Quickly determine if a file is a malicious file

Source: Internet
Author: User
Tags: website server

When using a computer you often run into files you cannot fully trust: cracked games or software, keygens and registration-code generators, small utilities, files sent by the other party in an online transaction. Such files may carry viruses or Trojans, or show rogue behaviour such as modifying Internet Explorer settings. Opening them is unsafe, but leaving them unopened is inconvenient. Here are some ways to determine whether a file is safe.

First, inspecting the file's properties

1. Judging by the file name

Inspecting the file's properties is the simplest and quickest method, but it only works against viruses and Trojans disguised as normal files, the kind that typically spread through online shopping and USB drives. The most typical tricks are the double extension and the Unicode right-to-left override: a file named "photo.gif.exe" or "cargo exe.jpg" is almost certainly a problem.

The first trick targets users who have not cleared "Hide extensions for known file types" in Folder Options. Such a user receiving "photo.gif.exe" sees only "photo.gif", easily takes it for a GIF image, and opening it almost certainly causes trouble. Admittedly, QQ and Aliwangwang appear to force-rename executable files, which avoids most such incidents. The second trick targets careless users who do not look closely at the properties of unfamiliar files and mistake something like "cargo exe.jpg" for a JPEG image when it is in fact an executable; running it ends in tragedy once again.

The main thing is to turn off "Hide extensions for known file types", as follows:

Click Start Menu -> Control Panel -> Folder Options, then set the options as shown in the figure below.

Of course, a double extension or override trick that does not end in an executable extension is little cause for concern. Executable extensions include EXE, BAT, COM, MSI and so on. CAD files, Office files and PDF files also deserve attention, because they can be infected (CAD viruses, macro viruses and the like); opening an infected one may damage the normal CAD and Office files on the computer. Where possible, open such files with the latest genuine software, or consider installing antivirus software that guards against CAD and macro viruses, such as 360; for PDF files the latest official version of Adobe Reader, Foxit Reader or similar is sufficient.

Beyond the double extension and the override trick, some other file names need attention: names that are too simple, such as 1.exe or D.exe; names very close to those of system files or well-known software, such as ExpIore.exe or QQDown1oad.exe; names that look like URLs, such as wenwen.soso.com or www.baidu.com; and files with extensions such as HTA, PIF or VBS, which should not be opened at all.
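The file-name rules of this section, collected into one checker as an added example (it is not code from the original article): it flags double extensions, the Unicode right-to-left override (RLO) trick, one-character names, lookalike names built from I/1/0 substitutions, URL-like names and script extensions. The extension sets, the TLD list and the set of imitated program names are my assumptions, not from the page.

```python
"""Filename heuristics from the section above: double extension, the Unicode
right-to-left override (RLO) trick, one-character names, lookalike names,
URL-like names and script extensions. Example code added for this page; the
extension sets and the list of imitated names are assumptions, not from the page."""
import re

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE: Explorer renders the text after it reversed

# Executable extensions named on the page (EXE, BAT, COM, MSI); SCR and CMD are assumed additions.
EXECUTABLE_EXTS = {"exe", "bat", "com", "msi", "scr", "cmd"}
# Script/shortcut extensions the page says not to open (HTA, PIF, VBS); JS and WSF are assumed additions.
SCRIPT_EXTS = {"hta", "pif", "vbs", "js", "wsf"}
# Extensions a user reads as a harmless document; the decoy half of a double extension (assumed set).
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "bmp", "txt", "doc", "docx", "pdf", "xls"}
# Program names that lookalike files imitate (page examples: ExpIore.exe, QQDown1oad.exe); assumed set.
IMITATED_NAMES = {"explore", "explorer", "qqdownload", "svchost", "rundll32"}
# Two or more dots followed by a TLD: "wenwen.soso.com", "www.baidu.com" (assumed TLD list).
URL_LIKE = re.compile(r"^(www\.)?[a-z0-9-]+(\.[a-z0-9-]+)+\.(com|cn|net|org|cc)$")


def fold_homoglyphs(text):
    """Map the usual substitutions (I/1/| for l, 0 for o) back so lookalikes collide with the real name."""
    return text.translate(str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o"})).lower()


def rendered_name(name):
    """The name as Explorer displays it: everything after an RLO character appears reversed."""
    if RLO not in name:
        return name
    head, tail = name.split(RLO, 1)
    return head + tail[::-1]


def analyze_filename(name):
    """Return the list of reasons the name looks suspicious (empty list means no heuristic fired)."""
    reasons = []
    real = name.replace(RLO, "")                # the name the file system actually uses
    parts = [p.strip().lower() for p in real.split(".")]
    ext = parts[-1] if len(parts) > 1 else ""
    raw_stem = real.rsplit(".", 1)[0].strip() if len(parts) > 1 else real.strip()

    if RLO in name:
        reasons.append(f"RLO trick: shown as {rendered_name(name)!r} but the real extension is .{ext}")
    if len(parts) >= 3 and ext in EXECUTABLE_EXTS | SCRIPT_EXTS and parts[-2] in DECOY_EXTS:
        reasons.append(f"double extension: .{parts[-2]} decoy in front of .{ext}")
    if ext in SCRIPT_EXTS:
        reasons.append(f".{ext} is a script/shortcut type that should not be opened")
    if ext in EXECUTABLE_EXTS and len(raw_stem) <= 1:
        reasons.append("executable with a one-character name")
    folded = fold_homoglyphs(raw_stem)
    if folded in IMITATED_NAMES and raw_stem.lower() != folded:
        reasons.append(f"lookalike of {folded}.{ext}: uses I/1/0 in place of l/o")
    if URL_LIKE.match(real.lower()):
        note = " (and .com is also an executable extension)" if ext == "com" else ""
        reasons.append("name looks like a URL" + note)
    return reasons


def is_suspicious(name):
    return bool(analyze_filename(name))


if __name__ == "__main__":
    # Constructed names, not real samples: the page's examples plus two benign controls.
    for n in ["photo.gif.exe", "photo" + RLO + "gpj.exe", "1.exe", "ExpIore.exe",
              "QQDown1oad.exe", "wenwen.soso.com", "setup.vbs", "report.pdf", "explorer.exe"]:
        print(f"{rendered_name(n):20} -> {analyze_filename(n) or 'no heuristic fired'}")
```

The RLO case is the one worth studying: the file system sees "photogpj.exe" while Explorer shows "photoexe.jpg", so any check has to strip the override character and take the extension from the real name, as `analyze_filename` does.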

2. Judging by the digital signature

A program's digital signature identifies its publisher and is used mainly to verify the software's integrity, that is, whether it has been modified since release. Software produced by a legitimate company carries a valid digital signature.

If software claims to come from a legitimate company, or its name or file name is that of a well-known product, yet it has no valid digital signature, you can be sure it is counterfeit. Software whose digital signature is invalid is more suspicious than software with no signature at all, because the invalidity is not visible directly in the file's properties and the program is easily mistaken for a legitimate company's. Note that most cracked and third-party modified software is unsigned, which is dangerous because there is no way to verify whether it has been modified since publication.

Digital signatures are checked as follows (using Maxthon 3 as an example):

1. Right-click the Maxthon 3 main program (Maxthon.exe), select Properties from the pop-up menu, and click the Digital Signatures tab in the Properties window:

2. In the Digital Signatures tab, select the signature and click Details to view the certificate details:

Here pay special attention to whether the digital signature is valid: a valid signature means the software is trustworthy, an invalid one means it is suspicious. Also look at the issuer; an obscure issuer deserves attention. Some of the more common issuers are COMODO, VeriSign, Microsoft and so on.
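The Properties dialog above does the full check (certificate chain, revocation, file hash). As an added example, not code from the article, Maxthon or Microsoft, the following reads only the first step of that check programmatically: whether the PE file has an Authenticode certificate table at all, which separates the "unsigned" case the section warns about from the signed cases. It parses the PE headers with the standard library; the tiny test image it builds is a constructed placeholder with a dummy certificate body, not a real signed binary, and validity is deliberately not judged here.

```python
"""Read a PE file's IMAGE_DIRECTORY_ENTRY_SECURITY entry to see whether an
Authenticode signature is embedded at all. Example code added for this page,
not Maxthon's or Microsoft's; it reports presence and certificate type only.
Whether the signature is valid (chain, revocation, file hash) is what the
Properties dialog checks and is not verified here."""
import struct
import sys

WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # Authenticode signatures use PKCS#7 SignedData
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def find_authenticode(data):
    """Return (file_offset, length, cert_type) of the WIN_CERTIFICATE header, or None if unsigned."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt = e_lfanew + 4 + 20                           # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                # PE32
        count_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                              # PE32+
        count_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    if struct.unpack_from("<I", data, count_off)[0] <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None
    # Unlike the other directories, the security entry holds a raw file offset, not an RVA.
    cert_off, cert_size = struct.unpack_from("<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if cert_off == 0 or cert_size == 0:
        return None
    if cert_off + 8 > len(data):
        raise ValueError("security directory points outside the file (truncated or tampered)")
    length, _revision, cert_type = struct.unpack_from("<IHH", data, cert_off)
    return cert_off, length, cert_type


def signature_status(data):
    found = find_authenticode(data)
    if found is None:
        return "unsigned: no Authenticode certificate table"
    _, _, cert_type = found
    if cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        return "signed: PKCS#7 SignedData embedded (validity not checked here)"
    return f"signed with unexpected certificate type 0x{cert_type:04x}"


def build_minimal_pe(signed):
    """Constructed PE32 test image: headers only, optionally followed by a dummy WIN_CERTIFICATE."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)   # i386, SizeOfOptionalHeader=224
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)  # magic ... NumberOfRvaAndSizes
    dirs = [(0, 0)] * 16
    cert = b""
    if signed:
        body = b"\xde\xad\xbe\xef"                    # placeholder, not real SignedData
        cert = struct.pack("<IHH", 8 + len(body), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body
        dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (e_lfanew + 4 + 20 + 224, len(cert))
    opt += b"".join(struct.pack("<II", va, size) for va, size in dirs)
    return dos + b"PE\0\0" + coff + opt + cert


if __name__ == "__main__":
    if len(sys.argv) > 1:                             # e.g. python check_sig.py Maxthon.exe
        print(signature_status(open(sys.argv[1], "rb").read()))
    else:
        print(signature_status(build_minimal_pe(True)))
        print(signature_status(build_minimal_pe(False)))
```

Run it with a path to an EXE to see whether a certificate table is present; a "signed" result still has to be followed by the validity check in the Properties dialog, since a tampered file can keep a now-invalid signature, which is exactly the case the section calls more suspicious than no signature at all.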

Second, judging by the results of a multi-engine scanning site

This is another quick way to judge whether a file is a virus or Trojan.

A multi-engine scanning site runs antivirus engines on its own servers: the user uploads a file, it is scanned, and the results are returned. With these results it is sometimes possible to determine quickly whether a file is a virus.

Take http://virscan.org/ as an example. The site accepts uploads smaller than 20M, and if the file is an archive it must contain no more than 20 files. It scans files that meet these requirements with some 30 antivirus engines, including Avira, AVG, Avast, BitDefender, Dr.Web, Kaspersky, Jiangmin, Rising, Kingsoft, McAfee, Norton, ESET NOD32 and Panda, and reports the results to the user.

Generally speaking, when every antivirus engine flags a file, or the several well-known engines just mentioned all flag it, the file is almost certainly malicious and opening it will cause problems. If no engine flags it and the file has been circulating on the network for some time, it is almost impossible for it to be malware.

More often, some engines flag the file and others do not. Then you need to weigh both which engines flag it and what the detection names say. When well-known engines, especially those with low false-positive rates in AV-Test and AV-Comparatives tests, flag the file, it can generally be taken as genuinely problematic. The detection name also tells you why the engine considers the file malicious: Backdoor means a back door, i.e. the software's author may bypass security controls and gain access to the program or system; Spy and Trojan denote spyware, i.e. the author may use the software to collect user information secretly without permission; Malware denotes a virus that can infect and damage computers; Win32 commonly appears in virus names; Generic indicates a heuristic-engine detection, the kind with the highest likelihood of false positives; and so on. Details can be looked up on the vendor's official site.
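The weighing rules of the last three paragraphs, written out as an added example (not code from the article or from VirSCAN): unanimous detections give "malicious", unanimous silence on a file that has been around for a while gives "clean", and a mixed result is decided by whether a well-known engine reports a specific (non-heuristic) name, with the name fragments the section explains decoded alongside. The set of engines treated as well-known, the 30-day age cutoff and the sample scan results are constructed assumptions, not values from the page.

```python
"""Weigh a multi-engine scan result the way the section above describes:
unanimous detections are malicious, unanimous silence on an old file is
clean, and mixed results are weighed by which engines fired and by what the
detection names say. Example code added for this page; the engine set, the
age threshold and the sample results are constructed assumptions."""

# Engines treated here as well-known, low-false-positive performers (assumed set).
REPUTABLE_ENGINES = {"Kaspersky", "ESET-NOD32", "BitDefender", "Avira", "McAfee",
                     "Symantec", "Microsoft", "DrWeb"}

# Meaning of the name fragments the page explains.
NAME_TOKENS = {
    "backdoor": "backdoor: author may bypass security controls and gain access",
    "spy": "spyware: covert collection of user information",
    "trojan": "trojan: covert collection of user information",
    "malware": "infects or damages the computer",
    "win32": "platform tag seen in many virus names (not a severity)",
    "generic": "heuristic-engine detection, highest false-positive likelihood",
}
OLD_ENOUGH_DAYS = 30   # assumed cutoff for "has been on the network for some time"


def describe_detection(name):
    """Explain every known fragment of a detection name, e.g. 'Backdoor.Win32.Agent'."""
    lowered = name.lower()
    return [meaning for token, meaning in NAME_TOKENS.items() if token in lowered]


def is_heuristic(name):
    lowered = name.lower()
    return "generic" in lowered or lowered.startswith("heur")


def verdict(results, file_age_days=0):
    """results maps engine name -> detection name, or None when the engine found nothing.
    Returns (label, explanation) with label in {malicious, suspicious, clean, unknown}."""
    if not results:
        raise ValueError("no engine results")
    hits = {engine: name for engine, name in results.items() if name}
    total = len(results)
    if len(hits) == total:
        return "malicious", f"all {total} engines detect the file"
    if not hits:
        if file_age_days >= OLD_ENOUGH_DAYS:
            return "clean", "no engine detects a file that has been public for some time"
        return "unknown", "no detections, but the file is too new for silence to mean much"
    reputable = {e: n for e, n in hits.items() if e in REPUTABLE_ENGINES}
    specific = {e: n for e, n in reputable.items() if not is_heuristic(n)}
    if specific:
        engine, name = next(iter(specific.items()))
        why = "; ".join(describe_detection(name))
        return "malicious", f"{len(hits)}/{total} engines detect; {engine} gives a specific name {name!r}: {why}"
    if reputable:
        return "suspicious", (f"{len(hits)}/{total} engines detect, but well-known engines only report "
                              f"heuristic names: {sorted(reputable.values())}")
    return "suspicious", f"{len(hits)}/{total} engines detect, none of them well-known: {sorted(hits.values())}"


# Constructed sample, not a real scan report.
SAMPLE_RESULTS = {
    "Kaspersky": "Backdoor.Win32.Agent.abc",
    "ESET-NOD32": "Win32/TrojanDownloader.Agent",
    "Avira": "TR/Dropper.Gen",
    "BitDefender": None,
    "McAfee": None,
    "TinyAV": "Generic.Malware.123",
}

if __name__ == "__main__":
    label, why = verdict(SAMPLE_RESULTS, file_age_days=3)
    print(label, "-", why)
```

The point of `is_heuristic` is the section's own caveat: a Generic or HEUR name from a well-known engine is a reason to keep digging, not a conviction, while the same engine naming a specific backdoor or Trojan family is.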

Third, judging by an online automated analysis system

Even after the first two methods, many files still cannot be judged normal or Trojan. At that point you could use a sandbox, a virtual machine, or HIPS software with prepared rules to decide, but judging samples this way is rather difficult; moreover a sandbox can be escaped and HIPS rules may have loopholes. So here is a less used but safer and more straightforward approach: an online sandbox (some call it an online automated analysis system). At present only Kingsoft Fire Eye and Comodo Instant Malware Analysis are open to the public, and since Kingsoft Fire Eye requires an invitation code, only Comodo's is introduced here.

Comodo Instant Malware Analysis is at http://camas.comodo.com. It automatically runs the uploaded file and records its behaviour: file and folder creation, deletion and modification; registry key and value creation, deletion and modification; driver loading and unloading; module loading; API calls; URLs visited and DNS modifications; and finally it draws a conclusion (the Verdict). Dangerous behaviour and the final result are marked in red.

We only need to pay attention to the red parts, especially the conclusion, which Comodo Instant Malware Analysis labels "Verdict".

If the file is unsafe, the Verdict is "suspicious", meaning the file performed operations that only viruses and Trojans perform; if the file is dangerous a "+" is appended, and the file can then almost certainly be taken for a virus or Trojan. Even without the "+", such files are dangerous and running them is not recommended.

The second result is "undetected": no suspicious behaviour was detected and everything the software did was normal. Such a file is not a virus and can be run with confidence.

The third result is "unexecutable": the file cannot run on its own. If it is a single file, you can rest assured.

Fourth, other methods

Besides the methods above there are others, such as checking with the cloud features of reputable software: Kaspersky KSN, Norton File Insight, 360's Lightning Cloud Appraiser and so on. Generally these report the file's safety rating (temporarily risk-free, good, and so on), its number of users and how long it has been around; files that have been circulating for a long time are almost certainly safe.

These are all simple methods; used in combination, the chance of a misjudgement is small but still present. The most reliable way is to request technical support from the vendor of the antivirus software you use, by e-mail, telephone or other means; if you use free antivirus software, you can only post on the vendor's official forum and request an official identification. Paid users who send an e-mail get a result within a day at most: usually an acknowledgement a few minutes after the mail is received, identification of the suspicious file within 10 hours, and if the file can be repaired, the repaired file is sent back, generally through remote assistance over QQ or similar. A free-software user's forum post generally gets an official reply within an hour or two, but the time to identify the sample is hard to predict: a day if fast, no news at all if slow.
