I have used Rufus today to create a bootable Windows 10 USB drive. However, a program that creates logs on my PC showed two other programs were also executed about 15 seconds after Rufus started: vds.exe (which makes sense, since it's something related to virtual disk) and RAServer.exe.

The last one worried me a bit, because it's a file related to remote connections. Was it really Rufus doing this? If so, why does it use this executable?

Joachim
Mycroft

1 Answer

Rufus dev here.

First of all, please make sure you only ever download Rufus from the official website (https://rufus.ie) or the GitHub repo, since, as with everything, the popularity of the application has resulted in folks creating malicious versions, that they then try to trick people into downloading as if they were official ones. Note that all our releases are digitally signed, with credentials stating Akeo Consulting as the signer.

Second, if you look at our very public source code, you will see tons of mentions of VDS, which is Microsoft's Virtual Disk Service and which indeed, in some weird Microsoft logic, seems to translate to a vds.exe executable being instantiated and running some commands, instead of just invoking APIs that would/should really be integrated directly into the OS like one would expect (so that, for one thing, it doesn't confuse or scare users as to why some executable they've probably never heard of is suddenly being launched by the OS for no apparent reason).

However, we're certainly not doing anything with RAS. And this is a claim you can actually validate for yourself (provided you can read C source code), since recent versions of Rufus are built in such a way that, if you did download an official version, then it's impossible for us to hide something in the executable that isn't also present in the very public source (on account of this feature), and, unless you believe that we somehow managed to obfuscate RAS calls in a source that is seeing some scrutiny due to being the source of a popular application, then if you spend time checking our code, you should come to the conclusion that, as opposed to what's the case for VDS, there is absolutely no invocation of anything related to RAS being performed by Rufus.

Unfortunately, that still does not mean that the OS itself may not start RAS, possibly as a byproduct of some of the API calls Rufus makes, because Microsoft made Windows a very weird beast and you'd be surprised at the amount of innocuous Windows API calls (such as temporarily editing a Local Group Policy, so that users aren't bothered by unwanted "Do you want to format this drive" system popups while using Rufus) that result in the OS triggering behaviour that doesn't look innocuous at all... However, I am not aware of anything that would relate to RAS so far, and I can assure you that the official Rufus application is certainly not issuing any intentional calls to start RAServer.exe.

But again, the nice thing is that, if you're familiar enough with Windows software development, you don't have to take my word for it: You can simply validate this for yourself from our public source since, again, because we are producing tamper-proof executables using a 100% public build process, it contains exactly all of the code that is ever included in the official application, no more, no less.

Oh, and you may also want to read the other points we make on our Security Page, since it is designed to give you, the user, some assurance that you can trust the official releases of Rufus to never do anything malicious behind your back...

Akeo

  • RAServer is actually “Windows Remote Assistance COM Server”, so not related to RAS (Remote Access). – Daniel B Jan 08 '22 at 10:53
  • That's a good point, and I should probably have tried to use better terminology. However, in this context, the worry from OP is that someone may be using RAServer.exe for malicious remote access (through the Remote Assistance feature, where the user screen would be shared with a malicious participant), so, unless the fact that it's a COM server makes it unsuitable for that purpose (though that's not what I see online about RAServer.exe), I would think we can generally still talk about Remote Access, even if it's really Remote Assistance. – Akeo Jan 08 '22 at 11:04
  • @Akeo Thank you for your answer. I did the download from rufus.ie yesterday, the file is signed and the SHA-256 is 6d362897059df29d9674112a43e68dbc549ba4c25e7036dd9fae7c92bfafda02. Could you please confirm if this is the correct one? If it is, I will just assume the thing with RAServer is some weird API call as you suggested. – Mycroft Jan 08 '22 at 16:57
  • The SHA-256 is correct. But hash validation is performed as part of the signature validation, so if Windows says that the signature is valid, and the signature says Akeo Consulting, you don't need to validate the SHA again, because Windows will just have done that for you. – Akeo Jan 08 '22 at 19:17
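The checks discussed in the answer and its comments (Authenticode signature with Akeo Consulting as the signer, an optional SHA-256 comparison against the published value, and finding out which parent process actually launched RAServer.exe) can be scripted. The following PowerShell is an added example for this page, not code from the Rufus project or the answerer. The download path and the expected hash are placeholders to replace with your own values; the event-log part assumes "Audit Process Creation" (Security event 4688) is enabled and the shell is elevated, since without that the Security log holds no process-creation events.

```powershell
# Added example (not part of the original post or of the Rufus project).
# Assumptions: $Path and $ExpectedSha256 are placeholders you replace with your
# own download and the hash published with the release; the signer name comes
# from the answer above; Security event 4688 auditing is enabled on the host.
param(
    [string]$Path = "$env:USERPROFILE\Downloads\rufus.exe",                # placeholder path
    [string]$ExpectedSha256 = "<SHA-256 published alongside the release>",  # placeholder value
    [string]$ExpectedSigner = "Akeo Consulting"
)

function Test-SignedDownload {
    param([string]$Path, [string]$ExpectedSha256, [string]$ExpectedSigner)

    # Authenticode check. The signature covers the file's hash, so Status 'Valid'
    # already implies the bytes are unchanged since signing; we additionally
    # require that the signing certificate's subject names the expected publisher,
    # because any validly signed file would otherwise pass.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    $signerOk = ($sig.Status -eq 'Valid') -and ($subject -match [regex]::Escape($ExpectedSigner))

    # Independent SHA-256 comparison. Redundant when the signature is valid, as the
    # last comment notes, but useful where the Authenticode check cannot be run.
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $hashOk = ($actual -ieq $ExpectedSha256)

    [pscustomobject]@{
        File            = $Path
        SignatureStatus = $sig.Status
        Signer          = $subject
        SignerMatches   = $signerOk
        Sha256          = $actual
        HashMatches     = $hashOk
        Trusted         = $signerOk          # hash alone is not a substitute for the signature
    }
}

function Get-ProcessLaunches {
    # Lists Security 4688 (process creation) events for one image name together
    # with the parent process that started it, so a launch of RAServer.exe can be
    # attributed to Rufus, to a system service, or to something unrelated.
    # Fields are read by name from the event XML rather than by positional index.
    param([string]$ImageName = 'RAServer.exe', [int]$Scan = 5000, [int]$MaxResults = 50)

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $Scan -ErrorAction Stop |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data['NewProcessName'] -like "*\$ImageName") {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Process = $data['NewProcessName']
                    Parent  = $data['ParentProcessName']   # present on Windows 10 and later
                    User    = $data['SubjectUserName']
                }
            }
        } | Select-Object -First $MaxResults
}

Test-SignedDownload -Path $Path -ExpectedSha256 $ExpectedSha256 -ExpectedSigner $ExpectedSigner | Format-List
Get-ProcessLaunches -ImageName 'RAServer.exe' | Format-Table -AutoSize
```

The `Trusted` field is driven by the signature check alone: a matching hash with an invalid or missing signature means the file matches something you were told to expect, not that it came from the publisher. In the 4688 output, a `Parent` of `rufus.exe` would point at the API side effects the answer describes; a parent such as `svchost.exe` points at the OS starting the COM server on its own.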