Hey everyone! I'm currently interning at a company, and I've been tasked with assessing two software applications: NoMachine and NetBird. I ran their installers through VirusTotal, and I noticed some concerning flags. For NetBird, a .dll file was marked as malicious by one of the vendors. For NoMachine, the installer connects to two flagged IPs—one linked to Akamai and the other to RIPE NCC, both of which have generated flags in other applications too. I'm looking for guidance on how to assess this software, including steps I can take to determine if it's safe for internal use. What are your thoughts on this situation?
3 Answers
It's great that you're being proactive! Ideally, your company should have a well-defined procedure for assessing third-party software. In my experience, we usually look into the company behind the software first, checking if they have solid policies and practices in place. Then, we conduct a Vulnerability Assessment and Penetration Testing (VAPT) before signing off on anything. If your organization lacks this documentation, it makes things a bit tricky, but it’s a good chance for you to help develop it!
If you need them, here are the VirusTotal links for both software scans. They contain detailed information about the flags:
- NetBird: [VirusTotal - File](https://www.virustotal.com/gui/file/303da19efa597437a055d94c060c62ed73819951dbd896724414a4619129aa0f/relations)
- NoMachine: [VirusTotal - File](https://www.virustotal.com/gui/file/1c4e81bc0e2bb9b0ab91bc1c15a2251a9c7939addb5ca04940b5ab5031fba0ab/relations)
Just a heads up, Akamai is a content delivery network and cloud service provider. It’s not uncommon for their IPs to be flagged—this could be related to someone using their services for malicious intent. Make sure to dig deeper into the context of why those IPs are flagged before making a decision on the software.
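Since the thread turns on how much weight a single-vendor hit and a flag on CDN address space should carry, here is a small triage helper, added here and not part of any answer above or of VirusTotal's own tooling. It assumes the field names of VirusTotal's v3 file object and contacted_ips relation (last_analysis_results, last_analysis_stats, as_owner); the sample data, the SHARED_INFRA list and the thresholds are constructed and assumed, not the real results for NetBird or NoMachine.

```python
# Constructed sample in the shape of a VirusTotal v3 file object (assumed shape):
# one engine out of five flags the installer, the others report nothing.
SAMPLE_FILE = {"last_analysis_results": {
    "VendorA": {"category": "malicious", "result": "Trojan.Generic.Heur"},
    "VendorB": {"category": "undetected", "result": None},
    "VendorC": {"category": "undetected", "result": None},
    "VendorD": {"category": "harmless", "result": None},
    "VendorE": {"category": "type-unsupported", "result": None},
}}
# Constructed sample of the file's contacted_ips relation (assumed shape).
SAMPLE_CONTACTED_IPS = [
    {"ip": "203.0.113.10", "as_owner": "Akamai Technologies, Inc.", "last_analysis_stats": {"malicious": 2, "harmless": 68}},
    {"ip": "203.0.113.20", "as_owner": "Example ISP", "last_analysis_stats": {"malicious": 0, "harmless": 70}},
    {"ip": "198.51.100.5", "as_owner": "Example Bulletproof Hosting", "last_analysis_stats": {"malicious": 11, "harmless": 55}},
]
# AS owners whose address space is shared by many unrelated tenants; a flag on
# such an IP says little about this installer (assumption: edit for your environment).
SHARED_INFRA = ("akamai", "cloudflare", "amazon", "google", "microsoft", "fastly")

def detection_summary(file_obj):
    """List the engines that flagged the file and how many actually scanned it."""
    results = file_obj["last_analysis_results"]
    flagged = sorted(n for n, r in results.items() if r["category"] in ("malicious", "suspicious"))
    # Engines that could not handle the file type do not count toward consensus.
    scanned = sum(1 for r in results.values() if r["category"] != "type-unsupported")
    return {"scanned": scanned, "flagged_by": flagged,
            "labels": [results[n]["result"] for n in flagged]}

def triage_ips(relations):
    """Rate each contacted IP as clean, needs-context (shared infra) or investigate."""
    rows = []
    for rel in relations:
        malicious = rel["last_analysis_stats"].get("malicious", 0)
        shared = any(k in rel["as_owner"].lower() for k in SHARED_INFRA)
        verdict = "clean" if malicious == 0 else "needs-context" if shared else "investigate"
        rows.append({"ip": rel["ip"], "as_owner": rel["as_owner"],
                     "malicious": malicious, "verdict": verdict})
    return rows

def overall_verdict(file_obj, relations, consensus=0.5):
    """Combine file detections and contacted IPs into a triage decision.
    The consensus threshold is an assumption: a lone heuristic hit means review, not reject."""
    summary, ips = detection_summary(file_obj), triage_ips(relations)
    ratio = len(summary["flagged_by"]) / max(summary["scanned"], 1)
    if ratio >= consensus or any(r["verdict"] == "investigate" for r in ips):
        return "escalate"
    if summary["flagged_by"] or any(r["verdict"] == "needs-context" for r in ips):
        return "review"
    return "accept"

if __name__ == "__main__":
    print(overall_verdict(SAMPLE_FILE, SAMPLE_CONTACTED_IPS))
```

A "review" or "escalate" result is a prompt to read the actual detection label and the IP's own history, not a verdict on the vendor.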
Could you elaborate on the types of issues that might lead to Akamai’s IPs getting flagged? Is it common for legitimate cloud providers to face this?
Thanks for the insight! Unfortunately, there’s no documentation here since it's a small organization still figuring things out. I’d love to assist in creating those processes, but I’m not sure how to start with them. Is conducting a VAPT very challenging or time-consuming?