile with no errors.
Then test your application, and track down any bugs you might have introduced.
I am by no means an expert. Saying that, if you're not going to release your application, I believe you can use it with GPL'd stuff internally. It is only when you started distributing your binaries that you are bound by the GPL to release your source along with the binary, or by user request. E.g. a company could modify some GPL'd source code, and use it internally so long as they don't distribute the code or application outside of the company.
So it depends on what you plan to do with your app.
You might be able to use cygwin for now just to get it to a working point, and then gradually replace pieces of the app with native windows code until you've completely de-cygwin'd it.
I know that's probably not what you're looking form, but I thought I'd throw that out there. They should have a couple law/licensing classes shoved into CS degrees these days.
There is also a commercial license for Cygwin.
http://www.redhat.com/services/custom/cygwin/

Resources