Handling potentially infected files

This is going to be my first post here, so I hope it’s a good one.

Ive come across a file approx. 30gb in size that is supposed to be chalk full of ebooks and schematics for hardware (think macbook schematics in PDF and board view form for repairs). I downloaded it Using a Linux VM and have scanned it with clam AV, which found no threats. To be more on the safe side I was also wanting to move it into a windows VM and let it get scanned with some windows AV as well and check it over for anything fishy. This has me asking a few questions:

  1. Is clam AV any good?

  2. If it is, will it find a windows malware signature?

  3. Can you move potentially infected files?

  4. Do I even need to move them? Is there another linux tool that can handle this?

  5. How do security professionals normally approach these scenarios?

While I do have a specific scenario on my hands, I am interested in discussing the overall methodology on this topic. Can you zip potentially or known infected files to keep them from running between A and B before they’re sand-boxed? Is there another way of containing or otherwise rendering the files useless temporarily? One thought I had was to break the file extensions, make any .PDF into .OLD so that way the files wouldn’t have a clear way to be opened or interacted with. If you cant tell by this point I really have a minimal understanding how malware works. Can an infected file simply by existing on your computer, infect your computer? How common is highly infectious malware? For the purposes of experimentation and better understanding I’d be interested in trying some professional tools and techniques to complete this task.

It is ok, and is really the only free option on linux.

It does, primarily it is an email scanner, but it also checks files, and pretty much only check for windows malware since Linux malware is so rare. I use it on my Linux file server as a backup check for windows installers.

That only stumps windows, and only in some cases. With Linux, you can try to execute pretty much anything that has the correct permissions regardless of file extension.


If you are concerned about moving the file, set up a file share with samba on the Linux VM, connect to it from the other VM, then access the file directly in windows. It will be incredibly slow, but keep the file in the VMs.

If you suspect files are compromised do not - ever - put them on a system you don’t want compromised.

If you’re trying to protect an install of Windows, you should never use that version of Windows to manage the file, not even to copy it.

The best way to handle a suspect file is using a Linux LiveCD or USB session. If the file is compromised, the changes don’t persist across power downs unless the attack is extremely sophisticated.

There are known exploits that detect and attempt to circumvent virtualization, and there are known bugs that allow processes in virtual machines to escape and access the host system.

Virtualization helps isolate things, but you should never count on it to do so. Especially if that VM is connected to a network or has a shared filesystem of any sort.

One thought I had was to break the file extensions, make any .PDF into .OLD so that way the files wouldn’t have a clear way to be opened or interacted with.

This is called “security by obscurity”, and it’s not actually security.

Windows is weird that it treats an identical file.jpg and file.txt differently because of the extension; other operating systems don’t do that. The files themselves contain encoding data to tell applications what type of files they are. Changing the file name doesn’t change that data, so applications (including malware) can still identify what they are.

Sophisticated malware hashes filenames anyway so that any filename or any filetype containing the payload will be used. Even some less-sophisticated malware does this to prevent two script kiddies who used the same exploit with different settings don’t clobber each other.

Can an infected file simply by existing on your computer, infect your computer?

Minimal risk, but there is still some.

In order to compromise your system, the infected file needs to be executed. On a minimal system with no unneeded services, the risk is minimal. On a bloated system with things like image thumbnailers, auto-start or auto-exec, or filesystem indexing services increase the chances that happens.

Malware frequently interferes with the boot process as well. If you’ve previously been compromised, there’s a chance that your infected file could be set to execute automatically.

Minimal risk, but not zero.

How common is highly infectious malware?

Highly infectious is very common. Hard to mitigate is much less common. I’ve seen dozens of machines compromised in seconds in a corporate office environment. Stuff likes to spread.

That particular attack was just a dumb script that barely tried to hide itself, so it was easy enough to correct, but it spread fast.

Governments are in the malware business now, too. They write the nastiest stuff. They’ve got the financing and power to use undisclosed vulnerabilities to drop payloads into the system board that persist across OS installs and drive swaps.

Casual users generally don’t get hit by that stuff, but it does happen now and then. If you or your devices work near anything of “strategic value”, the risk for that goes up substantially.

For the purposes of experimentation and better understanding I’d be interested in trying some professional tools and techniques to complete this task.

General purpose LiveCD/USB tools:
https://www.kali.org/
https://tails.boum.org/

If you’re looking for a much more casual use tool, various anti-virus companies produce Linux LiveCDs for scanning Windows systems without actually booting the Windows system.

Kaspersky
BitDefender
AVG (Looks dead, but docs still exist)

2 Likes

Im going to make a isolated virtual network in VMware between the windows and linux VMs and do this.

