1

I'm considering use of a scanner driver I see on a website. I don't know the site or the owner so I'll be paranoid and assume that this Windows 10 exe is malicious. I can run the code in a throwaway VM. What I'd really like to know is if there's code in the driver that might try to access my network. Monitoring the network while running the driver code is not good enough. That code might be benign for some period of time and then become malicious. So, I'm wondering if there is some tool that can read (disassemble) Windows 10 exe code and identify any code that tries to access the network.

Sol
  • 113
  • 3
  • 2
    Given the fact that it's a scanner, chances are large that it's gonna contain legitimate functions connecting to the network. (Like Network FTP or WebDav Scanning, WSUS, UPNP,...).

    It's best to get your drivers from the vendors. Chances are if you're installing an unsigned driver on a 64-bit Windows, that SecureBoot is going to block it by default anyways...

    – Nomad Aug 17 '18 at 13:56
  • The vendor doesn't support Windows 10. It's either buy a new expensive scanner (this is not a cheap home scanner) or consider an unknown driver. – Sol Aug 17 '18 at 14:01
  • My 2 cents, get a new scanner. If you install rootkits by accident it's gonna cost you a lot more than a new scanner. – Nomad Aug 17 '18 at 14:08

1 Answer

2

You could always set up a firewall rule.

  • Open Windows Firewall, and select ADVANCED SETTINGS
  • Right-click on OUTBOUND RULE, select NEW RULE.
  • Select PROGRAM
  • Enter the full path to the exe under THIS PROGRAM PATH
  • BLOCK THE CONNECTION
  • Apply to all 3 connection profiles (domain, private, public)
  • And give it a name... done!
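The GUI steps in the answer above can also be scripted and then checked; this is an added example, not part of the original answer. The program path and rule name are placeholders (assumptions), the function name is hypothetical, and it must run from an elevated PowerShell prompt.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted form of the outbound block rule described in the answer.
param(
    # Placeholder (assumption): full path of the executable to block.
    [string]$ProgramPath = 'C:\Temp\scanner-driver-setup.exe',
    # Placeholder (assumption): any display name you will recognise later.
    [string]$RuleName    = 'Block outbound - untrusted scanner driver'
)

function Add-OutboundBlockRule {
    param([string]$Path, [string]$Name)

    # Program rules match on the full image path, so resolve it and
    # fail early if the file is not where we think it is.
    $full = (Resolve-Path -LiteralPath $Path -ErrorAction Stop).ProviderPath

    # Replace any earlier rule with the same name instead of stacking duplicates.
    Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule

    # Outbound, this program, block, all three profiles.
    New-NetFirewallRule -DisplayName $Name `
        -Direction Outbound `
        -Program $full `
        -Action Block `
        -Profile Domain, Private, Public `
        -Enabled True | Out-Null

    # Read the rule back so the result is verified rather than assumed.
    $rule   = Get-NetFirewallRule -DisplayName $Name
    $filter = $rule | Get-NetFirewallApplicationFilter
    [pscustomobject]@{
        Name      = $rule.DisplayName
        Direction = $rule.Direction
        Action    = $rule.Action
        Profile   = $rule.Profile
        Enabled   = $rule.Enabled
        Program   = $filter.Program
    }
}

Add-OutboundBlockRule -Path $ProgramPath -Name $RuleName | Format-List
```

The rule only matches traffic from the process image at that exact path; anything the installer drops elsewhere, or code that runs inside another process or in the kernel, is not covered by it.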