Purpose of this page
Outline a straightforward process
help you decide if you're going
to open a
file or not. The file could be
an email attachment,
a file you've downloaded, or
any other file.
In addition show how to do it
your machine or your private
if you decided wrong.
False: If you download a file that contains
a virus or worm to your hard drive, it will
damage your computer.
Truth: No, not really. It's a hazardous situation,
but nothing will ever happen unless the file
is activated. The file must be accessed in a particular way to activate the hostile code. If the file
is never accessed in that specific way the
hostile code will just sit there quietly
on your hard drive. Keep that fact in mind as we proceed.
There are three file useful categories --
and "Inactive" -- when you're working
in a security context. Either of the first
two can easily contain hostile code. They
can have "active" content, meaning
that Windows will enable whatever action
they're designed to take. Obviously the action
could be hostile and that's why it's so important
to handle them in a safe manner.
However, there's now a fine line between
inactive and exploitable files. For example,
digital picture, music and video files have
generally been considered safe. However,
it's possible to embed malicious content
in these media file types. That changes the
The enabling element is powerful media software
-- Windows Media Player, RealOne, WinAmp,
etc. They're virtually an operating system
within the Windows operating system. That
means there's lots of power there to exploit.
For example, hostile content in MP3 files can enter through a flaw in older versions
of WinAmp, and allow attackers to run any
code they please on computers running the
unpatched versions. [demonstration]
So it's really the programs you use -- your
browser, email client, media player, Word,
etc. -- that determine if a file could be
hazardous. If you insist on working with
files that could have malicious content,
you need to find ways to open them that won't
activate malicious content. One way is to
use an alternative program to open the file
-- something other than the "registered"
one that Windows uses automagically -- because
that's the one the attackers will target.
What activates malicious content? If it's
an executable file, for example, "badnews.exe"
or "nasty.pif", the malicious action
will take place when you "open"
the file. If you double-click the file icon,
right-click it and choose "open",
or if you click "OK" when a dialog
box asks if it's OK to open the file, it's
immediately executed and the damage is done.
Safe file handling -- validate files
Preparing to validate attachments
Getting ready to get ready
Almost ready to get ready
- Do you know for sure that the message and attachment came from
a source you absolutely trust? If not, go back and validate the message
per Part 2, Handling attachments safely. You may end up discarding the message with
its attachment at that point.
Attachments are an integral part of message
files. The next step in getting ready is
to separate them. You don't want your email
client (Outlook Express?) to open the dubious
attachment directly. When the client asks
Windows to open the file, Windows will use
the program that's registered to open that
file type. You want to avoid that, because
it's exactly the program that would activate
any malicious content in that file type.
We'll do that by saving them to our hard
drive. Remember the myth that I debunked at the
Ready to get ready
- "Open" the message to gain access to the attachment. When the
message opens, the link(s)
to any attached
file(s) will appear somewhere
in the message
window. The icon(s), and the
should appear as well.
Mucho importante: Examine the file names,
using the process to Unmask Exploitable Files. If the file still appears to be legitimate,
return here and proceed to Step 4. If you
discover a masquerade, close the message
and delete it. If this is the first time you've tried this
process you may need to change some system
settings first. They're covered on that page
Right-click the icon(s). Do not choose "Open" Instead, choose
"Save as...", and then save the file in a folder
where you can find it again. Now you're ready
to process the attachment the same way you
would process any other file.
- Proceed down the page to Validating files that you think you can trust, or to Inspecting files that you don't fully trust, depending on the status you assigned when
you evaluated the message and its attachment.
Preparing to validate downloaded files
Attachments are not the only way that malicious
files are spread. Executable files from questionable
sources often contain hostile code. Malicious
code can be embedded in exploitable files
that you might download too -- digital music,
images or videos. Infected files spread mainly through file
sharing networks and tricky Web sites.
With that in mind...
