It happens to me two or three times each week: Friends, colleagues or random people from the Internet send me e-mail describing strange system behavior, wondering if they are infected with a virus or worm despite the fact that their AV tool doesn't report any suspicious files. Sometimes, the woeful request even includes a file attachment such as a wayward .exe, .dll, .pif, .scr, or some other concoction that the potential victim thinks might be the malware itself.
Users can receive these suspect files in a variety of ways: via shifty-looking e-mail or from their browser suddenly downloading a file. Sometimes programs mysteriously appear in the file system, possibly placed there through over-permissive file sharing mechanisms or a vulnerability exploited by a worm. Ultimately, these e-mail requests almost always end with one of two questions: "So, is my system infected?" or "So, is this file really malicious?"
Luckily, there are a variety of free resources on the Internet you can use to scan your entire system for infection or to analyze an individual file to see if it is malicious. These services augment your existing antivirus tools, but do not replace them. If your own antivirus tool gives your system or a file a clean bill of health, you can turn to these services to get a second opinion, just as you might check with another doctor if your own health were on the line. And, best of all, these free scanning mechanisms do not require you to
Several antivirus companies offer free Web-based services you can use to scan your entire system for infection. Since they scan an entire machine for viruses and worms, I refer to these tools as "system scanners" to differentiate them from the "file scanners" which I'll discuss later. With a system scanner, simply surf to the site, click on a button typically labeled "scan now", and watch as your system is scanned. Here is a list of my three favorite Web-based system scanners for Windows machines:
- Computer Associates' system scanner. This tool has a very easy to use point-and-click interface with results that are simple to understand.
- Symantec's system scanner. This solid scanning tool is one of the faster ones. Also, beyond an antivirus scanner, this site also includes a separate scanner to look for common Windows vulnerabilities and Trojan Horses.
- Trend Micro's system scanner. This tool is also very good, featuring reports showing more detail about potential infections than the other services.
Most of these system scanners are implemented via ActiveX controls the Web site sends to your browser. Therefore, depending on your browser configuration, you may need to permit a single ActiveX control to run on your system. Given that a major antivirus vendor runs each of these sites, allowing such access is likely quite reasonable in most organizations. Furthermore, by pushing the ActiveX control to your browser, where the scanning occurs, none of these services involves sending any of your files across the Internet for inspection. All scanning is done locally. Remember that none of these system-scanning services is a replacement for a solid antivirus tool installed locally. They give you a good second opinion, but require you to manually surf to their Web sites to initiate a scan.
But what if you only need to check an individual file? That's where free Web-based file scanners come in handy. For each of these services, you can submit a single file or an archive containing a group of files. The service then runs one or more antivirus tools against the file and sends you the results. All scanning takes place at the services' machines, so no new software at all runs on your system, not even an ActiveX control. Here is a list of some of my favorite Web-based file scanners:
- Virustotal.com's file scanner. This Web site is the best one I've found for scanning individual files. (I use it all the time.) You can submit a suspicious file or archive by filling out a Web-based form, thereby sending the file via http. Alternatively, you can send the suspect file via e-mail to email@example.com. The beauty of this service is that they will scan your file with 11 different antivirus tools, including ClamAV, CA, Eset Software, FRISK Software, Kaspersky Labs, McAfee, Norman, Panda Software, Softwin, Sybari and Symantec. You'll get the diagnosis from each of these tools in a nice little report. Once you've submitted a file, you'll typically hear back within five seconds to two minutes.
- Kaspersky's file scanner. This one lets you submit files via a Web form, and get a response within a few seconds
- Symantec's file scanner. This scanner lets you submit files via e-mail. You'll need to zip the file in a password-protected zip archive with the password "infected" and send it to AVSubmit@symantec.com. They claim they'll respond within 24 hours with the verdict, although every time I've used the service, I get the results back in about an hour.
Keep in mind that these file-scanning services merely attempt to see if the file you submit matches any of their respective signatures. Your file might get a clean bill of health in these scans, but could still be very malicious. It's possible that you've received custom-created malicious code for which no signature has been created. Therefore, use the results of a file scanner as a single data point in your decision about whether the suspect file is really malicious. However, even given this limitation, these free services are immensely helpful in identifying infected systems and malicious code.
About the author
Ed Skoudis, CISSP, is cofounder of Intelguardians Network Intelligence, a security consulting firm, and author of Malware: Fighting Malicious Code (Prentice Hall, 2003).
This was first published in November 2004