Safety? (with regards to installing)

VST, AU, AAX, CLAP, etc. Plugin Virtual Effects Discussion
Post Reply New Topic
RELATED
PRODUCTS

Post

Interested in getting feedback from folks about the safety of installing some of these free plugins. I use VirusTotal anytime I download a free plugin. Even some of the more well-known plugins will sometimes show a malicious file from one or more sites (VirusTotal, if you're unfamiliar, uses a conglomerate of site scans -- usually about 30 or so). But overall, VirusTotal will give you a greenlight on the file if most of the sites do not detect anything.

Anyone experience any issues or have any concerns about these plugins?

Post

I have the same concerns. I see the danger from potential bad actors, but also from security vulnerabilities. Unfortunately many audio developers seems not to have security on their radar. This starts with more and more network communication in the background by the plugin (potential attack vector, every plugin is doing it on their own, hence higher chance of error) and not using code signing for their plugins or taking care of false positive detections.

I don't try as much plugins as in the past because the impact of malware in a connected world is getting higher.

Post

midi_transmission wrote: Fri Jun 02, 2023 11:22 am ... This starts with more and more network communication in the background by the plugin ...
That was my distinct impression, as man, the CPU usage is getting a bit crazy now when running Tracktion, even with just loading basic tracks -- no plugins added yet. I kinda figured a lot of these software companies are making the bulk of their money back adding trackers or something, since the products are free.

Post

No I don't think that's the case. I don't think that scam is a business model in the audio world so far.

My fear is rather an isolated black sheep.

But even more the general lack of interest in security that is creating an attack vector by things like active network connections. The risks that is introduces by this is very much underestimated and ignored unfortunate in general.

It's like using an outdated browser for the network part.

Post

Well, for instance, the Bertom plugins. I've used the Denoiser for a while now (my absolute, most valuable plugin). Went to their site to download the other freeware they offer. Check each one, and one site found malware inside. So, I'm referring specifically to plugins downloaded directly from the publishers, not a third-party site.

Post

I’ve never considered, for even a nanosecond, that stuff I downloaded to my Mac, from devs (Soundtoys, TAL, Izotope, Waves, Lennar, Ableton etc) might be the remotest bit dodgy.

Should I?
I lost my heart in Cap de Creus

Post

The old question we gotta ask ourselves since maybe the 80s, is this: "Should I trust developer X and install his closed source". Or does the software unwanted things like A, B or C? Maybe even unintended because libraries?

The answer is: Yes. No. Maybe. (A*B)/C=0.

Ask your guts. You could observe suspicious software with sysinternals filemon/procmon/whateverMonitor.

People generally aren'tn interested in security. Business gave them Antivirus software and they're happy. Let them be happy.

Post

revvy wrote: Sun Jun 04, 2023 6:12 am I’ve never considered, for even a nanosecond, that stuff I downloaded to my Mac, from devs (Soundtoys, TAL, Izotope, Waves, Lennar, Ableton etc) might be the remotest bit dodgy.

Should I?
No. It’s not outside the realm of possibility, but probably remote. However, some random developer offering software that you have never heard of… could be worth passing on.
Zerocrossing Media

4th Law of Robotics: When turning evil, display a red indicator light. ~[ ●_● ]~

Post

irpacynot wrote: Sun Jun 04, 2023 5:47 am Well, for instance, the Bertom plugins. I've used the Denoiser for a while now (my absolute, most valuable plugin). Went to their site to download the other freeware they offer. Check each one, and one site found malware inside. So, I'm referring specifically to plugins downloaded directly from the publishers, not a third-party site.
I can't say anything about these plugins.

But a hit at Virustotal does not mean it's malware automatically. it is a heuristic. It can be a virus but also a false positive.

It's a uncomfortable situation.

I prefere it when a developer takes care of false positives as much as possible.

I do not like to install software when I’m on the fence whether it's a false positive. But it's not wrong to ingnore a detection when you're very confident that it's a false positive. This is a decision that you must make yourself in case of doubt.
Last edited by midi_transmission on Mon Jun 05, 2023 5:48 pm, edited 3 times in total.

Post

tapiodmitriyevich wrote: Mon Jun 05, 2023 2:38 pm The old question we gotta ask ourselves since maybe the 80s, is this: "Should I trust developer X and install his closed source". Or does the software unwanted things like A, B or C? Maybe even unintended because libraries?

The answer is: Yes. No. Maybe. (A*B)/C=0.

Ask your guts. You could observe suspicious software with sysinternals filemon/procmon/whateverMonitor.

People generally aren'tn interested in security. Business gave them Antivirus software and they're happy. Let them be happy.
This. You should be careful like with every software. But the chance is probably very low to get malware by trusted companies.

But be aware that malware can be passed unintended. There was just a case some month ago https://www.malwarebytes.com/blog/news/ ... ain-attack

Post

I only give a second thought if I get more than 3 hits on virus total. I get false positives from engines such as Trapmine/CrowdStrike Falcon/Bkav Pro very consistently.

Post

revvy wrote: Sun Jun 04, 2023 6:12 am I’ve never considered, for even a nanosecond, that stuff I downloaded to my Mac, from devs (Soundtoys, TAL, Izotope, Waves, Lennar, Ableton etc) might be the remotest bit dodgy.

Should I?
gotta be suspicious of everyone these days, it's the nice ones that turn out to actually be evil. in films anyway and they must be based on something :shrug:

you shouldn't even trust me, i don't.
mainly because im useless though, not evil.
:ud:

Post

zerocrossing wrote: Mon Jun 05, 2023 4:46 pm
revvy wrote: Sun Jun 04, 2023 6:12 am I’ve never considered, for even a nanosecond, that stuff I downloaded to my Mac, from devs (Soundtoys, TAL, Izotope, Waves, Lennar, Ableton etc) might be the remotest bit dodgy.

Should I?
No. It’s not outside the realm of possibility, but probably remote. However, some random developer offering software that you have never heard of… could be worth passing on.
Best answer in the thread i think.

Post

You should know there's a bug in some old Synthedit made stuff that will test false positive for a Trojan. Other than that, I've run across a problem. I have 3 virus scans I use and I test everything in the file and in use. The only weird thing I got was a plugin that had a copy protection for the software code that made Windows 11 freak out and refuse to run it. It was a Computer Music magazine plugin.

Post

Thanks, folks, for all the great replies. For me, though viruses are an obvious issue, I don't fear that so much with the more well-known publishers. But I was mainly worried that these same publishers might be installing additional trackers, and since my computer is pretty old and slow, that can really cause issues inside of Tracktion. She gets easily locked up when there's too much CPU usage going on. When I open up Task Manager, it shows most of that usage coming from Tracktion, even if the tracks aren't using a ton of plugins. So, I was afraid perhaps the more of these types of plugins I download, the more activity might be going on with the plugins communicating usage data.

Post Reply

Return to “Effects”