How to Tell if a File is Malicious
These days the internet is awash with malware. You can never be certain that the file you just downloaded isn't a malicious file pretending to be safe; in fact, many malicious files are designed to do exactly that. This article will explain how to tell the difference between a safe file and a dangerous one. Although this may seem like a very daunting task, I promise that it's not too difficult. There are now many sophisticated, yet simple, online services that let you check whether a file is malicious. If you believe that the file is probably safe, read section 1 first before you continue; it may save you a lot of time.
Index
1. Check If File Is In Comodo's Whitelist
2. Check File Using Comodo Valkyrie
A) Use Valkyrie To Find Out For Sure If File Is Safe
B) Alternatively Interpret Automatic Analysis Results Yourself
3. Check File Using VirusTotal
4. Check File For Malicious Behavior
A) Use Comodo Instant Malware Analysis
B) Use Anubis
1. Check If File Is In Comodo's Whitelist
If you believe that the file in question is probably safe then it may not be necessary to go through the rest of the steps outlined in this article. First upload the file to Comodo Valkyrie. This is a free service provided by Comodo that allows users to upload files up to 20MB to be analyzed almost instantly. After uploading the file, look at the upper left corner. There is a part that says "SHA1". Copy the entire string of letters and numbers next to it. Now go to the page for Comodo File Intelligence.
We will be using this service to see if the file has already been verified to be safe and is already present in Comodo's huge whitelist of safe files. Once on that site change the search box from "Search by Filename" to "Search by SHA1". Then paste in the SHA1 and click "Search Now". Look at the information it provides. If it says that "The file is safe" then quickly look at the results from Comodo Valkyrie. If the Final Result from Comodo Valkyrie says that the file is Safe or Unknown then you can trust the file. You do not need to continue on to the rest of the steps. However, if Comodo Valkyrie says that the file is Malicious then you may want to continue to the second section to verify that the file is in fact not dangerous. It's almost certainly safe, but it shouldn't take too long to confirm that using a few more methods.
2. Check File Using Comodo Valkyrie
Comodo Valkyrie is a free service provided by Comodo that allows users to upload files up to 20MB to be analyzed almost instantly. This service can be found on this page. Just go to the site and browse to the file you're investigating. Then upload the file. These files will be checked by multiple types of detection including static detection, behavioral analysis, whether it is detected by Comodo Antivirus, and advanced heuristics.
Using these detectors this service is able to provide a prediction as to whether the file is “Normal”, “Unknown”, or “Malicious”. A verdict of “Normal” means that the file is safe. “Malicious” means that it’s dangerous. If the analysis finds the file to be “Unknown” this means that it’s not sure.
A) Use Valkyrie To Find Out For Sure If File Is Safe
Also, some files may have already been manually analyzed by Comodo staff. If it has been analyzed the staff will have assigned it a verdict of Normal, Unknown, or Malicious. If they find it to be "Unknown" or "Malicious" then I'd advise getting rid of the file. I wouldn't trust it.
By the way, having them manually analyze a file is the only way to be absolutely certain that it’s safe. Thus if you want to be certain about the file, and it has not already been analyzed, you can manually submit the file to Comodo staff for analysis. To do this first make sure that you have an account with Comodo Valkyrie, and are signed in. If you don't already have an account, then it's very easy to get one. Simply go to "Sign Up", choose a UserName, give them a valid email address, and enter a password. I would highly advise that you create an account. After logging in you will see that at the top of the page it shows pictures of the analysts you can assign the file to. You can choose any analyst to investigate the file. It doesn't really matter which you choose.
After assigning the file they will manually analyze it and present you with the verdict. The possible verdicts are already explained above. This analysis should often take less than 24 hours. If you do decide to have the file manually analyzed then you don't need to worry about any other methods discussed in the rest of the article. Just submit the file and wait for the results. However, if you want to find out more about the file, and aren't willing to wait for the manual verdict, then the rest of this article should be very useful for you.
B) Alternatively Interpret Automatic Analysis Results Yourself
If you decide not to wait for the manual analysis then you can also use this service to quickly get a lot of information about the file. After the file is analyzed the most important parts to look at are the "Auto Result" and the "Final Result". Both results are given at the top of the page. The "Auto Result" gives you the overall result from the static detection. The "Final Result" combines the results from all types of detection to provide an overall prediction for the safety of the file. All of these detection types are discussed in greater detail below. If both of these give a verdict of Normal then the file is likely safe. However, before relying on these overall results, check the "Dynamic Detection" and "Advanced Heuristics" tabs to make sure that they have finished analyzing; these take longer than the static detection. To get an even better idea of whether the file is truly safe, you will also want to look more closely at the individual results in each tab.
Note that for some files the result will read "No PE File". Essentially, what this means is that for whatever reason Comodo Valkyrie is not able to analyze the file. Thus, if this is the result you receive I would recommend that you skip to the next section and continue to analyze the file using the alternate methods discussed in this article.
After the file is analyzed you will be presented with three different tabs of information. The first is called “Static Detection”. The tab shows the verdict of the 17 different AI detectors that checked the file. The individual verdict of these detectors is not important. Comodo uses a very sophisticated algorithm to determine the final verdict based on each of these detectors. What’s important is the overall result given at the bottom of the screen. This gives the automatic verdict in the box under where it says “Static Verdict Combination”. It also gives its confidence under “Probability of Static Verdict”.
The other tab we will be looking at is called “Advanced Heuristics”. This examines the file with more sensitive algorithms. These are more likely to catch malware but are also more likely to incorrectly identify a file as “Unknown” or “Malicious”. Please keep this in mind when interpreting these results.
3. Check File Using VirusTotal
You can also find out whether any antiviruses (AVs) detect it. One of the best services for this is VirusTotal. It can be found on this page. This service will scan any file you upload with over 40 different products and show the results separately for each one. You can upload files up to 32MB in size and the entire process should only take about a minute.
By far the most difficult part of using VirusTotal is interpreting the results. It can sometimes be difficult to tell from the results whether a file is likely to be dangerous. In general, if a significant number of scanners show a warning the file is likely to be dangerous. However, even if only a few detect it that does not necessarily mean that it is safe. Below are example findings for two files that are indeed malicious.
Using VirusTotal does have a few drawbacks. One of these is that it is certainly possible for malware to be so new that not a single antivirus yet detects it. I have personally seen this on multiple occasions. Thus, even if VirusTotal shows that no AV detects a file it does not mean that it is not dangerous. A related problem is that malware is being created so quickly that antivirus companies are forced to use heuristic detections and generic signatures in an attempt to keep up with it. The problem with this approach is that these detection methods may incorrectly identify a legitimate file as malicious. This is known as a false positive. These types of mistakes do occur, and with increasing frequency.
Thus, if only a few AVs detect a file with heuristics, and the other AVs do not, then this may be a false positive. However, this does not guarantee that it is. It's for reasons such as this that you should always check a file using all three methods discussed in this article. Below are example findings for legitimate files that are being incorrectly identified as dangerous by VirusTotal.
I want to be clear that even if only a single antivirus, or even none, detects a file as malicious then the file can still be dangerous. VirusTotal cannot be used to guarantee that a file is safe. However, if a very large number of antiviruses find the file to be malicious, then it likely is. This is the true strength of VirusTotal.
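The two mechanical parts of the procedure above, computing the SHA1 locally for the whitelist lookup in section 1 (as a commenter below also suggests) and weighing a multi-engine scan result the way section 3 describes, can be scripted. The following is an added example written for this page, not code from the article, Comodo or VirusTotal. The whitelist, the scan results and the engine names are all constructed so that it runs offline; the detection-name markers treated as "heuristic or generic" and the threshold of 10 engines for "a large number" are assumptions, since the article gives no fixed numbers. The per-engine mapping has the same shape as the per-engine results VirusTotal's v3 API returns, but no real report is fetched.

```python
import hashlib
import os
import tempfile

# Threshold for "a large number of engines": an assumed value, the article gives none.
MANY_ENGINES = 10

# Substrings that commonly mark heuristic or generic signatures. This list is an
# assumption for the example, not an official VirusTotal or vendor convention.
HEURISTIC_MARKERS = ("heur", "generic", "gen:", "suspicious", "ml.", "cloud", "@")

# Constructed whitelist standing in for Comodo File Intelligence (SHA1 of b"hello").
CONSTRUCTED_WHITELIST = {
    "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d": "constructed-safe-tool.exe",
}


def sha1_of_file(path, chunk_size=1 << 20):
    """Hash the file locally in chunks so a large download never sits in memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def whitelisted(sha1, whitelist=CONSTRUCTED_WHITELIST):
    """Section 1 check: a known-good hash means the remaining steps can be skipped."""
    return sha1.lower() in whitelist


def is_heuristic_name(detection_name):
    lowered = detection_name.lower()
    return any(marker in lowered for marker in HEURISTIC_MARKERS)


def triage(results, many=MANY_ENGINES):
    """Section 3 logic over a per-engine mapping {engine: detection name or None}.

    Many engines agreeing is the strong signal; a handful of heuristic/generic
    names may be a false positive; zero detections is never proof of safety."""
    detections = {engine: name for engine, name in results.items() if name}
    hits = len(detections)
    heuristic_only = hits > 0 and all(is_heuristic_name(n) for n in detections.values())
    if hits >= many:
        verdict = "likely malicious"
    elif hits == 0:
        verdict = "undetected: not proof of safety, still check behaviour"
    elif heuristic_only:
        verdict = "few heuristic/generic hits: possible false positive, confirm with other methods"
    else:
        verdict = "few named detections: suspicious, confirm with other methods"
    return {"engines": len(results), "hits": hits,
            "heuristic_only": heuristic_only, "verdict": verdict}


def constructed_results(engines, named):
    """Build a constructed scan result; `named` maps engine index -> detection name."""
    return {f"engine{i:02d}": named.get(i) for i in range(engines)}


# Constructed sample scans: 45 engines each, like a VirusTotal-sized panel.
SAMPLES = {
    "widely_detected": constructed_results(45, {i: "Trojan.Example.Constructed" for i in range(14)}),
    "heuristic_only": constructed_results(45, {3: "Gen:Variant.Heur.Example", 7: "Suspicious.ML.Score"}),
    "clean": constructed_results(45, {}),
}


def hash_constructed_file(content=b"hello"):
    """Write constructed bytes to a temp file and hash it, as one would a download."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as handle:
            handle.write(content)
        return sha1_of_file(path)
    finally:
        os.remove(path)


if __name__ == "__main__":
    digest = hash_constructed_file()
    print(f"SHA1 {digest} whitelisted: {whitelisted(digest)}")
    for label, results in SAMPLES.items():
        print(label, triage(results))
```

Replace `hash_constructed_file()` with `sha1_of_file("path/to/download")` for a real file; the whitelist lookup and the scan result would then come from the Comodo and VirusTotal pages the article links to, which this example deliberately does not call.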
4. Check File For Malicious Behavior
In addition to the above methods you may also want to check the file for malicious behavior. There are many great services that can do this, but I have selected the two that I would most highly recommend. Do remember that legitimate files can be flagged as suspicious by them and that it’s also possible for malware to slip through undetected. In fact, some malware is even able to tell that it’s running in a virtual environment and thus refuse to run. It's for this reason, again, that it's best to use all three methods discussed in this article to analyze a file.
A) Use Comodo Instant Malware Analysis
Comodo Instant Malware Analysis (CIMA) can be found on this page. I believe that the results of this service should be understandable by all users. You can upload files of any size to it and, after the upload is complete, it will immediately begin analyzing the file. The amount of time this takes is largely dependent on the size of the file and the complexity of its behavior. That said, in most cases it’s actually quite fast to analyze. I’d highly recommend using this service as it's very effective at recognizing suspicious behavior. Once the analysis is complete the results will be given at the end of the report.
The verdict may be "Suspicious", "Suspicious+", or "Suspicious++". If the verdict is any of these, it means that possibly malicious behavior was detected, and the reasons it was flagged are listed immediately below the verdict. "Suspicious++" indicates the most suspicious behavior.
If it instead says that the “Auto Analysis Verdict” is “Undetected” then it did not find any suspicious activity. This doesn't guarantee that it's not dangerous, but it does make it more likely that it's not. Thus if the above steps didn't find any malicious behavior, and neither did CIMA, then you can be relatively certain that the file is safe.
B) Use Anubis
More advanced users may also wish to use Anubis. This service can be found on this page. This is another highly effective behavioral analysis service. However, uploading files sometimes takes a very long time and the results are more difficult to interpret. That said, this service does provide a lot of information about the behavior of the file and will serve as a great second opinion to CIMA. If you're an advanced user I would highly recommend also checking the behavior of files with Anubis.
5. Report Dangerous Files
If your analysis shows that a particular file is dangerous I would recommend that you submit it to as many anti-malware vendors as possible. The easiest way to do this is to follow the advice I give in my article about How to Report Malware or False Positives to Multiple Antivirus Vendors. By following the steps outlined you can help prevent anyone else from being infected with that piece of malware.
Please help by rating this article. Also, if you believe this article deserves anything less than 5 stars, please leave a comment below explaining how you think it can be improved or where you find fault. This article is written by me but fueled by the community. Thus your opinions and advice are not only much appreciated, but actually necessary in order for this article to grow and improve.
If you found this article useful then perhaps you'd like to check out some of my others.
How to Clean An Infected Computer
How to Fix a Malware Infected Computer
How to Harden Your Browser Against Malware and Privacy Concerns
How to Install Comodo Firewall
How to Know If Your Computer Is Infected
How to Protect Your Online Privacy
How to Report Dangerous Websites
How to Report Malware or False Positives to Multiple Antivirus Vendors
How to Tell If A Website Is Dangerous
This software category is maintained by volunteer editor Chiron.
Comments
Article good. Have uploaded a file for safety determination. However, what do results "NO PE FILE" mean?
Thank you for pointing this out. I have updated the article to explain what that result means.
Essentially, what this means is that for whatever reason Comodo Valkyrie is not able to analyze the file. Thus, if this is the result you receive I would recommend that you skip to the following sections and continue to analyze the file using the alternate methods discussed in the article.
You guys ROCK!
I've found far too many self proclaimed puter heads out there who really don't know diddly squat about what they are talking about, yet they try and spread their flower food as the real deal. While I know just enough about computers to "usually" get it out of a jam most of the time, it is always by trial and error and a whole lotta luck that I am able to accomplish that. You guys on the other hand really know what you are doing, and that's refreshing!
Thank you. We really appreciate it.
Please let me know if you have any questions.
Thanks.
Rather than uploading 20 MB files just to get the SHA1 signature, wouldn't it be easier to run a SHA1 hash generator on the file locally? There's a bazillion of suitable programs; see the "Best Free Hash Utility" article.
I like VirusTotal, but every time I've used it, it turns out that the file I've submitted already exists in their database – so it's good to know that someone's come up with a service that lets you just upload the SHA1 yourself.
Yes, of course you can use any SHA1 hash generator to get the hash instead of uploading it. There are many ways to go about that task.
The only reason I suggested that people upload it is because I believe that often they will find that the file is not yet trusted and have to upload it anyway. Thus I was trying to save time for the majority of the users following this article.
In section #1, your https link to Comodo Valkyrie got me an error message, but changing to http worked OK.
In section #2, you give a slightly different http link to Comodo Valkyrie.
At first it was confusing to see different URLs for what seemed to be described as the same Comodo Valkyrie service, but fortunately both http links lead to the same File Verdict Service.
Thank you for pointing this out. They had moved the service to a different page, and apparently I forgot to change one of the links.
very well written, thanks for all the good info. Bookmarked :)
Thank you.
Please let me know if you have any questions.
I've updated the article.
Please let me know what you think?
Chiron,
A most comprehensive article in language that was clear and easy for me as just a moderately competent user to follow.
Congratulations and thank you
Richard
Thank you.
Please let me know if there's anything else you would like to know.
Thank you, Chiron,
for updating this article,
ref: this important (and misunderstood) subject.
Very professional of you.
The truth is,
not even a combination of several test sites (above),
will assure 100% "peace of mind",
ref a d/l File.
But at least,
you pointed out some good, general guidelines
and evaluation suggestions.
I like your approach!.
SFdude
Thank you.
If you have any other ideas for improving my methodology please let me know. I'm always looking for ways to improve my articles.
Can anyone tell me what's the difference between 'http://camas.comodo.com/' and Valkyrie?
CIMA, also known as CAMAS, will only check a file to see if the behavior is suspicious. Comodo Valkyrie will check a file using many different techniques, including static detection and advanced heuristics. Another method that Valkyrie uses to assess a file is to actually run it through CIMA. Therefore Valkyrie is actually using CIMA as a tool.
I hope that makes sense. Here's a link to an example. If you look under the "Dynamic Detection" tab you'll see that it actually has the Camas Verdict.
https://valkyrie.comodo.com/Result.html?sha1=08d75748a2139e2d2dcac8e8a0b...
Thank you for this article. I am not sure if there is any other single source website that I can trust like this one.
Thank you very much. I really appreciate your kind words.
Please let me know if you have any questions.
Great article Chiron
I enjoyed reading it and following the steps outlined in your article. When I finished following the steps all it found was two unknown files. One is an online document syncing service and one is Magic ISO, which I have used for years. Therefore, I know it is safe.
It was great doing the exercises as you never know what slips past your defences. What I love most about the programs outlined is that they are portable. Over the last two years, I have tried to get more and more portable apps, as it does not mess with your system.
Just a note to all that help on the gizmo site. I have been reading his articles when he still had very few subscribers and no helpers. Over the years, I have read some awesome articles from this site. In addition, I cannot wait for the mail everyday as it gives me an excuse to take a time out.
Just to prove what a great job you folks are doing my pc’s are all now about 80% freeware. In addition, this site is my first port of call when it comes to pc related stuff. The only program that I can think of offhand that is not freeware on my pc is MS office as I use it daily and have not found a suitable replacement
Regards,
Herman Jooste
Well I don't think I'll find a better time to say this; I've been a member for 2 years (and 6 weeks) and I've come to use mostly freeware as well and also mostly portable (I use Find and Run Robot to launch them) - I feel as safe as I possibly could running a Windows OS.
I've come to appreciate the openness of this website's community almost as much as that of the open-source's one! I believe the only useful/interesting updates I get on facebook are from you. You're doing a great job, we are all thankful for that.
Thank you.
Please let me know if you have any questions.
Thank you for your kind words Herman which are very much appreciated :)
Another approach is analyzing the file yourself with a tool like Buster Sandbox Analyzer.
Buster Sandbox Analyzer is a tool that has been designed to analyze the behaviour of processes and the changes made to the system, and then evaluate if they are malware suspicious.
http://bsa.isoftware.nl/
I did look into this and it's a very remarkable tool. It's certainly very useful, but it does require other software to be installed.
I decided not to include it in this article because I'm trying to keep the methods constrained to online services.
Thanks.
Thank you for pointing this out. I'll look into it during my next rewrite.
Since I've been with Gizmo from the beginning and that since the Gizmo site has expanded and expanded - I've now got to the position where I'm very hesitant to d/l any s/w NOT recommended by yourselves - I think there has only been a couple of progs in the last 2 years and even then they were sandboxed and expanded - Thanks to all ......... Brilliant Site.
Thank you very much.
Please let me know if you have any questions.
Thank you for your kind words which are appreciated :)
http://anubis.iseclab.org/?action=home
Should be included in 2., because of more features (auxiliary files, URL, etc.)