File changes: what constitutes a high-risk file change. If you have been following along with parts 1 and 1.1, what we have at this point is a list of file changes: every file modified, deleted, or added by installing a piece of software. As before, we obtained this list by running InstallWatch.
First, let's look at some guidance from the source itself, Microsoft. The Windows Logo program is a Microsoft certification that essentially says the software follows good programming guidelines and is compatible with the Microsoft Windows operating system. This document is the specification for the XP logo program (if you are looking for the Vista one, it's here). These are the requirements from the logo document that apply:
2.1 Do not attempt to replace files that are protected by Windows File Protection (.sys, .dll, .exe, .ocx OS files)
2.3 Do not overwrite non-proprietary files with older versions
2.5 Install to Program Files by default
3.1 Default to the correct location for storing user-created data
3.2 Classify and store application data correctly
From these requirements, two general rules can be developed:
- All files written to the Program Files folder are considered okay
- Review the files written everywhere else
Applying just these two rules reduces the list from a couple of hundred changes to about 10 to 20 that actually need review. Again, I use Excel to filter down the results.
The Excel sheet lists every folder under Program Files where file changes were made. That lets us check quickly that the program is only writing into its own folder and not into another program's folder.
The second list (usually short, about 10 to 20 entries) holds every file and path modified, created, or deleted outside the Program Files folder. Pay particular attention to changes made to the Windows directory (Windows, System32, and so on). For these I use Google to look up the .dll and .ocx files that are installed, in order to determine what function they provide. I have come across software that installs hundreds of files to the System32 folder; I then go back to the people requesting the software and ask them to find something else, as this software does not follow good programming practices and is a risk to the secure system.
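The two rules above can be applied mechanically rather than by hand in Excel. The script below is an added example and not the post's own spreadsheet or anything from InstallWatch: it assumes a tab-separated export of the form Action<TAB>Path (an assumption; adapt parse_report() to the column layout your InstallWatch report actually produces), groups Program Files writes by top-level folder so writes into another program's folder stand out, and ranks everything outside Program Files with Windows-directory changes to WFP file types first. The sample report is constructed for illustration.

```python
"""Triage an InstallWatch-style file-change list into the two review buckets.

Added example, not the post's Excel sheet. It assumes a tab-separated export
of the form  Action<TAB>Path  (assumption: adapt parse_report() to whatever
column layout your InstallWatch report actually uses).
"""
import ntpath
from collections import defaultdict

# Extensions of OS files covered by Windows File Protection (logo requirement 2.1).
WFP_EXTENSIONS = {".sys", ".dll", ".exe", ".ocx"}

# Lower-cased path prefixes for the two rules (Windows XP default locations).
PROGRAM_FILES = "c:\\program files\\"
WINDOWS_DIR = "c:\\windows\\"

# Constructed sample export, not a real InstallWatch log.
SAMPLE_REPORT = """\
Added\tC:\\Program Files\\FooApp\\FooApp.exe
Added\tC:\\Program Files\\FooApp\\lib\\helper.dll
Modified\tC:\\Program Files\\Common Files\\OtherVendor\\shared.dll
Added\tC:\\WINDOWS\\system32\\foovid.ocx
Modified\tC:\\WINDOWS\\system32\\msvcrt.dll
Added\tC:\\WINDOWS\\fooapp.ini
Added\tC:\\Documents and Settings\\All Users\\Application Data\\FooApp\\settings.xml
Deleted\tC:\\Documents and Settings\\user\\Local Settings\\Temp\\setup.tmp
"""


def parse_report(text):
    """Return a list of (action, path) tuples; action is lower-cased."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        action, path = line.split("\t", 1)
        entries.append((action.strip().lower(), path.strip()))
    return entries


def program_files_folders(entries, product_folder):
    """Rule 1: group Program Files writes by top-level folder.

    Returns (all_folders, foreign_folders); foreign_folders are the ones that
    are not the product's own folder, i.e. the program is writing into another
    program's directory and that needs a look.
    """
    folders = defaultdict(list)
    for action, path in entries:
        low = path.lower()
        if low.startswith(PROGRAM_FILES):
            top = low[len(PROGRAM_FILES):].split("\\", 1)[0]
            folders[top].append((action, path))
    foreign = {f: v for f, v in folders.items() if f != product_folder.lower()}
    return dict(folders), foreign


def outside_program_files(entries):
    """Rule 2: every change outside Program Files, riskiest first.

    Windows-directory changes to WFP file types rank highest: a Modified or
    Deleted entry means an OS file was replaced or removed (requirements
    2.1 / 2.3); an Added binary in the Windows tree is one to look up.
    """
    review = []
    for action, path in entries:
        low = path.lower()
        if low.startswith(PROGRAM_FILES):
            continue
        in_windows = low.startswith(WINDOWS_DIR)
        wfp_type = ntpath.splitext(low)[1] in WFP_EXTENSIONS
        if in_windows and wfp_type and action in ("modified", "deleted"):
            risk, reason = "high", "OS file type replaced or removed under Windows"
        elif in_windows and wfp_type:
            risk, reason = "high", "new binary in the Windows tree: look up what it provides"
        elif in_windows:
            risk, reason = "medium", "non-binary change under Windows"
        else:
            risk, reason = "low", "user or application data outside Program Files"
        review.append({"action": action, "path": path, "risk": risk, "reason": reason})
    rank = {"high": 0, "medium": 1, "low": 2}
    review.sort(key=lambda e: rank[e["risk"]])  # stable sort keeps report order within a tier
    return review


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    folders, foreign = program_files_folders(found, "FooApp")
    print("Program Files folders touched:", sorted(folders))
    print("Writes into other programs' folders:", sorted(foreign))
    for item in outside_program_files(found):
        print(f"[{item['risk']:6}] {item['action']:8} {item['path']}  ({item['reason']})")
```

On the constructed sample this yields one foreign Program Files folder (Common Files) and five changes outside Program Files, the two System32 binaries ranked highest. The risk tiers are only a sort order for the manual review the post describes, not a verdict: the new .ocx still has to be looked up, and the overwritten msvcrt.dll is exactly the kind of change requirement 2.1 forbids.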
You should have anti-virus software on your computer; it should alert you if any of the installed files are known to be malicious. Remember, the point of this exercise is not to determine whether the software is malicious, but to get a general idea of how the software operates and whether it changes the security of our secure system. We are performing a quick risk assessment of a piece of software against our secure system.
A book that covers this subject is Professional Windows Desktop and Server Hardening by Roger A. Grimes. It discusses malicious files, and the book's website offers downloadable files; the one to look at is the MasterTable file.
Another test that should be performed is to see whether the software can run as a limited user under Windows XP. Log into the computer as a limited user and run the program to see whether it runs without errors. If a program cannot run without administrator privileges, consider that a risk to the system: for a secure system, all users on the network should be logging in as standard users.
Software Assessment 1.2
Posted by ecore at 7:27 PM, Saturday, December 29, 2007
Labels: computer security, software assessment, windows file system