ScriptBrowser

Problem

Software components sometimes need to interact with higher privilege parts of the operating system, often requiring administrative access to accomplish a task. Operating systems integrate first and third-party security solutions that can detect and block malicious code. For that reason, attackers often aim to tamper with system security software. Changing antivirus and other security software service settings may enable malicious code to execute without being blocked. While the presence of code that tampers with system security software does not necessarily imply malicious intent, all of its uses in a software package should be documented and approved. Only select applications should consider using functions that can temporarily disable system security features. One example of acceptable use for such functions is allowing specialized applications to modify protected folders and settings.

Problem

Software components contain executable code that performs actions implemented during its development. These actions are called behaviors. In the analysis report, behaviors are presented as human-readable descriptions that best match the underlying code intent. While most behaviors are benign, some are commonly abused by malicious software with the intent to cause harm. When a software package shares behavior traits with malicious software, it may become flagged by security solutions. Any detection from security solutions can cause friction for the end-users during software deployment. While the behavior is likely intended by the developer, there is a small chance this detection is true positive, and an early indication of a software supply chain attack.

Problem

Operating systems provide multiple integration points for applications to insert themselves in the system startup sequence. Startup sequence is executed in its entirety each time the computer system powers on. For that reason, attackers typically try to register their malicious code in the system startup sequence. When malicious code is registered to start with the operating system, it achieves persistence, as it becomes permanently installed. While the presence of code that modifies the system startup sequence does not necessarily imply malicious intent, all of its uses in a software package should be documented and approved. Only applications that require constant background operation should consider installing themselves as a part of the startup sequence. One exemption to this recommendation would include running the application after the first system reboot to complete the software installation.

Problem

Digital signatures are applied to applications, packages and documents as a cryptographically secured authenticity record. Signatures verify the origin and the integrity of the object they apply to. The integrity validation relies on the cryptographic strength of the encryption and the hash verification algorithm. If either of the two is considered weak by current standards, there is a chance the signed object could be maliciously modified, without triggering the integrity failure check.