
How to Tell if a File is Malicious

 

These days the internet is awash with malware. You can never be certain that the file you just downloaded isn’t some malicious file pretending to be safe. In fact many malicious files are designed to do exactly this. They try to trick you into running them so that they can go about whatever nefarious purpose they were designed for. This article will explain how to tell the difference between a safe file and a dangerous one. Although this may seem like a very daunting task, I do promise that it’s not too difficult. These days there are many very sophisticated, and simple, online services that allow you to make sure a file is not malicious. One method is given in step 1. If you believe that the file is probably safe then make sure that you read that section first before you continue on to the second section. It may save you a lot of time.

 

Index

  1. Shortcut (If you believe the file is safe)
  2. Check File Using Comodo Valkyrie
  3. Check File Using VirusTotal
  4. Check File For Malicious Behavior

 

 

1. Shortcut (If you believe the file is safe)

 

If you believe that the file in question is probably safe then it may not be necessary to go through the rest of the steps. First upload the file to Comodo Valkyrie. This is a free service provided by Comodo that allows users to upload files up to 20MB to be analyzed almost instantly. After uploading the file look at the upper left corner. There is a part that says "SHA1". Copy the entire string of letters and numbers that is next to it. Now go to Comodo File Intelligence and change the search box from "Search by Filename" to "Search by SHA1". Then paste in what you copied and click "Search Now". Look at the information it provides. If it says that "The file is safe" then quickly look at the results from Comodo Valkyrie. If the Final Result from Comodo Valkyrie says that the file is Safe or Unknown then you can trust the file. You do not need to continue on to the rest of the steps. However, if Comodo Valkyrie says that the file is Malicious then you will want to continue to part 2 of this article.

 

If, however, the file is found to be something other than safe by Comodo File Intelligence, then you should submit the program, or individual file, to Comodo for analysis. Instructions for how to submit programs, or individual files, can be found in this topic of the Comodo forums. Make sure that you read through the first post entirely. Do not post files directly. Only post download links for them if you are sure that the program is safe. Otherwise post links to the scanning results, as explained in the post. These submissions will be quickly analyzed by Comodo staff and, if appropriate, added to the whitelist. All you need to do is keep an eye out for Comodo's response in that same topic about whether your submission was whitelisted or not. In most cases this shouldn't take more than a few days for programs. However, individual files can take anywhere from a few days to a few weeks, depending on how much information you provide and how many other requests they are trying to fulfill. The requirements for a file, or program, to be whitelisted are strict. Thus if the file is whitelisted you can be absolutely sure that the file is safe.

 

However, in order to submit programs you do need to have an account on the Comodo forums. If you don't already have one then it's very easy to get one. There is an option to register at the top of any page on the Comodo forums. Reporting a file in this way will not only allow you to find out for certain if it's safe but it will also help to make every Comodo product more usable.
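The shortcut above turns on one idea: a file can be identified by its hash before it is uploaded anywhere, so you can search Comodo File Intelligence by SHA1 (and any other hash-keyed lookup) without first handing the file over. The script below is an added example, not code from Gizmo's Freeware or from Comodo. It streams a file once through MD5, SHA-1 and SHA-256, and reports whether the file fits under the upload limits the article quotes (20MB for Comodo Valkyrie, 32MB for VirusTotal); taking those as 1024*1024-byte megabytes is an assumption, and the sample file it writes is constructed filler rather than a real program.

```python
"""Digests and size of a file, computed locally before anything is uploaded.

Added example for the hash-lookup step of the article; it is not code from
Gizmo's Freeware or Comodo. Assumptions: the 20MB (Comodo Valkyrie) and
32MB (VirusTotal) upload limits quoted in the article are taken as
1024*1024-byte megabytes, and the file written by write_constructed_sample()
is constructed filler, not a real program.
"""
from __future__ import annotations

import hashlib
import io
import os
import tempfile

CHUNK_SIZE = 1024 * 1024  # read 1 MiB at a time so big files never sit in RAM

# Upload limits as stated in the article (MiB interpretation is an assumption).
UPLOAD_LIMITS = {
    "Comodo Valkyrie": 20 * 1024 * 1024,
    "VirusTotal": 32 * 1024 * 1024,
}

# Constructed sample content used by the stand-alone demo.
SAMPLE_BYTES = b"constructed sample, not a real program\n" * 3000


def digest_stream(stream) -> dict:
    """Hash a readable binary stream in one pass with MD5, SHA-1 and SHA-256.

    SHA1 is what Comodo File Intelligence searches by; other services key on
    SHA-256 or MD5, so all three come out of the same single read."""
    hashers = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    size = 0
    while True:
        chunk = stream.read(CHUNK_SIZE)
        if not chunk:
            break
        size += len(chunk)
        for h in hashers.values():
            h.update(chunk)
    result = {name: h.hexdigest() for name, h in hashers.items()}
    result["size"] = size
    return result


def digests_of_bytes(data: bytes) -> dict:
    """Wrapper for in-memory data (handy for checking known test vectors)."""
    return digest_stream(io.BytesIO(data))


def file_digests(path: str) -> dict:
    """Digest a file on disk without loading it whole."""
    with open(path, "rb") as fh:
        return digest_stream(fh)


def upload_eligibility(size: int) -> dict:
    """Which of the article's services will accept a file of this size."""
    return {service: size <= limit for service, limit in UPLOAD_LIMITS.items()}


def write_constructed_sample(directory: str | None = None) -> str:
    """Write SAMPLE_BYTES to a temporary file and return its path."""
    directory = directory or tempfile.mkdtemp(prefix="digest-demo-")
    path = os.path.join(directory, "sample.bin")
    with open(path, "wb") as fh:
        fh.write(SAMPLE_BYTES)
    return path


def report(path: str) -> dict:
    """Everything to note down before visiting the lookup sites: the digests,
    the size, and which upload limits the file fits under."""
    info = file_digests(path)
    info["uploadable"] = upload_eligibility(info["size"])
    return info


if __name__ == "__main__":
    sample = write_constructed_sample()
    for key, value in report(sample).items():
        print(f"{key:>10}: {value}")
```

Run it against a real download by calling `report("path/to/file")`; the `sha1` value is what goes into the "Search by SHA1" box, and a `False` under `uploadable` tells you in advance that the service will reject the file rather than finding out after a long upload.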

 

 

2. Check File Using Comodo Valkyrie

 

Comodo Valkyrie is a free service provided by Comodo that allows users to upload files up to 20MB to be analyzed almost instantly. The link for Comodo Valkyrie is given in the title for the section. Just go to the site and browse to the file you're investigating. Then upload the file. These files will be checked by multiple types of detection including static detection, behavioral analysis, whether it is detected by Comodo Antivirus, and advanced heuristics.

 

Using these detectors this service is able to provide a prediction as to whether the file is “Normal”, “Unknown”, or “Malicious”. A verdict of “Normal” means that the file is safe. “Malicious” means that it’s dangerous. If the analysis finds the file to be “Unknown” this means that it’s not sure.

 

One way to use Valkyrie to assess a file is to submit it to Comodo staff for analysis. This method is also the most certain. At the top of the page it shows pictures of the analysts you can assign the file to. To do this first make sure that you have an account with Comodo Valkyrie, and are signed in. If you don't already have an account, then it's very easy to get one. Simply go to "Sign Up", choose a username, give them a valid email address, and enter a password. All of your information is completely safe and you will, of course, receive no spam.

 

After assigning the file to the analyst they will manually analyze it and present you with the verdict. If they say the file is "Normal" then you know for sure that the file is safe. If they find it to be "Unknown" or "Malicious" then I'd advise getting rid of the file. I wouldn't trust it. Having them manually analyze a file is the only way to be absolutely certain that it's safe. This analysis should take less than 24 hours. If you do decide to have the file manually analyzed then you don't need to worry about any other methods discussed in the rest of the article. Just submit the file and wait for the results. However, if you want to find out more about the file, and aren't willing to wait for the manual verdict, then the rest of this article should be very useful for you.

 

If you decide not to wait for the analysis then you can also use this service to quickly get a lot of information about the file. After the file is analyzed the most important parts to look at are the "Auto Result" and the "Final Result". Both results are given at the top of the page. The "Auto Result" will give you the overall result from the static detection. The "Final Result" combines the results from all types of detection to provide an overall prediction for the safety of the file. All services are discussed in greater detail below. If both of these give a verdict of normal then the file is probably safe. However, before looking at these overall results check the "Dynamic Detection" and "Advanced Heuristics" tabs to make sure that they have finished analyzing. This will take longer than the static detection. However, to get an even better idea of whether the file is truly safe you will also want to look more closely at the individual results for each tab.

 

After the file is analyzed you will be presented with three different tabs of information. The first is called "Static Detection". The tab shows the verdict of the 17 different AI detectors that checked the file. The individual verdict of these detectors is not important. Comodo uses a very sophisticated algorithm to determine the final verdict based on each of these detectors. What's important is the overall result given at the bottom of the screen. This gives the automatic verdict in the box under where it says "Static Verdict Combination". It also gives its confidence under "Probability of Static Verdict".

 
The tab for "Dynamic Detection" has both the results for Comodo Antivirus (CAV) and for Comodo Instant Malware Analysis, which is also known as CAMAS. The box for Comodo Antivirus will tell you if it is currently detected by Comodo Antivirus and, if it is, what type of malware it is detected as. CAMAS, or CIMA as it is also known, is a behavioral analyzer. I do apologize, but this service is known by multiple names. For more information on how to understand the results please see this section of this article. The report URL will link you to the CIMA results so that you can understand what was found to be suspicious about its behavior, if anything. However, do be aware that there is a bug such that if you select "Report URL", when the behavior is found to be undetected, it will instead link you to the page for "Static Detection".
 

The other tab we will be looking at is called “Advanced Heuristics”. This examines the file with more sensitive algorithms. These are more likely to catch malware but are also more likely to incorrectly identify a file as “Unknown” or “Malicious”. Please keep this in mind when interpreting these results.

 

3. Check File Using VirusTotal

 

You can also find out whether any antiviruses (AV’s) detect it. One of the best sites for this is VirusTotal. A link to the service is given in the title of this section. This will scan any file you upload with over 40 different products and show the results separately for each one. You can upload files up to 32MB in size and the entire process should only take about a minute. This time largely depends on how long it takes to upload the file.

 

The most difficult part of using VirusTotal is interpreting the results. It can sometimes be difficult to tell from the results whether a file is likely to be dangerous. In general, if a significant number of scanners show a warning the file is likely to be dangerous. However, even if only a few detect it that does not necessarily mean that it is safe. Below are example findings for two files that are indeed malicious.


Using VirusTotal does have a few drawbacks. One of these is that it is certainly possible for malware to be so new that not a single antivirus yet detects it. Thus even if VirusTotal says that no AV detects a file it does not mean that it is not dangerous. I've seen this type of behavior on multiple occasions. A related problem is that malware is being created so quickly that antivirus companies are forced to use heuristic detections and generic signatures in an attempt to keep up with it. The problem with this approach is that these detection methods may incorrectly identify a legitimate file as malicious. This is known as a false positive. These types of mistakes do occur, and with increasing frequency. Thus, if only a few AV's detect a file with heuristics, and the other AV's do not, then this may be a false positive. However, this does not guarantee that it is. It's for reasons such as this that you should always check a file using all three methods discussed in this article. Below are example findings for legitimate files that are being incorrectly identified as dangerous by VirusTotal.


I want to be clear that even if only a single antivirus, or even none, detects a file as malicious then the file can still be dangerous. VirusTotal cannot be used to guarantee that a file is safe. However, if a very large number of antiviruses find the file to be malicious, then it likely is. This is the true strength of VirusTotal.

 

4. Check File For Malicious Behavior

 

In addition to the above methods you may also want to check the file for malicious behavior. There are many great services that can do this, but I have selected the two that I would most highly recommend. Do remember that legitimate files can be flagged as suspicious by them and that it’s also possible for malware to slip through undetected. In fact, some malware is even able to tell that it’s running in a virtual environment and thus refuse to run. It's for this reason, again, that it's best to use all three methods discussed in this article to analyze a file.

 

A) Use Comodo Instant Malware Analysis (CIMA)

 

A link to CIMA is given in the above title. The results of this service should be understandable by all types of users. You can upload files of any size to it and, after the upload is complete, it will immediately begin analyzing the file. The amount of time this takes is largely dependent on the size of the file and the complexity of its behavior. That said, in most cases it’s actually quite fast to analyze. I’d highly recommend using this service as it's very effective at recognizing suspicious behavior. Once the analysis is complete the results will be given at the end of the report. 

 

The verdict may be “Suspicious”, “Suspicious+”, or “Suspicious++”. If the verdict is any of these then possibly malicious behavior was detected. It also gives the reasons it flagged it as such immediately below the verdict. “Suspicious++” indicates the most suspicious behavior.

If it instead says that the “Auto Analysis Verdict” is “Undetected” then it did not find any suspicious activity. This doesn't guarantee that it's not dangerous, but it does make it more likely that it's not. Thus if the above steps didn't find any malicious behavior, and neither did CIMA, then you can be relatively certain that the file is safe.
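The rules of thumb in the VirusTotal section (many detections means likely malicious, a few heuristic-only hits may be a false positive, zero hits proves nothing) and the closing advice here (a clean scan plus Valkyrie plus CIMA is what makes a file "relatively" safe) can be written down as one small decision procedure. The following is an added example and not code from Gizmo's Freeware, VirusTotal or Comodo: the engine names and detection strings are constructed, and the thresholds and the list of markers that make a detection name look "generic" are assumptions picked for illustration, not anything these services publish.

```python
"""Reading a multi-engine scan and combining it with the Valkyrie and CIMA
verdicts along the lines of the article's advice.

Added example, not code from Gizmo's Freeware, VirusTotal or Comodo. The
engine names and detection strings are constructed; the thresholds and the
"generic-looking" markers are assumptions for illustration only."""
from __future__ import annotations

# Substrings that often mark heuristic or generic detections (assumption).
GENERIC_MARKERS = ("gen", "heur", "generic", "suspicious", "packed")

# Assumed thresholds: the share of engines that counts as "a significant
# number", and how many purely heuristic hits still count as "only a few".
SIGNIFICANT_RATIO = 0.30
FEW_DETECTIONS = 3


def is_generic_name(name: str) -> bool:
    """True when a detection string looks heuristic/generic, not a named family."""
    lowered = name.lower()
    return any(marker in lowered for marker in GENERIC_MARKERS)


def summarize_scan(results: dict[str, str | None]) -> dict:
    """results maps engine name -> detection string, or None when clean."""
    hits = {eng: name for eng, name in results.items() if name}
    total = len(results)
    return {
        "engines": total,
        "detections": len(hits),
        "ratio": len(hits) / total if total else 0.0,
        "generic_only": bool(hits) and all(is_generic_name(n) for n in hits.values()),
        "names": sorted(set(hits.values())),
    }


def scan_verdict(results: dict[str, str | None]) -> str:
    """The article's reading of a multi-engine scan."""
    s = summarize_scan(results)
    if s["detections"] == 0:
        # The article's caveat: zero hits may only mean the sample is too new.
        return "no detections"
    if s["ratio"] >= SIGNIFICANT_RATIO:
        return "likely malicious"
    if s["detections"] <= FEW_DETECTIONS and s["generic_only"]:
        return "possible false positive"
    return "inconclusive"


def overall_assessment(results, valkyrie_final: str, cima_verdict: str) -> str:
    """Combine the three sources. A Valkyrie 'Malicious' or any CIMA
    'Suspicious' grade overrides a clean scan; a clean or borderline scan with
    Valkyrie 'Normal'/'Unknown' and CIMA 'Undetected' is 'relatively safe' (the
    article's own wording); everything else goes to manual analysis."""
    scan = scan_verdict(results)
    v = valkyrie_final.strip().lower()
    c = cima_verdict.strip().lower()
    if v == "malicious" or c.startswith("suspicious") or scan == "likely malicious":
        return "do not trust"
    if (scan in ("no detections", "possible false positive")
            and v in ("normal", "safe", "unknown") and c == "undetected"):
        return "relatively safe"
    return "investigate further"


def constructed_results(total: int, names: list[str]) -> dict[str, str | None]:
    """Constructed scan: the first len(names) engines detect, the rest are clean."""
    engines = [f"Engine{i:02d}" for i in range(1, total + 1)]
    out: dict[str, str | None] = {e: None for e in engines}
    for engine, name in zip(engines, names):
        out[engine] = name
    return out


# Constructed samples with 42 engines (the article's "over 40").
SAMPLE_MALICIOUS = constructed_results(42, ["Trojan.Constructed.A"] * 30)
SAMPLE_HEURISTIC_ONLY = constructed_results(42, ["Gen:Variant.Constructed", "HEUR/Constructed"])
SAMPLE_NAMED_FEW = constructed_results(42, ["Trojan.Constructed.A", "Trojan.Constructed.B", "Worm.Constructed"])
SAMPLE_CLEAN = constructed_results(42, [])


if __name__ == "__main__":
    for label, sample in [("malicious", SAMPLE_MALICIOUS), ("heuristic-only", SAMPLE_HEURISTIC_ONLY),
                          ("named-few", SAMPLE_NAMED_FEW), ("clean", SAMPLE_CLEAN)]:
        s = summarize_scan(sample)
        print(f"{label:>15}: {s['detections']}/{s['engines']} -> {scan_verdict(sample)}; "
              f"with Valkyrie=Normal, CIMA=Undetected -> "
              f"{overall_assessment(sample, 'Normal', 'Undetected')}")
```

The point of the ordering in `overall_assessment` is the one the article keeps repeating: a behavioral "Suspicious" grade or a Valkyrie "Malicious" result is never cancelled out by a quiet scan, while a quiet scan on its own never reaches "relatively safe" without the other two sources agreeing.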

 

B) Use Anubis

 

More advanced users may also wish to use Anubis. The link to this service is given in the above title. This is another highly effective behavioral analysis service. However, uploading files often takes a very long time and the results are more difficult to interpret. That said, this service does provide a lot of information about the behavior of the file and will serve as a great second opinion to CIMA. If you're an advanced user then I'd also highly recommend checking files with Anubis.


If you believe this article deserves anything less than 5 stars, please leave a comment below explaining how you think it can be improved or where you find fault. This article is written by me but fueled by the community. Thus your opinions and advice are not only much appreciated, but necessary for this article to grow and improve.

 

If you found this article useful then perhaps you'd like to check out some of my others.

How to Know If Your Computer Is Infected

How to Clean An Infected Computer

How to Stay Safe While Online

How to Protect Your Online Privacy

How to Avoid Spam

How to Report Spam

How to Tell If A Website Is Dangerous

How to Install Comodo Firewall

 

This software category is maintained by volunteer editor Chiron. Registered members can contact the editor with any comments or suggestions they might have by clicking here.

 


Comments

by Richard Ritty (not verified) on 19. April 2012 - 19:22  (92299)

Chiron,

A most comprehensive article in language that was clear and easy for me as just a moderately competent user to follow.

Congratulations and thank you

Richard

by Chiron on 20. April 2012 - 13:11  (92326)

Thank you.

Please let me know if there's anything else you would like to know.

by SFdude (not verified) on 18. April 2012 - 20:51  (92263)

Thank you, Chiron,
for updating this article,
ref: this important (and misunderstood) subject.

Very professional of you.

The truth is,
not even a combination of several test sites (above),
will assure 100% "peace of mind",
ref a d/l File.

But at least,
you pointed out some good, general guidelines
and evaluation suggestions.

I like your approach!.
SFdude

by Chiron on 19. April 2012 - 3:12  (92272)

Thank you.

If you have any other ideas for improving my methodology please let me know. I'm always looking for ways to improve my articles.

by Martin Chua (not verified) on 9. January 2012 - 8:10  (86858)

Can anyone tell me what's the difference between 'http://camas.comodo.com/' and Valkyrie.

by Chiron on 9. January 2012 - 14:32  (86880)

CIMA, also known as CAMAS, will only check a file to see if the behavior is suspicious. Comodo Valkyrie will check a file using many different techniques, including static detection and advanced heuristics. Another method that Valkyrie uses to assess a file is to actually run it through CIMA. Therefore Valkyrie is actually using CIMA as a tool.

I hope that makes sense. Here's a link to an example. If you look under the "Dynamic Detection" tab you'll see that it actually has the Camas Verdict.
https://valkyrie.comodo.com/Result.html?sha1=08d75748a2139e2d2dcac8e8a0b...

by Tony Dodd (not verified) on 7. January 2012 - 7:23  (86747)

Thank you for this article. I am not sure if there is any other single source website that I can trust like this one.

by Chiron on 7. January 2012 - 7:25  (86748)

Thank you very much. I really appreciate your kind words.

Please let me know if you have any questions.

by Herman Jooste (not verified) on 18. December 2011 - 13:03  (85229)

Great article Chiron

I enjoyed reading it and following the steps outlined in your article. When I finished following the steps all it found was two unknown files. One is an online document sinking service and one is a Magic Iso, which I have used for years. Therefore, I know it is safe.

It was great doing the exercises as you never know what slips past your defences. What I love most about the programs outlined is that they are portable. Over the last two years, I have tried to get more and more portable apps, as it does not mess with your system.

Just a note to all that help on the gizmo site. I have been reading his articles when he still had very few subscribers and no helpers. Over the years, I have read some awesome articles from this site. In addition, I cannot wait for the mail everyday as it gives me an excuse to take a time out.

Just to prove what a great job you folks are doing my pc's are all now about 80% freeware. In addition, this site is my first port of call when it comes to pc related stuff. The only program that I can think of offhand that is not freeware on my pc is MS office as I use it daily and have not found a suitable replacement.

Regards,

Herman Jooste

by brunetu on 5. January 2012 - 14:58  (86612)

Well I don't think I'll find a better time to say this; I've been a member for 2 years (and 6 weeks) and I've come to use mostly freeware as well and also mostly portable (I use Find and Run Robot to launch them) - I feel as safe as I possibly could running a Windows OS.

I've come to appreciate the openness of this website's community almost as much as that of the open-source's one! I believe the only useful/interesting updates I get on facebook are from you. You're doing a great job, we are all thankful for that.

by Chiron on 18. December 2011 - 15:33  (85237)

Thank you.

Please let me know if you have any questions.

by MidnightCowboy on 18. December 2011 - 13:47  (85234)

Thank you for your kind words Herman which are very much appreciated :)

by Buster_BSA (not verified) on 6. December 2011 - 10:03  (84486)

Another approach is analyzing the file yourself with a tool like Buster Sandbox Analyzer.

Buster Sandbox Analyzer is a tool that has been designed to analyze the behaviour of processes and the changes made to system and then evaluate if they are malware suspicious.

http://bsa.isoftware.nl/

by Chiron on 22. December 2011 - 9:07  (85699)

I did look into this and it's a very remarkable tool. It's certainly very useful, but it does require other software to be installed.

I decided not to include it in this article because I'm trying to keep the methods constrained to online services.

Thanks.

by Chiron on 6. December 2011 - 11:30  (84493)

Thank you for pointing this out. I'll look into it during my next rewrite.

by RickeeBoy on 30. November 2011 - 23:03  (84196)

Since I've been with Gizmo from the beginning and that since the Gizmo site has expanded and expanded - I've now got to the position where I'm very hesitant to d/l any s/w NOT recommended by yourselves - I think there has only been a couple of progs in the last 2 years and even then they were sandboxed and expanded - Thanks to all ......... Brilliant Site.

by Chiron on 22. December 2011 - 9:07  (85700)

Thank you very much.

Please let me know if you have any questions.

by MidnightCowboy on 1. December 2011 - 4:27  (84213)

Thank you for your kind words which are appreciated :)

by J_L on 29. September 2011 - 1:44  (80536)

http://anubis.iseclab.org/?action=home

Should be included in 2., because of more features (auxiliary files, URL, etc.)

by Chiron on 29. September 2011 - 5:54  (80547)

Anubis is already referenced in part 2. It's under part C.

by rsmik (not verified) on 11. August 2011 - 4:09  (77420)

Avira sends this explanation for finding safe files harmful (false positives):

The file '__.exe' has been determined to be 'FALSE POSITIVE'. In particular this means that this file is not malicious but a false alarm. Detection will not be removed due to the fact that the file does not belong to a regular piece of software. This software can be used for an evasion of security protections in several computer programs. In case AntiVir can detect this file we will not change or remove our detection.

Conclusion is, Avira will continue to find false positives of files it believes to be harmful to software vendors, not your computer.

by Chiron on 22. December 2011 - 9:08  (85701)

Thank you for the feedback.

I've now changed my approach. Let me know what you think.

by J_L on 10. August 2011 - 23:42  (77410)

http://valkyrie.comodo.com/

How about this new service? I'm not sure how it works or where to put it though.

by Chiron on 11. August 2011 - 18:40  (77490)

Good point. I'll include it in the next rewrite.

by Gildawie on 10. August 2011 - 17:52  (77394)

Good article, but your screenshots of virus checking results seem to indicate that those services don't update their AV programs very often!
Sorry, I couldn't help it, just had to post on that.

by Chiron on 22. December 2011 - 9:08  (85702)

Thank you.

by Papakid (not verified) on 10. August 2011 - 15:41  (77384)

Don't forget Jotti that's pretty much the same as Virus Total:
http://virusscan.jotti.org/en

In fact I think Jotti came first, but I'm not sure. It may be that I just knew about it before I did VT.

Also, it is no longer "almost certain" that you will get good results when submitting samples to AV Labs. My biggest disappointment with Avira was not as much with their associations with Ask and Uniblue, but when they detected a file from Motive that was part of my ISP's DSL modem software as malicious, I submitted it to them and they still said it was malicious after analyses. Before submitting I had scanned it at Jotti and AntiVir was the only AV to flag it--plus online research from other sources like nueber.com and file.net made it pretty obvious it was a legit file. That was the final straw for me that caused me to uninstall AntiVir, which I loved for its protection and configurability.

by JF (not verified) on 10. August 2011 - 16:20  (77389)

I've had the same experience with Avira Antivir - a legitimate file which I had used for years without trouble, submitted to them as a false positive - they denied it, and persisted maintaining it was a virus...

by Chiron on 10. August 2011 - 15:45  (77386)

While it's true that sometimes an AV can have different criteria for evaluating whether a file is malicious, it's also true that most files classified as malicious are malicious.

Of course there are also plenty of examples to the contrary, but if you don't trust the results of an analysis you can always check out the file yourself using the other methods described in this article and add it to your exclusions list.

Thanks.

by Papakid (not verified) on 10. August 2011 - 18:18  (77397)

Thank you for your comment.

Yes, I agree that AV's get it right more often than they get it wrong, but as you've pointed out yourself you do always need to be aware of false positives. My point was that submitting potential false positives and suspicious files to AV's for analyses is usually a rock solid way of determining validity and that Avira's failure, combined with some other factors, caused me to lose faith and trust in them.

As stated, I DID use another of your methods mentioned in the article--scanning the file with Jotti, which is essentially the same as VirusTotal. In addition I used a method not mentioned in your article but that has been used for years at malware removal sites such as Geekstogo, the former TomCoyote site, Spywareinfo, Bleeping Computer and a whole host of others--namely using online research to look at sites with startup databases and other information on files that have been previously examined. There are pitfalls to that method--one must be very objective and use sound reasoning--which is why those sites all have schools that train you how to use this and other methods, but a great deal of malware has been removed just from determinations made via online research.

Because of the pitfalls, I don't recommend that you add that method to your article, but it can be a fast method for those of us with experience. A great tool to use for this method is the Malware Search extension for Firefox and now Chrome. https://addons.mozilla.org/en-US/firefox/addon/malware-search/

The most reliable source of information that this extension allows you to search is at SystemLookup:
http://www.systemlookup.com/

Great article tho and thanks. I have been out of malware removal for a few years now and didn't know about CIMA. It's great to have more good tools out there, even if they do have their own pitfalls that you have been so kind to point out.
