Purpose of this page
Outline a straightforward process that will help you decide whether or not to open a file. The file could be an email attachment, a file you've downloaded, or any other file. In addition, show how to do it without endangering your machine or your private information if you decided wrong.
Myth
False: If you download a file that contains a virus or worm to your hard drive, it will damage your computer.
Truth: No, not really. It's a hazardous situation, but nothing will ever happen unless the file is activated. The file must be accessed in a particular way to activate the hostile code. If the file is never accessed in that specific way, the hostile code will just sit there quietly on your hard drive. Keep that fact in mind as we proceed.
Basic principles
There are three useful file categories -- "Executable", "Exploitable" and "Inactive" -- when you're working in a security context. Either of the first two can easily contain hostile code. They can have "active" content, meaning that Windows will enable whatever action they're designed to take. Obviously the action could be hostile, and that's why it's so important to handle them in a safe manner.
However, there's now a fine line between inactive and exploitable files. For example, digital picture, music and video files have generally been considered safe. However, it's possible to embed malicious content in these media file types. That changes the whole game.
The enabling element is powerful media software -- Windows Media Player, RealOne, WinAmp, etc. They're virtually an operating system within the Windows operating system. That means there's lots of power there to exploit. For example, hostile content in MP3 files can enter through a flaw in older versions of WinAmp, and allow attackers to run any code they please on computers running the unpatched versions. [demonstration]
So it's really the programs you use -- your browser, email client, media player, Word, etc. -- that determine if a file could be hazardous. If you insist on working with files that could have malicious content, you need to find ways to open them that won't activate malicious content. One way is to use an alternative program to open the file -- something other than the "registered" one that Windows uses automagically -- because that's the one the attackers will target.
What activates malicious content? If it's an executable file, for example "badnews.exe" or "nasty.pif", the malicious action will take place when you "open" the file. If you double-click the file icon, right-click it and choose "open", or click "OK" when a dialog box asks if it's OK to open the file, it's immediately executed and the damage is done.
Safe file handling -- validate files
Preparing to validate attachments
Getting ready to get ready
- Do you know for sure that the message and attachment came from a source you absolutely trust? If not, go back and validate the message per Part 2, Handling attachments safely. You may end up discarding the message with its attachment at that point.
Almost ready to get ready
Attachments are an integral part of message files. The next step in getting ready is to separate them. You don't want your email client (Outlook Express?) to open the dubious attachment directly. When the client asks Windows to open the file, Windows will use the program that's registered to open that file type. You want to avoid that, because it's exactly the program that would activate any malicious content in that file type. We'll do that by saving them to our hard drive. Remember the myth that I debunked at the beginning?
Ready to get ready
- "Open" the message to gain access to the attachment. When the message opens, the link(s) to any attached file(s) will appear somewhere in the message window. The icon(s) and the file name(s) should appear as well.
- Mucho importante: Examine the file names, using the process to Unmask Exploitable Files. If the file still appears to be legitimate, return here and proceed to Step 4. If you discover a masquerade, close the message and delete it. If this is the first time you've tried this process you may need to change some system settings first. They're covered on that page as well.
- Right-click the icon(s). Do not choose "Open". Instead, choose "Save as...", and then save the file in a folder where you can find it again. Now you're ready to process the attachment the same way you would process any other file.
Ready
- Proceed down the page to Validating files that you think you can trust, or to Inspecting files that you don't fully trust, depending on the status you assigned when you evaluated the message and its attachment.
Preparing to validate downloaded files
Attachments are not the only way that malicious files are spread. Executable files from questionable sources often contain hostile code. Malicious code can be embedded in exploitable files that you might download too -- digital music, images or videos. Infected files spread mainly through file sharing networks and tricky Web sites. With that in mind...
- Make sure that you trust the source of any file that you download. That's the only remaining perimeter defense you have against hostile files you've accidentally downloaded. Before you download a file, apply the source validation rules that are defined on the Download page. Then you'll be ready for the next big step -- working with the file (directly below).
- Mucho importante: When you download the file(s), examine the file name(s), using the process to Unmask Exploitable Files. If the file(s) appear to be legitimate, come back here and proceed to Step 3. If you uncover a dirty trick, delete the file(s). If this is the first time you've tried this process you may need to change some system settings first. They're covered on that page as well.
- Proceed down the page to Validating files that you think you can trust, or to Inspecting files that you don't fully trust, depending on the status you assigned when you evaluated the file.
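The three categories from Basic principles, and the file-name check that the "examine the file names" steps for attachments and downloads send you to the Unmask page for, can be put into a small script. This is an added example, not code from the page: the extension lists beyond .exe and .pif are assumed, and displayed_name() simulates the Windows "Hide extensions for known file types" setting, which I assume is the system setting those steps refer to.

```python
import re

# Assumed extension lists: the page itself names only .exe and .pif as
# executable and MP3, picture, video and Word files as exploitable; the
# other entries are common Windows types of the same kind, added here.
EXECUTABLE = {"exe", "com", "pif", "scr", "bat", "cmd", "vbs", "js", "msi"}
EXPLOITABLE = {"mp3", "wma", "jpg", "jpeg", "gif", "avi", "mpg", "doc", "xls", "pdf"}
INACTIVE = {"txt"}
KNOWN = EXECUTABLE | EXPLOITABLE | INACTIVE


def category(ext):
    """Map an extension to the page's three categories (or Unknown)."""
    if ext in EXECUTABLE:
        return "Executable"
    if ext in EXPLOITABLE:
        return "Exploitable"
    return "Inactive" if ext in INACTIVE else "Unknown"


def real_extension(name):
    """The extension Windows acts on: the last one, after the trailing
    spaces and dots that Win32 drops from file names are removed."""
    parts = name.rstrip(" .").lower().split(".")
    return parts[-1] if len(parts) > 1 else ""


def displayed_name(name):
    """Assumed simulation of Explorer with 'Hide extensions for known
    file types' on: a registered last extension disappears from view."""
    base, ext = name.rstrip(" ."), real_extension(name)
    return base[: -len(ext) - 1] if ext in KNOWN else base


def unmask(name):
    """Classify a file name by what would really open it, and list the
    naming tricks that make it look more harmless than it is."""
    ext, parts = real_extension(name), name.rstrip(" .").lower().split(".")
    cat, warnings = category(ext), []
    if len(parts) > 2:
        decoy = parts[-2].strip()  # "photo.jpg   .exe" -> decoy "jpg"
        if category(decoy) not in ("Unknown", cat):
            warnings.append(f"double extension: looks like .{decoy}, opens as .{ext}")
    if re.search(r"\.\w+\s{2,}\.\w+$", name.rstrip(" .")):
        warnings.append("whitespace padding pushes the real extension out of view")
    if cat == "Executable":
        warnings.append("'opening' this file runs it")
    return {"shown_as": displayed_name(name), "opens_as": ext,
            "category": cat, "warnings": warnings}
```

Run unmask() over each attachment or download name before deciding what to do with it; a non-empty warnings list is the "masquerade" the steps above tell you to delete.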
Validating files that you think you can trust
These steps are precautions that the prudent cybernaut will want to take even for trusted files. Don't let the apparent validity of files tempt you to take shortcuts.
- First check: Do you know for sure that the file came from a source you absolutely trust? If not, go back and validate the source of the file. The validation rules in Software Download will tell you how. If you are already sure, proceed to the second check below. This check applies doubly to attachments. Go back to Part 2, Handling attachments safely, if you haven't validated the source of the attachment. If you already made sure, proceed to the second check below.
- Second check: Have you determined that the file is what it claims to be? If you've already checked, proceed to Step 3. If not, go back and check the file. The information on the page titled Unmask Exploitable Files will help. You may end up discarding the file.
- Continue: OK, you and the file have made it to here. Continue carefully, as outlined in the steps below, even if you are now sure you trust the file. If you don't fully trust the file at this point, skip down to the next section: Inspecting files that you don't fully trust.
- Scan all files for viruses before you open them -- no matter what the source.
- Scan all files for worms and other malware before you open them -- no matter what the source.
- If you have the software, scan all files for Trojans before you open them -- no matter what the source.
- This final step applies to a special situation. There's a lot happening to your machine when you install a program. Make sure you have a current backup of your documents, and preferably your operating system, before you install any software, downloaded or not. Otherwise, it will be way too late to back up when (not if) something goes horribly wrong.
Inspecting files that you don't fully trust
The secret to safely opening files that you don't trust is to control how they're opened instead of letting Windows do it automagically. Windows will pick exactly the wrong program -- the one that is most likely to activate the hostile content. To avoid that, never double-click (or right-click & open) the file in your email client or Windows Explorer.
Our strategy will be to pick a program that will ignore any hostile content, and then use that program [via File > Open... in the menu] to open the file. These instructions apply only to the file types listed in the safe programs table. Never, ever open an executable file if you aren't already sure it is OK.
- Scan the file with your antivirus program, and if you have it, your anti-malware and anti-Trojan software. If it passes these tests, proceed to step 2.
- Pick a program from the list that you can open the file with safely. Open just the program first.
- Now, open the file, using the program's menu [Click File > Open... > Navigate to the file location > select the file > click "Open"].
- If the program does not (cannot) open the file, become very suspicious. You probably should jettison the file at this point. It's not worth the level of risk that's now evident.
- If the file opens, you may be able to read or copy some of the contents, view the image, hear the sound or whatever is relevant for that type of file. That still doesn't mean you can trust the file, but you now have more information to help you decide what to do next.
- Decide at this point if you want to investigate the file further. If not, delete the file (along with the message it came with if the file was an attachment). If you do go further, you're on your own dude.
"Sandboxes" are another way to work more safely with attachments and downloaded files. I've had some experience with BlackICE, and it seemed to be quite watchful. If you really can't be bothered with the process outlined above, a sandbox is probably a good alternative. They would certainly provide a good safety net.
Some firewalls, antivirus programs, anti-malware programs and other special programs create a safe zone, often called a sandbox. When you open a file in a sandbox, the software keeps a close eye on what happens, and if it's questionable, the action is blocked. Some of the better ones actually create a "virtual computer" within your computer, which is disposed of if any damage occurs. [Finjan] [BlackICE] [Tiny]