Handling Files and Attachments Safely (Beta)

<<-- Email-Security Start Page

Basic principles

Executable files are obviously exploitable. Open "pamela.exe" and you're bound to have trouble. There's a much broader category of files that are "exploitable", and it is growing. For example, image, music and video files were once perfectly safe. Attackers have now learned how to embed malicious content in these media file types. That changes the whole game.

Windows Media Player, RealOne, WinAmp, etc., are virtually an operating system within the Windows operating system. That means there's lots of power there to turn against you. For example, hostile content in MP3 files can enter through a flaw in older versions of WinAmp, and allow attackers to run any code they please on computers running the unpatched versions. [demonstration]

Unfortunately, like email, instant messaging, file sharing and web page scripts, podcasts have enabled yet another vector, i.e., a way for bandits to attack your computer. For now, I'll point you to some information that Brian Livingston has about avoiding the threat.

The program you use -- browser -- email client -- media player -- Microsoft Word -- is what activates exploitable files. To work with them safely, you need to open exploitable files with safe programs. Not the one that Windows uses automagically. That's the program attackers will target.

Executable files, on the other hand, "citekitty.exe" or "message.pif" for example, take action the moment you "open" the file. There is no waiting or helper program involved. If you double-click the file icon, right-click it and choose "Open", or click "OK" when a dialog box opens, your PC is toast if the file is malicious.

PCWorld.com - Windows Tips: "The Safest Way to Run Suspicious Programs" -- good for that attachment you're just dying to run but don't completely trust.
http://www.pcworld.com/howto/article/0,aid,125187,00.asp#

Validating Attachments

"Check That File Safely" at PC Magazine is an illustrated version of these instructions. It is part of a very complete series of articles about online security.

Getting ready

  1. Do you know for sure that the message and attachment came from a source you absolutely trust? If not, go back and validate the message. (You just may end up discarding the whole message at that point.)

Almost ready

Attachments are an integral part of email messages. You never want your email client (Outlook Express?) to open dubious attachments directly. That is the most likely way to activate malicious content. The next step in the process is to separate the attachment from the message. Then you'll have control of what happens.

  2. "Open" the message to gain access to the attachment. Links or icons for the attached file(s) will appear somewhere in the message window.
  3. Mucho importante: Examine the file names, using the Unmask Exploitable Files page. If the file still appears to be legitimate, return here and proceed to Step 4. If you discover a masquerade, close the message and delete it. If this is the first time you've tried this process you may need to change some system settings first. They're covered on that page as well.
  4. "Right-click" the link(s) or icon(s). Do not choose "Open". Choose "Save as...", and save the file in a folder where you can find it again. Now you're ready to process the attachment.

Now you're ready

  5. Proceed down the page to the next steps.

Validating files that you think you can trust

Several nice online scanning services are beginning to appear on the Web. I've noted a few that are reputable. They can help you make sure that you're not dealing with a malicious file or website.

These steps are precautions that the prudent cybernaut will take even for trusted files. Don't let the apparent validity of files tempt you to take shortcuts.
  1. First check: Do you know for sure that the file came from an absolutely trustworthy source? If not, go back and validate the source of file. The validation rules in Software Download will tell you how. If you are already sure, proceed to the second check below. This first check applies doubly to attachments. Go back to Part 2, Handling attachments safely, if you haven't validated the source of the attachment.
  2. Second check: Make sure the file is what it says it is. The information on the page titled Unmask Exploitable Files will help. You may end up discarding the file at this point.
  3. Continue: OK, you and the file have made it here. Continue carefully, as outlined in the steps below. If you don't fully trust the file at this point, skip down to the next segment.
  4. The following 3 steps are important, but do not offer the protection they once did.
  5. Scan all files for viruses before you open them -- no matter what the source.
  6. Scan all files for worms and other malware before you open them -- no matter what the source.
  7. If you have the software, scan all files for Trojans before you open them -- no matter what the source.
  8. This final step applies to installing a program. Make sure you have a current backup of your documents and preferably your operating system before you install any software, downloaded or not.
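To show what the second check above (and the file-name examination in the attachment steps) is looking for, here is an added example, not code from the original page: a small Python checker that flags executable extensions, double extensions, padding and right-to-left-override tricks in a saved attachment's name, and compares the file's first bytes with what its extension claims. The extension list and the magic-byte table are assumptions made for this example, not a complete reference.

```python
import os

# Assumed list of extensions Windows runs as a program when "opened" (includes the
# .exe and .pif cases the page names; not exhaustive)
EXECUTABLE_EXTS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".msi", ".hta"}

# Assumed table: first bytes a file must start with to be the type its extension claims
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
    ".mp3": (b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"),
    ".zip": (b"PK\x03\x04",),
}

def inspect_attachment(filename, head):
    """Return (verdict, reasons) for a file name and its first bytes.
    verdict is 'executable', 'masquerade', 'mismatch' or 'consistent'."""
    reasons = []
    if "\u202e" in filename:  # right-to-left override reverses how the name is displayed
        return "masquerade", ["name contains a right-to-left override character"]
    # Strip padding such as "invoice.pdf        .scr" before reading the extensions
    parts = "".join(filename.split()).lower().split(".")
    real_ext = "." + parts[-1] if len(parts) > 1 else ""
    shown_ext = "." + parts[-2] if len(parts) > 2 else ""
    if real_ext in EXECUTABLE_EXTS:
        reasons.append(f"real extension {real_ext} is run as a program by Windows")
        if shown_ext:  # double extension: the visible part pretends to be a document
            reasons.append(f"name pretends to be a {shown_ext} file")
            return "masquerade", reasons
        return "executable", reasons
    if head.startswith(b"MZ"):  # every Windows program file begins with 'MZ'
        return "masquerade", ["content starts with the MZ executable header"]
    expected = MAGIC.get(real_ext)
    if expected and not head.startswith(expected):
        return "mismatch", [f"content does not start like a {real_ext} file"]
    return "consistent", reasons

def inspect_file(path):
    """Apply inspect_attachment() to a file saved with 'Save as...'."""
    with open(path, "rb") as f:
        head = f.read(16)
    return inspect_attachment(os.path.basename(path), head)

if __name__ == "__main__":
    # Constructed sample names and first bytes, not real attachments
    for name, head in [("citekitty.exe", b"MZ\x90"), ("pamela.jpg.pif", b"MZ\x90"),
                       ("vacation.jpg", b"\xff\xd8\xff\xe0"), ("notes.pdf", b"PK\x03\x04")]:
        verdict, why = inspect_attachment(name, head)
        print(f"{name:16} -> {verdict}: {'; '.join(why) or 'nothing odd'}")
```

A "consistent" verdict only means the name and the first bytes agree; it is no substitute for the virus, worm and Trojan scans in the steps above.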

Inspecting files that you don't fully trust

Our strategy will be to pick a program that can't activate hostile content. These instructions apply only to file types listed in the safe programs table. Never, ever open an executable file if you aren't already sure it is OK.

  1. Scan the file with your antivirus program, and if you have it, your anti-malware and anti-Trojan software. If it passes these tests, proceed to Step 2.
  2. Pick a program from the list that you can use to open the file safely.
  3. Open just the program first.
  4. Now, open the file from the program [Click File > Open... (in the menu) > Navigate to the file location > select the file > click "Open"].
  5. If the program does not (cannot) open the file, become very suspicious. You probably should jettison the file at this point. It's not worth the level of risk that's now evident.
  6. If the file opens, you may be able to read or copy some of the contents, view the image, hear the sound or whatever is relevant for that type of file.
  7. That still doesn't mean you can trust the file, but you now have more information to help you decide what to do next.
  8. Decide whether you want to investigate the file further. If not, delete the file. If you want to go further, you're on your own, Dude.

Sandboxes

"Sandboxes" are another way to work safely with attachments and downloaded files. I've had some experience with BlackICE, and it seemed to be quite watchful. If you really can't be bothered with the process outlined above, a sandbox is probably a good alternative. They would certainly provide a good safety net.

Some firewalls, antivirus programs, anti-malware programs and other special programs create a safe zone, often called a sandbox. When you open a file in a sandbox, the software keeps a close eye on what happens, and if it's questionable, the action is blocked. Some of the better ones actually create a "virtual computer" within your computer, which is disposable if any damage occurs. [Finjan] [BlackICE]
