[SOLVED] Software to check if a Deb package is safe to install

Questions about applications and software
Forum rules
Before you post please read how to get help
Post Reply
KIMW
Level 3
Level 3
Posts: 162
Joined: Sat Nov 12, 2016 1:43 pm
Location: Italy

[SOLVED] Software to check if a Deb package is safe to install

Post by KIMW »

I'm aware that as a rule of thumb software should be installed from Software Manager, but it's not always possible.

I was wondering if there is a way to check if a Deb package I've found on Internet is safe to install?

I don't have enough knowledge to understand what is inside the package would do precisely, so I'm not talking about going through the Deb package manually. Is there a software or perhaps a website like: virustotal.com that could check how safe is it?
Last edited by KIMW on Sun Jan 31, 2021 8:04 am, edited 1 time in total.
Distro: Linux Mint 18.3 KDE
Laptop: Dell Latitude-E7470. RAM 16GB. Dual core: Intel Core i7-6600U. Graphic Card: Intel Sky Lake..
User avatar
Welcome
Level 5
Level 5
Posts: 977
Joined: Wed Aug 19, 2020 11:38 am

Re: Software to check if a Deb package is safe to install

Post by Welcome »

Good question!

I just used virustotal.com to scan a .deb file. It came up with no detections. And, virustotal indicates that this file had just been tested 3 days ago, so others are using it.

Is it safe? The file I tested is the Phoronix Test Suite, and so I'd expect it to be. Anyone can make a .deb file, and I can imagine a new strain of virus or trojan could be introduced in a .deb, so it isn't always safe. Know where the .deb is from and know if they can be trusted. That's my advice.
3 steps to find an answer:
  1. Search forum with unique key words
  2. Search 'net with unique key words & add site:linuxmint.com
  3. Search 'net with unique key words & add either Linux Mint or Ubuntu
KIMW
Level 3
Level 3
Posts: 162
Joined: Sat Nov 12, 2016 1:43 pm
Location: Italy

Re: Software to check if a Deb package is safe to install

Post by KIMW »

Welcome wrote:
Thu Jan 14, 2021 12:24 pm
I just used virustotal.com to scan a .deb file. It came up with no detections.
You mean that there was no known threat or that nothing was shown in return?
Distro: Linux Mint 18.3 KDE
Laptop: Dell Latitude-E7470. RAM 16GB. Dual core: Intel Core i7-6600U. Graphic Card: Intel Sky Lake..
Darosicam
Level 1
Level 1
Posts: 10
Joined: Sun Jan 17, 2021 8:02 am
Location: UK

Re: Software to check if a Deb package is safe to install

Post by Darosicam »

If you want to install an application which is not in the Software Manager, or you want a later version, go to the site belonging to the application and download the official version. Almost all will have a checksum so that you can check the validity of the file prior to installation. This keeps you clear of modified versions of applications, but doesn't guarantee that it will run smoothly on your current installation. That is up to you. Regularly cloning your system, or using backup will enable you to restore the system if you create a problem.

I often use latest versions straight from sites who supply them as APPIMAGE files. These files install nothing and come complete with all the libraries, etc., required by the application. Yes they use more drive space, but I have yet to experience a single problem with them, so I am happy to recommend them. You can make such image files yourself, thereby generating 'portable' applications which can move to other Linux machines running any version of Linux.

I have several 120GB USB solid-state drives (cheap) which I use for carrying Linux Mint and a few other bits and pieces around with me. USB3 is best for USB booting as it is considerably faster than the older versions.
User avatar
Welcome
Level 5
Level 5
Posts: 977
Joined: Wed Aug 19, 2020 11:38 am

Re: Software to check if a Deb package is safe to install

Post by Welcome »

KIMW wrote:
Sun Jan 17, 2021 11:59 am
You mean that there was no known threat or that nothing was shown in return?
No known threat. Many of the virus scanning software produced results indicating that they didn't detect a known threat.
3 steps to find an answer:
  1. Search forum with unique key words
  2. Search 'net with unique key words & add site:linuxmint.com
  3. Search 'net with unique key words & add either Linux Mint or Ubuntu
User avatar
xenopeek
Level 25
Level 25
Posts: 25248
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands

Re: Software to check if a Deb package is safe to install

Post by xenopeek »

First thing I'd consider is where are you downloading the .deb file from. Is it from the website of the software you want to install? So the .deb file is made by the people that also develop the software? In that case the question boils down to do you trust the developers of the software.

