5

My question is a bit complicated; I'm trying to evaluate if Selenium contains malware. I know a lot of people on SO use it and I'm not too worried about it, but I work for a conservative Asian company and right now they're pretty strict about installing new software for fear of viruses. So really the question is, how do I prove it's safe/convince them that it is? My boss is pretty excited about me using this to improve my efficiency, but idk that his bosses will see the potential risk as worth it.

xxxRxxx
  • 153
  • 5
  • 1
    Rephrase your question. What are you trying to achieve? What is your definition of "safe"? Selenium WebDriver itself is an open source project. It is maintained by a group of developers, and Google also contributes some code. HOWEVER, if you load Selenium and go to an UNKNOWN website that contains malvertisement, it is NOT safe. And it is NOT Selenium's fault. – mootmoot Aug 19 '16 at 14:13
  • My usage of Selenium would be copying URLs from a US government site that contains links to other websites, pasting those URLs into the search field on owler.com, clicking on the first search result, and then copying various metrics (such as revenue, # of employees) from the company's profile and pasting those into an Excel document. This is intended for use with Excel-VBA. But the technicalities are barely relevant to convincing management, I'm looking for answers from people who have faced restrictive IT policies before and gotten past that. – xxxRxxx Aug 19 '16 at 14:16
  • Am I right if I interpret your question to be "How do I figure out if a piece of software contains malware?" That is a much more limited question than figuring out if something is "safe". – Anders Aug 19 '16 at 14:20
  • 1
    Yes, I'm just going to change the title since your phrasing is less ambiguous. I am aware that web automation contains the possibility of visiting sites that serve malware, and that's not my current challenge. – xxxRxxx Aug 19 '16 at 14:24
  • So it is about web content scraping. (Don't tell us what kind of site you are going to, we are not interested.) In such a case, can't you just use much more appropriate tools such as Python requests and BeautifulSoup? Unless you need to "click" on a particular button, Selenium is overkill for web content scraping. – mootmoot Aug 19 '16 at 14:31
  • Like I said, I need to click on the first search result after entering a URL into a search field. I'm sure there is also other software that could accomplish that task, feel free to name one. – xxxRxxx Aug 19 '16 at 14:34
  • Leaving aside the fact that selenium would not be on the list of tools I would choose for the task, "pretty strict about installing new software" is meaningless as a policy. Unless you only operate with paper and pencils, you already have software, likely from multiple sources. You should therefore have a policy specifying the evaluation and acceptance criteria for new software. The absence of such a policy is a Security Risk. – symcbean Aug 19 '16 at 14:38
  • Go search for web scraping tools and study them. If your enterprise is so concerned about "compromised intranet security", you can run your program in the cloud. Whenever you play with web scraping, bear in mind that some content websites may implement an anti-scraping process. – mootmoot Aug 19 '16 at 14:40

2 Answers

4

Unfortunately this is not usually possible.

In many cases, the software is signed, so that you can verify the company who authored the software. However, in your case you are getting the software directly from the author so you know who they are.

As you understand, even knowing the author, there is still a risk that malware was included by the author. Many larger companies will not do this because they have so much to lose, but it is technically possible.

It may be wise to do some research to see if other users have reported issues.

There is no practical way to scan for 'unknown' malware. Anti-virus programs can only scan from a database of previously reported malware. (Also, you would have to disable auto-update features.)

So the bottom line is

  • Either you trust the creators enough to run the software. (and install their updates)
  • Or, you restrict the scope in which the software can run.

Restricting the scope means

  1. Run on a separated VM, which has no access to any of your operational systems.
  2. Restrict internet access so that potential malware cannot call home.
  3. Optionally run on a separate physical computer as well, but this is probably overkill.

Following these steps will limit the risk associated with running malware, but is quite distinct from your original request to detect whether malware is present.

Some final points:

  • Is it better for the software to be open source or not? That's worth considering, but not in this answer.

  • It is technically possible to de-compile the program and inspect it manually, but this is not practical.

  • You could write your own tools that serve a similar purpose.

700 Software
  • 13,997
  • 3
  • 55
  • 82
4

It's an extremely difficult task to say if a piece of software is "safe" or not. However, after reading your comments, you're after whether it contains malware?

I'd recommend you start:

  1. VirusTotal - Virus Scanner online
  2. COMODO - Valkyrie - Signature database
  3. COMODO - CAMAS - Analysis of the process

However, you are relying on virus scanners and existing known hashes for bad malware and common behaviour.

You could furthermore safeguard yourself by using virtual machine (VirtualBox/VMWare) or sandbox (Sandboxie) software to isolate your host from the potentially malicious software.

Configuring a hardened sandbox:

  • Network - Limit the application to website(s) you know it requires access to, in your case US government websites
  • File - What write access does it require? If any?
  • Registry - Same again.

Now, let's assume you were running some malicious software: the scope of the attack has been greatly reduced.

Paul
  • 1,552
  • 11
  • 11
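
The network restriction both answers recommend comes down to an allowlist decision on each outbound request. The following is an added example, not code from either answer or from Selenium: `egress_allowed`, `normalise_host` and the allowlist values (owler.com plus `.gov` hosts, HTTPS on port 443) are assumptions based on the task described in the question.

```python
from urllib.parse import urlsplit

# Assumed policy for the task in the question: the search site plus US
# government hosts, HTTPS on 443 only. Narrow it to the hosts really needed.
ALLOWED_SUFFIXES = ("owler.com", "gov")
ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {443}


def normalise_host(host):
    """Lower-case, drop the trailing root dot, IDNA-encode; None if invalid."""
    try:
        return host.rstrip(".").lower().encode("idna").decode("ascii")
    except UnicodeError:
        return None


def egress_allowed(url):
    """Return (allowed, reason) for one outbound request URL."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError for a malformed port
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL"
    host = normalise_host(parts.hostname or "")
    if not host:
        return False, "no valid host"
    if (443 if port is None else port) not in ALLOWED_PORTS:
        return False, "port not allowed"
    for suffix in ALLOWED_SUFFIXES:
        # Match the domain itself or a true subdomain, never a bare substring.
        if host == suffix or host.endswith("." + suffix):
            return True, "matches " + suffix
    return False, "host not on allowlist"


# Constructed sample requests, as a proxy in front of the sandbox might see.
SAMPLE = [
    "https://www.owler.com/search?q=example",
    "https://owler.com.updates.example.net/",
    "https://owler.com@updates.example.net/status",
    "http://www.owler.com/",
]

if __name__ == "__main__":
    for u in SAMPLE:
        print(egress_allowed(u), u)
```

Apply a check like this at a proxy or firewall outside the VM or sandbox, so that software running inside it cannot switch the restriction off.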