Make sure that you trust the source of any file that you download. That's the
only remaining perimeter defense you have against hostile files you've accidently
downloaded. Before you download a file, apply
the source validation rules that are defined on the Download page. Then
you'll be ready for the next big step --
working with the file (directly below).
Mucho importante: When you download the file(s)
examine the file name(s), using the process
to Unmask Exploitable Files. If the file(s) appears to be legitimate,
come back here and proceed to Step 3. If
you uncover a dirty trick, delete the file(s).
If this is the first time you've tried this
process you may need to change some system
settings first. They're covered on that page
Proceed down the page to Validating files that you think you can trust, or to Inspecting files that you don't fully trust, depending on the status you assigned when
you evaluated the file.
Validating files that you think you can trust
These steps are precautions that the prudent
cybernaut will want to take even for trusted
files. Don't let the apparent validity of files tempt you to take shortcuts.
- First check: Do you know for sure that the file came from a source you absolutely trust? If not, go back and validate the source
of file. The validation rules in Software Download will tell you how. If you are already sure, proceed to the second
This check applies doubly to attachments.
Go back to Part 2, Handling attachments safely, if you haven't validated the source of
the attachment. If you already made sure, proceed to the
second check below.
- Second check: Have you determined that the file is what
it claims to be? If you've already checked,
proceed to Step 3. If not, go back and check
the file. The information on the page titled
Unmask Exploitable Files will help. You may end up discarding the
- Continue: OK, you and the file have made it to here.
Continue carefully, as outlined in the steps
below, even if you now are sure you trust
the file. If you don't fully trust the file at this
point, skip down to the next section: Inspecting files that you don't fully trust.
- Scan all files for viruses before you open them -- no matter what the
- Scan all files for worms and other malware before you open them -- no matter what the
- If you have the software, scan all files for Trojans before you open them -- no matter what the
- This final step applies to a special situation.
There's a lot happening to your machine when
you install a program. Make sure you have
a current backup of your documents and preferably your operating system before you install any software, downloaded or not. Otherwise, it will be way to late to back
up when (not if) something goes horribly
Inspecting files that you don't fully trust
The secret to safely opening files that you
don't trust is to control how they're opened
instead of letting Windows doing it automagically.
Windows will pick exactly the wrong program
-- the one that is most likely to activate
the hostile content. To avoid that, never
double-click (or right-click & open)
the file in your email client or Windows
Our strategy will be to pick a program that
will ignore any hostile content, and then
use that program [via File > Open... in
the menu] to open the file. These instructions
apply only to the file types listed in the safe programs table. Never, ever open an executable file if you aren't already sure it is OK.
- Scan the file with your antivirus program,
and if you have it, your anti-malware and
anti-Trojan software. If it passes these
tests, proceed to step 2.
- Pick a program from the list that you can open the file with safely. Open just the program first.
- Now, open the file, using the program's menu [Click File > Open... > Navigate to
the file location > select the file >
"Sandboxes" are another
work more safely with attachments
files. I've had some experience
and it seemed to be quite watchful.
really can't be bothered with
outlined above, a sandbox is
probably a good
alternative. They would certainly
a good safety net.
- If the program does not (cannot) open the
file, become very suspicious. You probably should jettison
the file at this point. It's
not worth the
level of risk that's now evident.
- If the file opens, you may be able to read
or copy some of the contents, view the image,
hear the sound or whatever is relevant for
that type of file. That still doesn't mean you can trust the
file, but you now have more information to
help you decide what to do next.
- Decide at this point if you want to investigate
the file further. If not, delete the file
(along with the message it came with if the
file was an attachment). If you do go further, you're on your own
Some firewalls, antivirus programs, anti-malware
programs and other special programs create
a safe zone, often called a sandbox. When
you open a file in a sandbox, the software
keeps a close eye on what happens, and if
it's questionable, the action is blocked.
Some of the better ones actually create a
"virtual computer" within your
computer, which is disposed if any damage
occurs. [Finjan] [BlackICE] [Tiny]