In my current Windows Tip Sheet column on the popular freeware program nLite, reader Tim from Michigan makes an excellent observation:
Have used both nLite and vLite and agree both are excellent tools and have real value. My concern, however, is what else is the program doing? The program is free and, having built multiple ISO files with custom configurations, it appears to do exactly what it says it's doing. But what's it doing behind the scenes that I don't see? Is it installing rootkits, backdoors or other exploits that will make my production network vulnerable to future attacks? I haven't found any issues, but how can I be sure? If I can't be sure, how can I justify using it in a production environment? Don't get me wrong, I still use the program; I just use the ISO files in my test environment and on virtual machines that won't go into the production environment. I'd love to have the question addressed and some assurance that nothing else is being done.
I wholeheartedly agree. Tim is practicing exactly what I would initially recommend, which is to test anything and everything in a non-production environment. This should apply not only to freeware products like nLite but to Microsoft products as well. Malware aside, how do you know the latest gee-whiz solution from a reputable vendor won't break something? But that goes beyond Tim's point.
Let's talk about nLite. How can we be sure it really isn't doing anything under the hood? Well, first, I think this particular product has an established track record with a large install base. You would think that any problems would have surfaced by now; I'm not aware of any with nLite. By the way, let me be clear that I'm only using nLite as an example for the sake of discussion. As far as I can tell it is an excellent piece of software.
But let's assume there might be more to the story. In that case I might look to tools like FileMon and RegMon from Sysinternals to monitor the install process. I'd certainly make sure I have up-to-date antivirus and antispyware products installed from reputable vendors. I might run the free rootkit detector, also from Sysinternals. There are others as well.
I might also consider using an application packager like Wininstall LE (because it's free) to see what changes the app makes to my system.
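The same before/after comparison can be done without a packager. The script below is an added example, not code from the original post: it snapshots files, autostart registry values, services, drivers and scheduled tasks, and on the second run prints what changed. The directories in $Roots and the keys in $RunKeys are assumptions; widen them if the installer writes elsewhere.

```powershell
# Added example, not code from the original post: record an installer's footprint.
# Run with -Stage before, install the program, run with -Stage after; files, autostart
# registry values, services, drivers and scheduled tasks that differ are printed.
# $Roots and $RunKeys are assumptions; widen them if the installer writes elsewhere.
param(
    [ValidateSet('before', 'after')][string]$Stage = 'before',
    [string]$OutDir = (Join-Path $env:TEMP 'install-audit')
)
$Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData,
           "$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64",
           $env:APPDATA, $env:LOCALAPPDATA)
$RunKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce')
$Meta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-Snapshot {
    # One line per observed item; lines identical before and after cancel out in the diff.
    $items = New-Object 'System.Collections.Generic.List[string]'
    foreach ($root in $Roots | Where-Object { $_ -and (Test-Path -LiteralPath $_) }) {
        Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object { $items.Add("FILE|$($_.FullName)|$($_.Length)|$($_.LastWriteTimeUtc.Ticks)") }
    }
    foreach ($key in $RunKeys | Where-Object { Test-Path -LiteralPath $_ }) {
        foreach ($p in (Get-ItemProperty -LiteralPath $key).PSObject.Properties) {
            if ($p.Name -notin $Meta) { $items.Add("RUN|$key|$($p.Name)|$($p.Value)") }
        }
    }
    Get-CimInstance Win32_Service | ForEach-Object { $items.Add("SVC|$($_.Name)|$($_.StartMode)|$($_.PathName)") }
    Get-CimInstance Win32_SystemDriver | ForEach-Object { $items.Add("DRV|$($_.Name)|$($_.StartMode)|$($_.PathName)") }
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        ForEach-Object { $items.Add("TASK|$($_.TaskPath)$($_.TaskName)|$(($_.Actions | ForEach-Object Execute) -join ';')") }
    return $items | Sort-Object -Unique
}

New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
$snapshot = Join-Path $OutDir "$Stage.txt"
Get-Snapshot | Set-Content -LiteralPath $snapshot -Encoding UTF8
"Wrote $snapshot"

if ($Stage -eq 'after') {
    # '=>' marks items present only after the install, '<=' items present only before.
    $beforeFile = Join-Path $OutDir 'before.txt'
    if (-not (Test-Path -LiteralPath $beforeFile)) { throw 'Run with -Stage before first.' }
    Compare-Object -ReferenceObject (Get-Content -LiteralPath $beforeFile) -DifferenceObject (Get-Content -LiteralPath $snapshot) |
        Sort-Object InputObject |
        ForEach-Object { '{0} {1}' -f $_.SideIndicator, $_.InputObject }
}
```

Run both stages from an elevated prompt on the test VM so System32 and the HKLM keys are fully readable; a changed file shows up as one '<=' line and one '=>' line because its size or timestamp differs.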
What steps do you take to ensure something you are installing is safe?
Hi Jeff,
Just found your blog and really like it 🙂
For me, I love the DTAP process (Development\Test\Acceptance\Production) and I try to apply it everywhere…
For monitoring, I love SystemSherlock, with its GUI overview of changes (http://msmvps.com/blogs/martinzugec/archive/2008/05/26/systemsherlockgui-one-package-that-rules-them-all.aspx); sometimes I run it side-by-side with ProcMon.
Martin