For .deb files downloaded from other websites I'd try to find a more authoritative source to get the software from but virustotal is a good suggestion to do some basic checking although it will mostly look for malware for other OSes I think.
Image
KIMW
Level 3
Level 3
Posts: 162
Joined: Sat Nov 12, 2016 1:43 pm
Location: Italy

Re: Software to check if a Deb package is safe to install

Post by KIMW »

Darosicam wrote:
Sun Jan 17, 2021 12:34 pm
[...] APPIMAGE files. These files install nothing and come complete with all the libraries, etc., required by the application.
Prior my first post I did some research about AppImage and Flatpak (or Snap)...
I agree with you about AppImage, and it's also very simple to use.

But AppImage apparently runs on a system unsandboxed.

It's why, I read, distros are slowly moving towards Flatpak as the primary distribution method for desktop applications because it includes sandboxing which makes it significantly more secure...

xenopeek wrote:
Sun Jan 17, 2021 1:42 pm
For .deb files downloaded from other websites I'd try to find a more authoritative source to get the software from
What do you mean by: "find a more authoritative source"
xenopeek wrote:
Sun Jan 17, 2021 1:42 pm
virustotal is a good suggestion to do some basic checking although it will mostly look for malware for other OSes I think.
So it would be recognised as a Debian Package but would be inspected only for a Windows environment?
Distro: Linux Mint 18.3 KDE
Laptop: Dell Latitude-E7470. RAM 16GB. Dual core: Intel Core i7-6600U. Graphic Card: Intel Sky Lake..
User avatar
xenopeek
Level 25
Level 25
Posts: 25248
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands

Re: Software to check if a Deb package is safe to install

Post by xenopeek »

KIMW wrote:
Sun Jan 17, 2021 4:34 pm
What do you mean by: "find a more authoritative source"
I mean official. Instead of downloading a .deb file from some random person's website prefer to get it from the website of the developers of the software.
KIMW wrote:
Sun Jan 17, 2021 4:34 pm
xenopeek wrote:
Sun Jan 17, 2021 1:42 pm
virustotal is a good suggestion to do some basic checking although it will mostly look for malware for other OSes I think.
So it would be recognised as a Debian Package but would be inspected only for a Windows environment?
I can't answer that. I don't know if virustotal or the anti virus engines know that a .deb file is an archive that should be extracted before scanning. Processing the data of a compressed file isn't useful; the decompressed data should be processed.
Image
User avatar
phd21
Level 19
Level 19
Posts: 9976
Joined: Thu Jan 09, 2014 9:42 pm
Location: Florida

Re: Software to check if a Deb package is safe to install

Post by phd21 »

Hi KIMW,

I just read your post and the good replies to it. Here are my thoughts on this as well.

Which software deb file are you concerned about?

As far as I know, the excellent VirusTotal website does check for all types of malware on most operating systems and their files including Linux since 2014.
VirusTotal will scan, and detect, if appropriate, any type of binary content, be it a Windows executable, Android APKs, PDFs, images, javascript code, etc. Most of the antivirus companies involved in VirusTotal will have solutions for multiple platform, hence they usually produce detection signatures for any kind of malicious content
Google's VirusTotal puts Linux malware under the spotlight | ZDNet
https://www.zdnet.com/article/googles-v ... 20malware.

It is a good idea to only trust software offered by the developers or maintainers, so if the developer's website has links to deb files or appimages, you can trust it. There are often 3rd party websites and PPA's, etc... that may also offer installation of certain software or many different software packages, these should be researched and possibly checked for malware before installation; you can also ask about these here in this forum. A more authoritative source would be this forum, respected Linux websites that have reviewed the software, etc...

