overwolf / jar-infection-scanner

Scan jar files for known infections
MIT License
115 stars, 13 forks

How to perform the scan in a secure way? #5

Closed qbolec closed 1 year ago

qbolec commented 1 year ago

Given that the root cause of the problem was downloading software from an untrusted source, I am not sure I want to fix it by downloading an app from GitHub. I know it's open source, but I am not a .Net expert, and to me it looks like quite a lot of code and XMLs to review for any potential threat. Thus I wonder:

  1. Isn't there a simpler way to scan for strings, by using existing, trusted tools, like xargs jar grep, which would be much easier to review for wider audience?
  2. If I really have to run your app, can I at least "sandbox" it somehow, by restricting access to files to just read-only and blocking network? If so, what are the simplest, most robust ways to do that on Windows?

tomwolfgang commented 1 year ago

Hi, totally understood. The release is signed with an Overwolf code-signing certificate, so at least you know it isn't tampered with (right click, Properties).

Another option is to download Visual Studio Community Edition and just compile the code; C# is easy to compile.

There are other tools I can recommend - like this one: https://github.com/MCRcortex/nekodetector

qbolec commented 1 year ago

This sounds like something which would let me verify authorship of the code, but not its safety. So, basically, I'd have to trust you to not do anything wrong with full access to my computer. Right?

CameronJThomas commented 1 year ago

Unless you possess the knowledge to read and comprehend the source of the program (in particular https://github.com/overwolf/jar-infection-scanner/blob/main/Form1.cs), yes, there is an element of trust involved, as with just about anything you use on your computer.

Whether that risk is lesser or greater than the risk of having the actual malware on your machine is entirely your own decision. Unfortunately it's just not possible to scan an entire machine for this without having some level of access to it. There are other tools and scripts floating around to achieve largely the same goal in different ways - perhaps some others will align with how you feel most comfortable. But there's no magic bullet, at least until AV vendors have caught up sufficiently and you can run a regular full AV scan.

qbolec commented 1 year ago

Well, this answer doesn't really engage with my initial question. Sure, I have to trust something/someone. And I've already stated that I trust my OS vendor and some tools like xargs, grep etc. So I hoped that you could explain how I can use, say, Windows Defender to limit access to network and forbid writes to filesystem, or use some everyday tools to grep for the pattern.

As I've said, I am not a C# expert, so I don't know if the Form1.cs file is the only thing I have to review. I don't know the .Net threat model: could .config or .resx contain something risky embedded in them?

OTOH I pretty much trust that grep, find, xxd do not do anything harmful. Here's something I've hacked together based on my limited understanding of your C# code, with help from ChatGPT.

#!/bin/bash
# Walk every .jar below the current directory and look for the known byte
# sequences inside each .class entry of the archive.
find . -type f -name '*.jar' |
while IFS= read -r jar;
do
 # List the class entries one per line so entry names with spaces survive
 # (a "for klass in $(...)" loop would split them on whitespace).
 unzip -Z1 "$jar" '**.class' 2>/dev/null |
 while IFS= read -r klass;
 do
    echo -ne "Checking file $jar klass $klass...                      \r";
    # Hex-dump the class as a single line: tr strips xxd's line breaks, so a
    # signature can never be split across two lines. grep needs -i because
    # xxd prints lowercase hex while the first signature is written in uppercase.
    unzip -p "$jar" "$klass" |
    xxd -p | tr -d '\n' |
    grep -q -i -E '385459041035545905102E54590610325459071031545908103754591006102E5459100710315459100810345459100910345459100A102E5459100B10315459100C10335459100D103054B7|68545904107454590510745459061070545907103a545908102f54591006102f54591007106654591008106954591009106c5459100a10655459100b10735459100c102e5459100a10735459100e106b5459100f107954591010107254591011106154591012106754591013106554591014102e545910151064|2d545904106a54590510615459061072'
    ok=$?
    if [ $ok -eq 0 ];
    then
        echo "Malware was found in class '$klass' in jar '$jar'";
    fi
 done
done

If this code does the same thing as yours (I honestly don't know), then at least it is easier to verify that it is not doing anything harmful. One just has to trust that find, unzip, xxd, grep and echo, for these particular arguments, do not do anything scary.
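The same check, written as an added example in Python (this is not code from the issue, from qbolec's script or from the overwolf tool). It compares the three byte sequences from the script's grep alternation directly against each .class entry, so the case of the hex digits is irrelevant, entry names containing spaces are handled, and jars packed inside other jars are scanned too (up to a fixed nesting depth, with an entry-size cap as a zip-bomb guard). The labels sig1..sig3 are arbitrary names chosen here, and make_sample_jar builds a constructed fixture (a fake class entry with filler bytes, not real bytecode) so the scanner can be tried offline. Like the shell script, it only finds these exact byte sequences; it says nothing about variants that do not contain them.

```python
"""Signature scan of .jar files for the byte patterns quoted in the thread."""
import io
import sys
import zipfile
from pathlib import Path

# The three hex patterns from the shell script's grep alternation, as bytes.
# The labels are arbitrary names chosen for this example.
SIGNATURES = {
    "sig1": bytes.fromhex("385459041035545905102E54590610325459071031545908103754591006102E5459100710315459100810345459100910345459100A102E5459100B10315459100C10335459100D103054B7"),
    "sig2": bytes.fromhex("68545904107454590510745459061070545907103a545908102f54591006102f54591007106654591008106954591009106c5459100a10655459100b10735459100c102e5459100a10735459100e106b5459100f107954591010107254591011106154591012106754591013106554591014102e545910151064"),
    "sig3": bytes.fromhex("2d545904106a54590510615459061072"),
}

MAX_ENTRY_BYTES = 64 * 1024 * 1024   # skip absurdly large entries (zip-bomb guard)
MAX_NESTING = 3                      # how many levels of jar-inside-jar to follow


def scan_class_bytes(data: bytes) -> list[str]:
    """Return the labels of every signature whose bytes occur in `data`."""
    return [label for label, sig in SIGNATURES.items() if sig in data]


def scan_jar_bytes(data: bytes, label: str, depth: int = 0) -> list[tuple[str, str]]:
    """Scan every .class entry of an in-memory jar/zip.

    Returns (entry path, signature label) pairs. Nested .jar/.zip entries are
    scanned as well, up to MAX_NESTING levels; unreadable archives yield nothing.
    """
    findings: list[tuple[str, str]] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_ENTRY_BYTES:
                continue
            where = f"{label}!{info.filename}"
            lower = info.filename.lower()
            if lower.endswith(".class"):
                for hit in scan_class_bytes(zf.read(info)):
                    findings.append((where, hit))
            elif lower.endswith((".jar", ".zip")) and depth < MAX_NESTING:
                findings.extend(scan_jar_bytes(zf.read(info), where, depth + 1))
    return findings


def scan_tree(root: Path) -> list[tuple[str, str]]:
    """Scan every *.jar below `root`, like the `find` in the shell script."""
    findings: list[tuple[str, str]] = []
    for path in sorted(root.rglob("*.jar")):
        if path.is_file():
            findings.extend(scan_jar_bytes(path.read_bytes(), str(path)))
    return findings


def make_sample_jar(infected: bool, nested: bool = False) -> bytes:
    """Constructed fixture (not a real class file): a class-file magic number
    plus filler, optionally carrying sig3, optionally wrapped in an outer jar."""
    body = b"\xca\xfe\xba\xbe" + b"\x00" * 16
    if infected:
        body += SIGNATURES["sig3"] + b"\x00" * 4
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("com/example/My App.class", body)   # name with a space on purpose
    data = inner.getvalue()
    if nested:
        outer = io.BytesIO()
        with zipfile.ZipFile(outer, "w") as zf:
            zf.writestr("lib/inner.jar", data)
        data = outer.getvalue()
    return data


if __name__ == "__main__":
    hits = scan_tree(Path(sys.argv[1]) if len(sys.argv) > 1 else Path("."))
    for where, sig in hits:
        print(f"Signature {sig} found in {where}")
    sys.exit(1 if hits else 0)
```

Run it as `python scan_jars.py /path/to/mods`; the exit status is 1 when any entry matched, which makes it easy to chain from another script. Because the class bytes never leave memory and nothing is extracted to disk, the only file access the script needs is read access to the jars themselves.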