[Geany-Users] geany-1.34_setup.exe security analysis

Matthew Brush mbrush at xxxxx
Tue Dec 18 01:22:51 UTC 2018


The installer doesn't connect to the Internet, your report shows Windows 
connecting to the Internet (svchost.exe). As suggested, it's most likely 
Windows checking your Internet connection by connecting to a (somewhat) 
regional IP which will always be online (ex. a CDN). For more info, 
google for "EnableActiveProbing".

I personally installed it with Internet connected and a subsequent full 
virus scan showed no threats.

Matthew Brush

On 2018-12-17 5:07 p.m., dany111 at email.it wrote:
> So, if I run the installer offline, I should be safe, right? Because the suspicious behavior is restricted to internet connection and to the installation, when installer acts, and never again.
> Regards,
> Daniel
> ----- Original Message -----
> Hi,
> I don't think your conclusion is correct:
> in my opinion it is not yet proven that the installer actually connects
> to the internet yet it is possible (I could not reproduce it on my
> system but this does not necessarily mean it does not happen).
> And if it connects to the internet, then it is not safe because it
> should not do it.
> But yes, Geany does not connect to the internet except for the
> UpdateChecker plugin which does this by design by connecting to
> geany.org to check for the latest version. It does this only if it is
> explicitly activated.
> Tools:
> the network traffic I monitored with "tcpdump" on the router and for
> searching the IP I used "grep" from the MSYS2 distribution. "grep" is
> also available as a normal Windows binary for download and you probably
> can also use the native Windows search.
> Regards,
> Enrico
> On 12/17/18 2:09 PM, dany111 at email.it wrote:
>> Thanks for the answer.
>> So, the installer connects to internet, not Geany itself, right?
>> In conclusion, the installer is safe, isn't it?
>> PS:Could I ask you which tools you use to monitor network activity and to grep whole Windows system?
>> ----- Original Message -----
>> On 12/16/18 11:29 PM, Enrico Tröger wrote:
>>> Hi,
>>> On 12/16/18 10:37 PM, dany111 at email.it wrote:
>>>> I don't want to sound paranoid but I've just scanned geany binaries with Hybrid Anlisys.
>>>> I've got these results: https://www.hybrid-analysis.com/sample/109748fc6e6276462258ee104996fe29c9d826b4ea507857e7a2411b1614bd7d/5c1698807ca3e12dc155b5ad
>>>> In particular, could you explain me why the installer connects to the Swiss IP Address
>>> Interesting.
>>> I have not yet an explanation but am not panicly.
>>> The IP belongs to Akamai which is not per se anything bad but just a
>>> CDN. I'll try to get some more details.
>> I tested with my Windows system and the only network activity I saw was
>> a request to www.msftncsi.com/ncsi.txt which is Microsoft's network
>> connectivity check
>> (https://blog.superuser.com/2011/05/16/windows-7-network-awareness/).
>> While www.msftncsi.com actually resolves to an IP address of the Akamai
>> CDN IP range, it might be just accidental.
>> I would assume that Hybrid Analysis is smart enough to filter out
>> Windows' own connectivity check from the tests.
>> Furthermore, I grepped my whole Windows system used for the release
>> binaries for that IP address - without any matches.
>> If you are interested enough, it might help to contact Hybrid Analysis
>> for support and/or debug the installer yourself to get more information
>> than I gathered.
>> It might help to get some insights about how Geany for Windows is built.
>> The used software and build instructions are documented in the wiki at
>> https://wiki.geany.org/howtos/win32/msys2.
>> Regards,
>> Enrico
> _______________________________________________
> Users mailing list
> Users at lists.geany.org
> https://lists.geany.org/cgi-bin/mailman/listinfo/users

More information about the Users mailing list