This is very interesting, and make sense. While a user isn’t executing the file themselves, another software may look at an image in order to generate the thumbnail thusly giving attached malware a chance to execute.

Im guessing security oriented versions of OSs like the windows COmmando VM or kali will have this hardening done already?

What about a simple zip file? Or making a tar ball? Would something windows doesnt know what to do with make something safe to transport?
Encrypting the hypothetical file surly would render it inert, and be unable to do anything until decrypted.

Can’t say about windows, other than you can set policy rules to i.e. prevent unsigned executables from running.
And kali isn’t ‘hardened’ in that sense, it’s a ‘security focused’ distro because it’s a tool designed for red-teaming.
If you’re looking for a pre-hardened distro, look at qubes.

Altho any distro will realistically work fine, just set a ‘noexec’ mount flag for the /home directory to prevent executables from your home folder, or tweak with selinux if you want more bells and whistles and easy logs if anything suspicious is going down in a *nix environment.

Not to negate anything mentioned above, but my personal experience leads me to believe there isn’t a ton of risk associated with downloading/handling “potentially infected files” in linux (defining “potentially infected” as unknown/un-trusted here). Admittedly this could be luck, or to some degree naivete - but over the course of 10 years (and tons of installs - currently managing a handful of linux workstations in the office I’ve set up for employees (all open admin privileges w/ multiple users) - I’ve YET to run across a discernible problem. So I guess I’ve come to feel that concerns about viruses/etc tend to be hyped/over blown, further complicated by the fact that it’s in MS/anitvirus dev/affiliates’ best interest for you to be afraid (well, not saying they’re completely wrong, windows is a different story).

But maybe luck has led me to be lazy/overlook the risks - I’m curious what other folks think/other experiences?

To clarify what I mean, let’s take for granted: the government is certainly spying on you through software AND hardware; best practices should be observed for your particular situation (special regards to sensitive personal info/materials, general security culture).

To answer the OP, if I was concerned about a particular file I would download/open it in a machine I wasn’t concerned about damaging. I get that might not be an immediate option for everyone (I happen to like collecting free legacy gear and frankensteining in together), but you can pick up an old 32-bit
workstation or “broken” personal computer off craigslist to use as a download box/media server, often for <$50.

It’s not so much a question about to be worried about infected binaries which AV could detect imo (or mischief code pushed to a package before compilation), I’m more worried about what can be achieved for malicious purposes with simple scripts.

Linux has a ton of tools built-in, and a script/payload could set up a machine to i.e. sync files and keystrokes back to an attacker easily without needing to install ‘infected files’.

Proactive measures against those -potential- threats include, but not limited to, execution prevention from certain directories like /home & cache dirs, and write-protecting also user-owned config files (.bashrc anyone?).

Not saying it’s common or something to actually worry about per se, but just saying that people who think linux is super secure, tend to think about threats associated to the windows world.
Same goes for Mac OS, I wouldn’t give it any kind of security certification out of the box.

1 Like

My thinking here was that if someone was packaging some garden variety malware in a torrent / freeware type setup as bait, their target would be windows systems which linux is of course immune to windows oriented infections. While there is state actors that can pwn a system, or more specialized skillsets that can pwn my VMs, I was thinking more practically that this isnt likely, and that I just need to insulate the potential for windows malware against my windows host. i see it a lot like picking out a safe. Sure any safe can be cracked by the feds, or a potential cat burgler style theif could get in, but I dont really have anything that would attract those skill-sets my way so the focus is just making sure it cant be pried open or carried off.

I do enjoy you suggestions for hardening linux however, and will be implementing those ideas on my daily debian system, see how it feels for daily use.

1 Like

Can’t comment much about windows apart from policy management tweaks, I’m just way more familiar with linux.
As with any system security is about assessing potential risks and locking everything down/isolation while still keeping everything usable.
And we don’t generally need to worry about government actors or APT’s, but rather bug exploitation and uncalled processes.

From a security perspective X is a nightmare, scripting is easy, addons might misbehave, web browsers with capabilities (CAP SYS_adm=root) sounds horrifying.

There was an interesting awereness-campaign ‘ad’ a few years back: when spotify had an ad, which when ran, opened up your web browser and started to open up dozens of weird websites, windows and popups.
Just to show that our typical systems we use today are far from secure ootb.
Altho that campaign was quickly terminated because someone thought it was too aggressive and made people uneasy.
Or maybe Apple didn’t want a smudge in their brand.

That makes sense. The more I think about it, the more I think I’ve gotten a bit complacent. Appreciate the tips.