I prefer AppImages or self-contained ready to run archive files over Flatpaks and Snap packages. The many software packages offered as AppImages can be sandboxed using Firejail if you want to. Unless the particular software AppImage accesses the Internet or requires root access, there is no need to firejail sandbox it.
Example of Firekail sandbox with Krita AppImage

Code: Select all

firejail --appimage krita-3.0-x86_64.appimage
Update: I uploaded "clamav-testfiles_0.102.4+dfsg-0ubuntu0.20.04.1_all.deb" to VirusTotal which contains safe test infected files for the ClamAV application, and VirusTotal had 2 engines that detected it but did not specify all the results (41). The deb file contains multiple nested archive files with various "safe" viruses that should have been detected but were not. ClamAV did not detect them either until I extracted the Deb file and the data archive files then ran a check on the extracted folders.

AppImage Support | Firejail
https://firejail.wordpress.com/document ... e-support/

11 Tools to Scan Linux Server for Security Flaws and Malware
https://geekflare.com/linux-security-scanner/

Linuxvirus - Community Help Wiki
https://help.ubuntu.com/community/Linuxvirus


Hope this helps ...
Phd21: Mint 20 Cinnamon & xKDE (Mint Xfce + Kubuntu KDE) & KDE Neon 64-bit (new based on Ubuntu 20.04) Awesome OS's, Dell Inspiron I5 7000 (7573) 2 in 1 touch screen, Dell OptiPlex 780 Core2Duo E8400 3GHz,4gb Ram, Intel 4 Graphics.
User avatar
Welcome
Level 5
Level 5
Posts: 977
Joined: Wed Aug 19, 2020 11:38 am

Re: Software to check if a Deb package is safe to install

Post by Welcome »

This is very interesting!
phd21 wrote:
Sun Jan 17, 2021 5:36 pm
Update: I uploaded "clamav-testfiles_0.102.4+dfsg-0ubuntu0.20.04.1_all.deb" to VirusTotal which contains safe test infected files for the ClamAV application, and VirusTotal had 2 engines that detected it but did not specify all the results (41). The deb file contains multiple nested archive files with various "safe" viruses that should have been detected but were not. ClamAV did not detect them either until I extracted the Deb file and the data archive files then ran a check on the extracted folders.
Emphasis added.
3 steps to find an answer:
  1. Search forum with unique key words
  2. Search 'net with unique key words & add site:linuxmint.com
  3. Search 'net with unique key words & add either Linux Mint or Ubuntu
User avatar
kc1di
Level 16
Level 16
Posts: 6708
Joined: Mon Sep 08, 2008 8:44 pm
Location: Maine USA

Re: Software to check if a Deb package is safe to install

Post by kc1di »

It all comes down to trust in the software you want to install, things like where did I download it from. Do I trust the people who uploaded it in the first place. The reason that we discourage installing programs outside the official sources is that there is no way to verify that they will work with Mint without causing problems in other areas. The programs found in the software repositories have been tested to a degree to assure they will not break the system. If you download and install programs outside the tested ones. You'll run the risk of breaking your system. And maybe not being able to find help here to fix it if it breaks. With all that in mind you will have to make up your own mind as to the advisability of installing it.
I think apimages and flatpacks are one solution. But even there caution is advised. PPA's also can prevent problems. But each person will have to weigh the risks vs the benefits the program being looked. I tend to err on the side of caution. Good luck in your choosing.
Easy tips : https://easylinuxtipsproject.blogspot.com/ Pjotr's Great Linux projects page.
Linux Mint Installation Guide: http://linuxmint-installation-guide.rea ... en/latest/
Registered Linux User #462608
KIMW
Level 3
Level 3
Posts: 162
Joined: Sat Nov 12, 2016 1:43 pm
Location: Italy

Re: Software to check if a Deb package is safe to install

Post by KIMW »

