Updated: January 10, 2009
You probably ask yourselves what kind of tutorial this is. Well, depending on your needs and habits, it is quite likely that you will never need or want to use the advice given here.
But imagine the following scenario. You get a file from a "friend." You're not really sure about this file. Still, you want to see what it is. But you're not quite familiar with the format. And you are very much aware and afraid of viruses and other infections. You had friends go through these ordeals all too often, and you do not wish to be one of them.
But you really, really itch to see what the file is. And you have this friend, who's somewhat security conscious, and he told you that you shouldn't. You are faced with a situation where you will base a decision on your ability to ascertain whether the file you're about to double-click on is: a) executable b) malicious. Usually, the two will overlap. Files that do not run will not harm anybody just by sitting there. Therefore, it is important for you to know exactly and precisely if the file your friend sent you is some sort of disguised malware.
This tutorial is meant to educate Windows users on how to determine the true identity of suspicious files. Most of the material here has already been covered in another article about Windows security: Safe Web practices - How to remain safe on the Internet, but you may want to read it anyway.
If someone sends you a file claiming to be A and it turns out to be B - don't run it. As simple as that. Either the sender does not know what they're talking about - or worse, they know.
Being able to know what you're facing allows you to prepare yourself properly. If the file you're about to click is just a text file, your strategy warrants a different approach than if the file is an executable ...
You all know what .doc, .pdf and .exe files are. But have you ever heard of .wmf, .pif, .lnk, .obz, .ocx files? What are they? Are they executable? Can they actually run and harm the computer?
There are tens of executable types for Windows (more than 80, to say the least). It is impossible to remember them all by heart. Nor should you. Instead, you should let software do the hard work for you. There are several things that you should do whenever inspecting a suspicious file. Let us review them.
File extensions are unreliable
Windows classifies files by their extension - as simple, and as dangerous, as that. This means that whenever a file is opened, the operating system hands it to whatever application is registered for that extension, regardless of the file's actual type.
For example, take an .exe file and change the extension to .html. If you double-click it, your browser will try to open it. Crazy, eh? This tells you that you should never judge files by their extension. Forget what Windows tells you by displaying visual cues in the Windows Explorer. Worse yet, Windows hides the file extensions by default, making the guessing game all the more tricky. Here's an example: the extension is hidden, so we think we have a .doc file.
With the extension shown, the file is in fact an executable!
Therefore, you should make sure Windows does not hide extensions from you.
In Windows Explorer, click Tools > Folder Options, View tab.
The options you should select:
- Check the Show hidden files and folders radio button.
- Uncheck Hide extensions for known file types.
- Consider unchecking Hide protected operating system files (Recommended).
The last option is meant for power users, because you may accidentally delete critical system files if they are visible in the Windows Explorer. However, when dealing with files sent by other people, especially archives containing several items, it is wise to be able to see everything. You may consider temporarily disabling and enabling this option as the need arises.
Long file names
Long file names are another problem. If the file name is just too long to fit into the view of the Windows Explorer, you might not notice its real extension, even if you have the option Hide extensions for known file types unchecked (see above).
Here's another example: We have a file called File with a very long name.txt. We have the extensions visible, so at first glance everything looks OK. We think it's a text file. However, you may (or may not) notice the three dots (...) at the end of the Name column. This means the file name is long and does not fit into the current column width.
If we expand, we get:
Aha! So we have an executable file, with the name padded with lots of empty spaces! Most people would not notice this and fall for it. The truth is, the file is just an empty placeholder, with .txt and .exe extensions added.
This means that we CANNOT visually trust Windows to tell us what the file type is, whether it is masked as a different file type and whether it is executable and could potentially harm us if run. Solution? Use a dedicated utility capable of detecting file types.
Use dedicated file type utility
The most sensible choice I can recommend is the Windows port of the GNU/Linux utility called file. This command identifies a file's type from its contents, using a number of smart criteria, rather than from its name. You can find the file at the Fine Free File Command and File for Windows.
If you are interested in learning more about the file command functionality and advanced options, please refer to the Linux man page for file. The only downside is that the utility requires some use of the command line. Nevertheless, it works great. Here's how it works on a file with its genuine extension set (.exe):
Here's how it works with a file pretending to be something else (.exe changed to .doc):
And here's a zoom-in:
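As an added example that is not part of the original article, the following Python script applies the same idea as the file command: it classifies a file by its first bytes instead of its name, compares that with what the extension claims, and also flags the space-padded name trick from the Long file names section. The signature table, the extension list and the three sample files are constructed for this example.

```python
import os
import tempfile

# Content signatures (first bytes) for the formats this article talks about.
SIGNATURES = [
    (b"MZ", "Windows executable"),
    (b"%PDF", "PDF document"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 document (.doc/.xls)"),
    (b"PK\x03\x04", "ZIP archive (.zip/.docx/.jar)"),
]
EXEC_EXTENSIONS = {".exe", ".com", ".scr", ".dll", ".pif"}  # assumed short list

def sniff_type(path):
    """Classify by content, the way file(1) does, ignoring the name entirely."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    for magic, desc in SIGNATURES:
        if head.startswith(magic):
            return desc
    if head and all(b in (9, 10, 13) or 32 <= b < 127 for b in head):
        return "plain text"
    return "unknown"

def assess(path):
    """Compare what the name claims with what the bytes say."""
    name = os.path.basename(path)
    stem, ext = os.path.splitext(name)
    ext = ext.lower()
    kind = sniff_type(path)
    padded = stem != stem.rstrip()           # spaces hiding the real extension
    mismatch = (kind == "Windows executable") != (ext in EXEC_EXTENSIONS)
    return {"claimed": ext, "content": kind, "padded": padded,
            "suspicious": padded or mismatch}

def demo():
    """Constructed samples: a real text file, a padded-name exe, a disguised exe."""
    workdir = tempfile.mkdtemp()
    samples = {
        "notes.txt": b"Just a note.\r\n",
        "File with a very long name.txt" + " " * 40 + ".exe": b"MZ" + b"\0" * 62,
        "invoice.doc": b"MZ" + b"\0" * 62,
    }
    results = {}
    for name, content in samples.items():
        path = os.path.join(workdir, name)
        with open(path, "wb") as fh:
            fh.write(content)
        results[name] = assess(path)
    return results
```

Calling demo() writes the three samples to a temporary directory and returns one assessment per file; only notes.txt comes back without the suspicious flag.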
You now have the tools required to make a good assessment of the situation facing you. This does not guarantee that you will not accidentally cause damage to your computer by running a file you deemed safe.
Indeed, make no mistake! The idea of this tutorial was not to teach you how to salvage, mitigate or intercept infections - or even how to use this or that application when handling suspicious files. The idea of this tutorial focuses on the execution itself: properly decide whether the file is what you expected and what was promised. Either way, make the correct call on whether to run the file. After that, it's another story - and another article. For now, enjoy your new tool.