If you’ve just downloaded a file to your computer, how do you know whether it’s safe to run? Many malicious files these days are designed to look harmless precisely so that you will run them. As soon as you do, they get on with their real purpose: infecting your computer, stealing your passwords and credit card details, or other tasks which I can promise you won’t enjoy. So how can you tell these files apart from legitimate ones? It may sound like a very difficult task, but it is surprisingly little work. Below are three methods you can use to check a file. Most take only a few minutes of your time, and since the analysis runs on someone else's servers they won’t slow down your computer at all.
The first thing to do when checking whether a file is dangerous is to find out whether any antivirus products (AVs) detect it as such. The best way is to upload the file to a site that scans it with many AV engines at once. One of the best sites for this is VirusTotal. It scans your file with over 40 engines and shows each engine's result separately, and the whole process usually takes under a minute. Files up to 20 MB in size can be uploaded. Interpreting the results takes some judgement, but if a significant number of engines flag the file, it is probably malicious. Pay attention to which engines detect it and what they call it, not just to the count. Below are two examples of results for files that are indeed malicious.
The downside of VirusTotal is that new malware appears so quickly that, to keep up, AV vendors have to rely on heuristic detections and generic signatures. These can wrongly identify a legitimate file as malicious, which is known as a false positive. If only one or two AVs flag a file, their detections are heuristic or generic (names containing words such as "Heur", "Gen" or "Suspicious"), and the other AVs find nothing, it is likely a false positive. If your own AV is the one that detects it, report it to that vendor as a false positive. Most AV vendors describe the procedure on their website or in the help that comes with the program. In case you don’t want to search for it, a comprehensive list of where to report false positives and suspicious files is given on this page along with other useful information. Below are two examples of legitimate files that VirusTotal engines are incorrectly identifying as dangerous.
There are a few cases in which several AVs may detect a legitimate file as dangerous. One of the most common is that the file performs an action routinely seen in malware (for example, unpacking itself in memory or changing what runs at startup) but for a legitimate purpose, which trips heuristic detection. Another is a generic signature: these look for pieces of code very similar to those found in known malware, and small pieces of legitimate code can resemble them, so a legitimate file gets marked as malware. Yet another is that AV companies share samples and detections with each other, so once one vendor flags a file, others may quickly follow, and a single false positive can spread across several engines.
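The reasoning in the last three paragraphs, how many engines agree and whether their detection names are specific family names or heuristic/generic labels, can be written down as a small triage routine. The following is an added example, not code from the original article or from VirusTotal: the engine names, detection strings, generic-name markers and thresholds are all constructed, and real results would need the same kind of judgement the text describes.

```python
"""Triage a multi-engine scan result the way the text describes: count how many
engines flag the file, and separate specific family names from heuristic or
generic detections. Example code added to this page; the engine names,
detection strings and thresholds are constructed and are not VirusTotal output.
"""
import hashlib
import re

# Name fragments vendors commonly use for heuristic/generic detections
# (assumption: illustrative list, not exhaustive, not vendor-specific).
GENERIC_MARKERS = re.compile(
    r"(heur|generic|gen\b|suspicious|susp\b|packed|artemis|unsafe|risk|"
    r"not-a-virus|unwanted|crypt|agent)",
    re.IGNORECASE,
)

# Constructed list of engines standing in for the 40+ that VirusTotal runs.
ENGINES = [f"AV-{c}" for c in "ABCDEFGHIJKL"]


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path):
    """Hash the file first: a known digest can be looked up without uploading."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def is_generic(detection):
    """True if the name looks heuristic/generic rather than a family name."""
    return bool(GENERIC_MARKERS.search(detection))


def triage(results, malicious_ratio=0.3, specific_min=2, fp_max=2):
    """results: {engine: detection name or None}.  Thresholds are assumptions.

    Returns (verdict, details) where verdict is one of:
      'no detections'            nothing flagged it
      'likely malicious'         a significant share of engines agree, or at
                                 least `specific_min` engines name a family
      'probable false positive'  at most `fp_max` hits, all heuristic/generic
      'inconclusive'             anything else: keep investigating
    """
    hits = {e: d for e, d in results.items() if d}
    specific = {e: d for e, d in hits.items() if not is_generic(d)}
    generic = {e: d for e, d in hits.items() if is_generic(d)}
    details = {
        "engines": len(results), "hits": len(hits),
        "ratio": round(len(hits) / len(results), 3) if results else 0.0,
        "specific": specific, "generic": generic,
    }
    if not hits:
        return "no detections", details
    if details["ratio"] >= malicious_ratio or len(specific) >= specific_min:
        return "likely malicious", details
    if len(hits) <= fp_max and not specific:
        return "probable false positive", details
    return "inconclusive", details


def report(detections):
    """Build a full result set: engines not listed returned no detection."""
    return {e: detections.get(e) for e in ENGINES}


# Constructed sample scan results (not real scan output).
MALICIOUS_SAMPLE = report({
    "AV-A": "Trojan.Win32.Sample.a", "AV-B": "Heur.Trojan.Generic",
    "AV-C": "Win32/Sample.A", "AV-E": "TR/Crypt.XPACK.Gen",
    "AV-F": "Trojan:Win32/Sample", "AV-H": "Gen:Variant.Sample.1",
    "AV-I": "Trojan-Downloader.Win32.Agent.x", "AV-K": "W32/Sample.B!tr",
    "AV-L": "Artemis!3A2B1C4D",
})
FALSE_POSITIVE_SAMPLE = report({
    "AV-B": "Heur.Suspicious.Packed", "AV-E": "Gen:Suspicious.Cloud.2",
})
MIXED_SAMPLE = report({
    "AV-B": "Heur.Suspicious.Packed", "AV-E": "Gen:Suspicious.Cloud.2",
    "AV-I": "Trojan.Win32.Sample.a",
})

if __name__ == "__main__":
    for name, sample in [("malicious", MALICIOUS_SAMPLE),
                         ("false positive", FALSE_POSITIVE_SAMPLE),
                         ("mixed", MIXED_SAMPLE)]:
        v, d = triage(sample)
        print(f"{name:>15}: {v} ({d['hits']}/{d['engines']} engines, "
              f"{len(d['specific'])} specific, {len(d['generic'])} generic)")
    print("sha256 of this script:", sha256_file(__file__))
```

Hashing first is worth the extra line: if the digest is already known to the scanning site you get the existing results without uploading anything. The "mixed" sample shows why the count alone is not enough: three hits out of twelve is neither a clear consensus nor obviously a heuristic slip, so the routine refuses to call it either way and leaves the decision to the behavioral checks that follow.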
Besides checking whether any AVs currently detect the file, it is also a good idea to check whether the file's behavior seems malicious. A number of websites will run a file in an isolated environment, record what it does and give you their opinion on whether it might be malicious. Two of the easiest to use and understand are Comodo Instant Malware Analysis (CIMA) and ThreatExpert. The latter is maintained and operated by PCTools.
CIMA displays the results as soon as its analysis finishes, which can take anywhere from one to five minutes depending largely on how long the file itself runs. There is no limit on the size of the file you can upload. The verdict is given near the end of the report. If the “Auto Analysis Verdict” is “undetected”, it found no suspicious activity in the file's behavior. The verdict can also be Suspicious, Suspicious+ or Suspicious++, meaning that suspicious behavior was found, with Suspicious++ being the most suspicious; the reasons are listed directly below the verdict. Below are examples of one file that was undetected and one that was found to be Suspicious++.
ThreatExpert emails you the results, usually within ten minutes of upload. The maximum file size you can upload is 5 MB. If it finds the file's behavior malicious, the report will have a box called “Summary of the findings” near the top, listing the behaviors it found suspicious and how severe it considers each one to be. Below are examples for two malicious files.
The response time of both services varies with the complexity of the file and the load on their servers. You can also scroll through the detailed report to learn more about exactly what the file did while it ran. Advanced users should also check out Anubis, which provides much more information about the file's behavior but may be hard for some users to interpret. It generally takes a few minutes to analyze a file, but can take much longer under heavy load. Anubis also gives a verdict on whether the file is suspicious, but I find it to be less reliable than that of CIMA or ThreatExpert. Remember that none of these services is 100% accurate: legitimate files can be flagged as suspicious, and dangerous malware may not be caught. In particular, some malware checks whether it is running in a virtual machine and, if so, simply does nothing, so a sandbox report showing no activity at all is not proof that the file is harmless. Bear this in mind when reading the results.
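The way a behavioral report turns into a verdict, and the trap of reading "nothing happened" as "clean", can be shown with a small scorer over a sandbox-style event list. This is an added example rather than the article's own material, and it does not reproduce how CIMA, ThreatExpert or Anubis work: the JSON report shape, the behavior categories, the point weights and the thresholds are all constructed, and the verdict ladder only borrows CIMA's labels for readability.

```python
"""Turn a behavioural sandbox report into a verdict, including the failure mode
the text warns about: a sample that probes for a virtual machine and then does
nothing. Example code added to this page; the report format, weights and
thresholds are constructed and do not reproduce how CIMA, ThreatExpert or
Anubis score a file.
"""
import json
from dataclasses import dataclass

# Points per behaviour category (assumption: illustrative weights).
WEIGHTS = {
    "autostart_registry": 3,  # Run/RunOnce key pointing at a dropped file
    "drop_executable": 2,     # writes an executable into a system/startup path
    "process_injection": 4,   # writes code into another process's memory
    "disable_security": 4,    # stops AV/firewall services or edits their policy
    "network_connect": 1,     # outbound connection to a non-local host
    "self_delete": 2,         # removes its own file after running
    "vm_check": 2,            # reads virtualization artefacts (CPUID, vendor strings)
}
# Categories that change nothing on the host; a run made only of these is "quiet".
PASSIVE = {"file_read", "registry_read", "vm_check"}
MIN_RUNTIME_S = 2.0   # assumption: a real payload rarely finishes this fast


@dataclass
class Verdict:
    level: str        # undetected, Suspicious, Suspicious+, Suspicious++, inconclusive
    reason: str
    triggered: list   # weighted categories observed, sorted


def load_report(text):
    """Parse a report in the constructed JSON shape used by the samples below."""
    return json.loads(text)


def verdict(report):
    cats = [e["category"] for e in report["events"]]
    active = [c for c in cats if c not in PASSIVE]
    triggered = sorted(c for c in set(cats) if WEIGHTS.get(c, 0) > 0)
    total = sum(WEIGHTS.get(c, 0) for c in cats)

    # A quiet run is not automatically a clean run: ask why nothing happened.
    if not active:
        if "vm_check" in cats:
            return Verdict("inconclusive",
                           "probed for a virtual machine and then did nothing; "
                           "likely sandbox evasion, treat as hostile until run elsewhere",
                           triggered)
        if report["runtime_seconds"] < MIN_RUNTIME_S:
            return Verdict("inconclusive",
                           "exited almost immediately with no activity", triggered)
        return Verdict("undetected", "no suspicious behaviour observed", triggered)

    if total == 0:
        return Verdict("undetected", "only ordinary file activity", triggered)
    level = "Suspicious" if total <= 3 else "Suspicious+" if total <= 7 else "Suspicious++"
    return Verdict(level, f"{total} points from: {', '.join(triggered)}", triggered)


# Constructed sample reports (not output of any real sandbox).
CLEAN_REPORT = """{"sample": "setup_tool.exe", "runtime_seconds": 25.1, "events": [
  {"t": 0.2, "category": "file_read",     "detail": "reads its own settings file"},
  {"t": 0.3, "category": "registry_read", "detail": "reads its own settings key"},
  {"t": 1.1, "category": "file_write",    "detail": "writes a log file to %TEMP%"}]}"""
MILD_REPORT = """{"sample": "updater.exe", "runtime_seconds": 30.4, "events": [
  {"t": 0.5, "category": "network_connect", "detail": "HTTPS to update host"},
  {"t": 2.0, "category": "file_write",      "detail": "saves downloaded file"}]}"""
MALICIOUS_REPORT = """{"sample": "invoice.exe", "runtime_seconds": 12.3, "events": [
  {"t": 0.1, "category": "file_read",          "detail": "reads itself"},
  {"t": 0.4, "category": "drop_executable",    "detail": "writes EXE to %APPDATA%"},
  {"t": 0.5, "category": "autostart_registry", "detail": "adds Run key for it"},
  {"t": 1.2, "category": "process_injection",  "detail": "writes into browser process"},
  {"t": 3.0, "category": "network_connect",    "detail": "TCP to remote host"},
  {"t": 9.8, "category": "self_delete",        "detail": "deletes original file"}]}"""
EVASIVE_REPORT = """{"sample": "photo.scr", "runtime_seconds": 0.6, "events": [
  {"t": 0.1, "category": "vm_check",      "detail": "CPUID hypervisor bit, VM vendor strings"},
  {"t": 0.2, "category": "registry_read", "detail": "looks for VM guest tools"}]}"""

if __name__ == "__main__":
    for text in (CLEAN_REPORT, MILD_REPORT, MALICIOUS_REPORT, EVASIVE_REPORT):
        r = load_report(text)
        v = verdict(r)
        print(f"{r['sample']:>12}: {v.level:<13} {v.reason}")
```

The point of the "inconclusive" branch is the caveat above: a sample that looks for virtualization artefacts and then exits has told you more than a sample that did nothing, and a report with an empty findings box should be read as "not observed", never as "not malicious".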
The surest way to check whether a file is malicious is to submit it to an AV vendor for analysis. The drawback is that you have to wait for their response, so it does not give you the information needed for a quick decision. Some vendors email you the results of the analysis; a few of the most notable are Avira AntiVir, Kaspersky and McAfee, and with these you will usually receive a response within a few hours.
It is generally best to rely on more than one of these methods before deciding whether a file is malicious. If any of them finds the file suspicious, report it to your own AV vendor as suspicious: if the file is dangerous, it will then be detected and you will be protected from it in the future.
There is currently no 100% certain way to know whether a file is malicious, but by following the methods discussed on this page you should have enough information to make a well-informed decision.
Credit to Chiros @ TSAlert for this kick ass article!