Sorry for the late reply, I was not feeling well.
phd21 wrote:
Sun Jan 17, 2021 5:36 pm
As far as I know, the excellent VirusTotal website does check for all types of malware on most operating systems and their files including Linux since 2014.
Excellent.
phd21 wrote:
Sun Jan 17, 2021 5:36 pm
It is a good idea to only trust software offered by the developers or maintainers, so if the developer's website has links to deb files or appimages, you can trust it.
That's simple. Thanks!
phd21 wrote:
Sun Jan 17, 2021 5:36 pm
I prefer AppImages or self-contained ready to run archive files over Flatpaks and Snap packages. The many software packages offered as AppImages can be sandboxed using Firejail if you want to.
Unfortunately I stopped using Firejail, because it was completely messing up my laptop's sounds settings.
viewtopic.php?p=1681521#p1681521
Welcome wrote:
Mon Jan 18, 2021 8:26 am
This is very interesting!
phd21 wrote:
Sun Jan 17, 2021 5:36 pm
I uploaded "clamav-testfiles_0.102.4+dfsg-0ubuntu0.20.04.1_all.deb" to VirusTotal [...] ClamAV did not detect them either until I extracted the Deb file and the data archive files then ran a check on the extracted folders.
Okay, then a Deb file should always be extracted before inspecting it.

Thanks all of you guys for your help.
Distro: Linux Mint 18.3 KDE
Laptop: Dell Latitude-E7470. RAM 16GB. Dual core: Intel Core i7-6600U. Graphic Card: Intel Sky Lake..
User avatar
phd21
Level 19
Level 19
Posts: 9976
Joined: Thu Jan 09, 2014 9:42 pm
Location: Florida

Re: Software to check if a Deb package is safe to install

Post by phd21 »

Hi KIMW,

You are welcome from all of us that replied...

Using the firejail sandboxing application is a great way to make sure your system is safer. Most people do not have any sound issues when installing or using firejail. But, if you do have sound issues, run their one line command below and restart your computer or logout and back in. I run the command anyway after installing or updating firejail.

Code: Select all

firecfg --fix-sound
Frequently Asked Questions · netblue30/firejail Wiki · GitHub
https://github.com/netblue30/firejail/w ... -Questions
PulseAudio 7.0/8.0 issue

The srbchannel IPC mechanism, introduced in PulseAudio 6.0, was enabled by default in release 7.0. Many Linux users are reporting sound problems when running applications in Firejail sandbox. It affects among others Ubuntu 16.04 and Mint users. This problem was fixed PulseAudio version 9.0. Run firecfg --fix in a terminal or apply the following configuration to mask the problem:

$ mkdir -p ~/.config/pulse
$ cd ~/.config/pulse
$ cp /etc/pulse/client.conf .
$ echo "enable-shm = no" >> client.conf

A logout/login is required for the changes to take effect.

If you have problems with PulseAudio 9.x use the previous fix, or configure enable-memfd = yes in /etc/pulse/daemon.conf.
Hope this helps ...
Phd21: Mint 20 Cinnamon & xKDE (Mint Xfce + Kubuntu KDE) & KDE Neon 64-bit (new based on Ubuntu 20.04) Awesome OS's, Dell Inspiron I5 7000 (7573) 2 in 1 touch screen, Dell OptiPlex 780 Core2Duo E8400 3GHz,4gb Ram, Intel 4 Graphics.
KIMW
Level 3
Level 3
Posts: 162
Joined: Sat Nov 12, 2016 1:43 pm
Location: Italy

Re: Software to check if a Deb package is safe to install

Post by KIMW »

I did not know Firejail issue was fixed. That's really great!
I'm going to reinstall it again then.
Thanks a lot phd21.
Distro: Linux Mint 18.3 KDE
Laptop: Dell Latitude-E7470. RAM 16GB. Dual core: Intel Core i7-6600U. Graphic Card: Intel Sky Lake..
User avatar
phd21
Level 19
Level 19
Posts: 9976
Joined: Thu Jan 09, 2014 9:42 pm
Location: Florida

Re: Software to check if a Deb package is safe to install

Post by phd21 »

Hi KIMW,

You are welcome...again...
Phd21: Mint 20 Cinnamon & xKDE (Mint Xfce + Kubuntu KDE) & KDE Neon 64-bit (new based on Ubuntu 20.04) Awesome OS's, Dell Inspiron I5 7000 (7573) 2 in 1 touch screen, Dell OptiPlex 780 Core2Duo E8400 3GHz,4gb Ram, Intel 4 Graphics.
Post Reply

Return to “Software & Applications”