How Virus Scanning in Chocolatey Works
This article is part of a series on Chocolatey for the Enterprise, also available as a chapter in our free, downloadable eBook
Chocolatey is a self-service solution that works well in the enterprise. It also includes virus scanning of installers in scripts, important in self-service as it offers another layer of control and makes sure malicious software doesn’t end up on your network.
As Chocolatey packages are just scripts with no actual executable, it can be confusing how virus scanning works.
How exactly does Chocolatey scan packages, and is it any different from “traditional” system checks or anti-virus software?
More importantly, does it offer the same or even greater protection, especially for organizational use?
In this article, we’ll take a look at how Chocolatey handles virus scanning, as well as introduce some solutions to make it work for you in the enterprise.
Chocolatey and Virus Scanning
Typically, downloaded files are checked for viruses by the system or anti-virus software, but as Chocolatey packages are essentially just scripts, it doesn’t happen the same way.
Instead, software is checked at the Chocolatey.org server using “VirusTotal”, which scans the binaries against more than 50 anti-virus engines. If five or more engines report a detection, the Chocolatey CLI will fail the installation.
What’s more, community packages uploaded to chocolatey.org go through a moderation process.
This includes a virus scan that takes appropriate action based on the number of detections:
| Detections | Status | Action Needed |
|---|---|---|
| 1+ detections | Flagged | Considered safe, as chances are it’s a false positive |
| 5+ detections | Warning | Will need human moderation |
| 10+ detections | Error | Identified as potential malware, and will be sent back to the uploader |
Overall, Chocolatey scanning is pretty reliable. Not only does its multi-layered scanning minimize any false positives, but it’s all done at server level. This means you don’t have to do it all yourself.
Having said that, packages with “detections” rarely contain malware. Ideally, you should assess detections case-by-case to improve accuracy and reduce any alarm over false positives. This is why you should have your own private package repository.
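The thresholds above (1+ flagged, 5+ warning, 10+ error, and the CLI failing an install at 5+) are easy to get wrong when you reason about them by hand, so here is an added triage helper that applies them to a per-engine scan report and records the case-by-case assessment the text recommends. This is example code written for this page, not Chocolatey’s or ProGet’s own implementation; the report shape (engine name mapped to a detection label or None), the engine names and the installer bytes are all constructed for the example and are not VirusTotal’s real API format.

```python
import hashlib
from dataclasses import dataclass, field

# Thresholds as described on the page.
FLAGGED_AT = 1    # 1+ detections: flagged, usually a false positive
WARNING_AT = 5    # 5+ detections: warning, needs human moderation
ERROR_AT = 10     # 10+ detections: error, sent back to the uploader
CLI_FAIL_AT = 5   # the Chocolatey CLI fails the install at 5+ positives


@dataclass
class Triage:
    sha256: str
    positives: int
    total_engines: int
    status: str                      # "clean", "flagged", "warning" or "error"
    cli_would_fail: bool
    flagging_engines: list = field(default_factory=list)
    notes: list = field(default_factory=list)


def classify(positives: int) -> str:
    """Map a detection count onto the moderation status from the table."""
    if positives >= ERROR_AT:
        return "error"
    if positives >= WARNING_AT:
        return "warning"
    if positives >= FLAGGED_AT:
        return "flagged"
    return "clean"


def triage(installer: bytes, report: dict) -> Triage:
    """Combine the installer's hash with a per-engine report into one record.

    `report` maps engine name -> detection label, or None when the engine
    considered the file clean (constructed shape, see the lead-in).
    """
    digest = hashlib.sha256(installer).hexdigest()
    flagging = sorted(engine for engine, label in report.items() if label)
    positives = len(flagging)
    return Triage(
        sha256=digest,
        positives=positives,
        total_engines=len(report),
        status=classify(positives),
        cli_would_fail=positives >= CLI_FAIL_AT,
        flagging_engines=flagging,
    )


def assess(record: Triage, reviewer: str, comment: str) -> Triage:
    """Append a reviewer comment so the case-by-case decision is kept
    alongside the scan result instead of being lost after the review."""
    record.notes.append(f"{reviewer}: {comment}")
    return record


def build_sample_report(detections: dict, clean_engines: int) -> dict:
    """Construct a sample report: the given detections plus N clean engines."""
    report = {f"ConstructedEngine{i:02d}": None for i in range(clean_engines)}
    report.update(detections)
    return report


# Constructed sample data: a fake installer and a report from 55 engines,
# three of which raised a generic heuristic detection.
SAMPLE_INSTALLER = b"MZ\x90\x00constructed-installer-bytes-for-the-example"
SAMPLE_REPORT = build_sample_report(
    {"EngineA": "Heur.Generic", "EngineB": "Suspicious.Packed", "EngineC": "PUA.Installer"},
    clean_engines=52,
)

if __name__ == "__main__":
    record = triage(SAMPLE_INSTALLER, SAMPLE_REPORT)
    assess(record, "reviewer", "Generic heuristic hits only; installer is the vendor build. Approved.")
    print(record)
```

With three positives out of 55 engines the record comes back as `flagged` and `cli_would_fail` is `False`; the same report with six detections would be a `warning` that the CLI would refuse to install, which is exactly the point at which the private-repository review described later in the article pays off.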

Chocolatey with a Private Package Repository
If you’re using Chocolatey in your organization, having a private package repository like ProGet is already a good idea. However, added to the other benefits is better virus management.
Any “detections” in Chocolatey show up as vulnerabilities in ProGet:

This gives you better visibility into any vulnerabilities and allows you to assess them case by case, blocking if you need to. You can also log comments to keep a record of the assessments you perform:

Viruses vs Vulnerabilities
Detected viruses in Chocolatey packages show up as vulnerabilities in ProGet. This isn’t meant to imply they are the same thing. They aren’t, and it’s important to understand the difference:
- Vulnerabilities: Exploitable weaknesses in software that are not inherently malicious.
- Viruses: Maliciously added code designed to cause harm.
While ProGet is inherently designed as a vulnerability scanner, having viruses show up this way gives you the power to assess them case by case. Chocolatey flags potential malware, but actual malware in packages is extremely rare.
Use Chocolatey with ProGet for the Enterprise
Virus scanning is a critical aspect of a secure, self-service environment. Chocolatey’s virus scanning offers an additional layer of security. It scans with “VirusTotal” against over 50 anti-virus engines, all done at the server, so you don’t have to scan locally.
Integrating Chocolatey with ProGet as a private repository will let you assess virus detections individually, giving you a more controlled approach to managing Chocolatey packages in your organization.
This was a lot of information to take in, and I would recommend taking notes for future reference. Better yet, download a copy of our free eBook Chocolatey for the Enterprise. Aside from everything on this page, you can also learn about versioning, automating your deployments, package internalization, and more. For more on making Chocolatey work for you in the enterprise, sign up for your free copy today!