How InstallSpy Detects and Prevents Malicious Installs

Quick Setup: Installing and Configuring InstallSpy in 10 Minutes

Overview

InstallSpy is a lightweight installer scanner that detects potentially malicious installers and validates package integrity. This guide walks through a fast, 10-minute setup on a Windows 10/11 or Ubuntu system, covering installation, basic configuration, and a first scan.

Prerequisites

  • Windows 10/11 (x64) or Ubuntu 20.04+ (x64)
  • 5 MB disk space, 128 MB RAM free
  • Administrative/sudo privileges
  • Internet access to download the installer

1. Download (1 minute)

  • Windows: download the latest InstallerSpy.exe from the official release page (choose 64-bit).
  • Ubuntu: download the latest installspy-linux.tar.gz or use the provided APT/YUM repo if available.

2. Install (2 minutes)

Windows:

  1. Right-click InstallerSpy.exe → Run as administrator.
  2. Follow prompts: accept EULA, choose installation folder (default: C:\Program Files\InstallSpy), and finish.

Ubuntu (tarball):

  1. Open a terminal and extract the archive, then move the binary into your PATH:
tar -xzf installspy-linux.tar.gz
sudo mv installspy /usr/local/bin/
sudo chmod +x /usr/local/bin/installspy

Ubuntu (APT repo):

sudo apt update
sudo apt install installspy

3. Configure basic settings (3 minutes)

Default config file locations:

  • Windows: C:\ProgramData\InstallSpy\config.yaml
  • Ubuntu: /etc/installspy/config.yaml

Open the file in a text editor and set these minimal fields:

  • scan_paths: ["C:\Users", "/home"]
  • auto_update_signatures: true
  • quarantine_path: "C:\ProgramData\InstallSpy\quarantine" or "/var/lib/installspy/quarantine"
  • log_level: "info"

Example YAML snippet:

scan_paths:
  - C:\Users
auto_update_signatures: true
quarantine_path: C:\ProgramData\InstallSpy\quarantine
log_level: info

Save the file and restart the InstallSpy service so the new settings take effect:

  • Windows: Services → InstallSpy → Restart
  • Ubuntu:
sudo systemctl enable --now installspy

4. Run your first scan (2 minutes)

Quick scan CLI:

installspy scan --quick

Full scan:

installspy scan --all --threads 4

Windows GUI: Open InstallSpy → Click “Quick Scan”.

Review results in the GUI, or have the CLI write them as JSON:

installspy scan --quick --output json > scan-results.json

5. Handling detections (1 minute)

  • If an item is flagged, move it to quarantine:
installspy quarantine 
  • To allow a confirmed false positive, add an allowlist entry (keyed by the file's SHA-256) in config.yaml:
allowlist:
  - sha256: "abc123…"
  • To submit a sample for analysis, use the in-app "Submit" button.

Quick verification

Confirm that the service is running and that signature updates are arriving:

  • Windows: check the service state in Services and review the logs in C:\ProgramData\InstallSpy\logs
  • Ubuntu:
sudo systemctl status installspy
sudo journalctl -u installspy --since "10 minutes ago"

Troubleshooting (brief)

  • Permission errors: run the command as administrator (Windows) or with sudo (Ubuntu).
  • Scans hanging: reduce the thread count (--threads 1) or exclude large paths in config.yaml.
  • Update failures: make sure outbound HTTPS to the update server is allowed by your firewall or proxy.

Next steps

  • Schedule daily automated scans (task scheduler or systemd timer).
  • Integrate InstallSpy with your SIEM using the JSON output option.
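The following script is an added example for this guide, not InstallSpy's own code. It ties together the allowlist step from section 5 and the SIEM integration above: it reads the JSON produced by "installspy scan --quick --output json", drops detections whose SHA-256 already appears in the config.yaml allowlist, and emits one JSON-lines event per remaining detection for a SIEM collector. The scan-results schema (a top-level "detections" list with "path", "sha256", "verdict" and "signature" fields), the host name and the sample data are all assumptions constructed for the example; adjust the field names to what your InstallSpy build actually writes. A detection with a missing or malformed digest is deliberately never matched against the allowlist, so a broken hash cannot silently suppress an alert.

```python
"""Triage InstallSpy JSON scan output against the config.yaml allowlist and
emit SIEM-ready JSON-lines events.

Added example, not InstallSpy's own code. ASSUMPTIONS: the scan-results
schema (top-level "detections" list whose items carry "path", "sha256",
"verdict" and "signature") is a guess based on the guide; the allowlist
layout is the one shown in section 5.
"""
import hashlib
import json
import re
from datetime import datetime, timezone

# Constructed sample standing in for `installspy scan --quick --output json`.
SAMPLE_RESULTS = json.dumps({
    "detections": [
        {"path": "/home/alice/Downloads/setup-a.exe", "sha256": "a" * 64,
         "verdict": "malicious", "signature": "Installer.Dropper.Generic"},
        {"path": "/home/bob/Downloads/setup-b.exe", "sha256": "b" * 64,
         "verdict": "suspicious", "signature": "Installer.Bundled.Adware"},
        # malformed digest: must still surface as an event
        {"path": "/home/carol/Downloads/setup-c.exe", "sha256": "",
         "verdict": "malicious", "signature": "Installer.Dropper.Generic"},
    ]
})

# Constructed config.yaml excerpt; the curly quotes mimic what a web editor
# pastes in, so the parser has to tolerate them.
SAMPLE_CONFIG = ("log_level: info\nallowlist:\n  - sha256: \u201c"
                 + "b" * 64 + "\u201d\n")

HASH_RE = re.compile(r'-\s*sha256:\s*["\u201c]?([0-9A-Fa-f]{64})["\u201d]?')
HEX64 = re.compile(r"[0-9a-f]{64}")


def load_allowlist(config_text: str) -> set:
    """Collect allowlisted SHA-256 digests from config.yaml text, lowercased
    and tolerant of straight or curly quotes around the value."""
    return {h.lower() for h in HASH_RE.findall(config_text)}


def allowlist_entry(path: str) -> str:
    """Hash a file you have verified is a false positive and return the
    allowlist line in the guide's format, using straight quotes so the YAML
    parser sees a plain string scalar."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return '  - sha256: "%s"' % digest.hexdigest()


def triage(results_json: str, allowlist: set,
           host: str = "HOST-PLACEHOLDER") -> list:
    """Return one event dict per detection the allowlist does not cover.
    Detections with a missing or malformed digest are kept and flagged."""
    data = json.loads(results_json)
    now = datetime.now(timezone.utc).isoformat()
    events = []
    for det in data.get("detections", []):
        digest = str(det.get("sha256", "")).lower()
        hash_ok = bool(HEX64.fullmatch(digest))
        if hash_ok and digest in allowlist:
            continue
        events.append({
            "timestamp": now,
            "host": host,
            "source": "installspy",
            "path": det.get("path"),
            "sha256": digest if hash_ok else None,
            "verdict": det.get("verdict", "unknown"),
            "signature": det.get("signature"),
            "hash_valid": hash_ok,
        })
    return events


def to_jsonl(events: list) -> str:
    """Serialise events one JSON object per line, the form most SIEM
    collectors accept via file tailing or HTTP ingest."""
    return "".join(json.dumps(e, sort_keys=True) + "\n" for e in events)


if __name__ == "__main__":
    # In practice read scan-results.json and /etc/installspy/config.yaml here.
    print(to_jsonl(triage(SAMPLE_RESULTS, load_allowlist(SAMPLE_CONFIG))))
```

Run it after a scan, pointing it at scan-results.json and your config.yaml, and forward its output to whatever your SIEM tails; the "hash_valid": false events are the ones worth a manual look before anyone considers allowlisting them.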

This setup gets InstallSpy running with basic protection in about 10 minutes.
