How to Recognize Infected Files

Nobody's perfect, not even your antivirus, and you know it all too well. Just yesterday your computer caught a nasty virus even though your trusted antivirus was running perfectly. A suspicious program, an antivirus scan, and the verdict? "The program is safe. Go ahead and open it!"

Instead, no! The downloaded program contained a very dangerous virus. Still, every cloud has a silver lining: you've learned your lesson. Never trust the verdict of a single antivirus. Instead, find out whether a file is infected by checking it with several antivirus engines at the same time.

Don't worry, you won't have to install three or four antivirus products on your computer (they would step on each other's toes and slow down your PC). You simply use an online service to scan the files you find suspicious: the same file is checked with the engines of the best-known antivirus vendors in the world, and you learn whether it is really safe or not, without slowing down your PC at all. Sounds good, doesn't it? Then don't waste any more time and find out how to recognize infected files by following the instructions below.

VirusTotal

The first solution I would like to recommend is VirusTotal: a free online service that lets you recognize infected files using 68 different antivirus engines, including Avast, AVG, Bitdefender, ESET, Kaspersky and many others. It requires no registration and saves a lot of time because it recognizes files that have already been examined by other users. In short, if you submit a file that someone else has already submitted, VirusTotal notices (it identifies files by their cryptographic hash) and offers you the existing scan result immediately, without uploading the file to its servers again, which is a considerable time saver.

To use VirusTotal, go to the service's home page. The interface is in English; if you prefer another language, click English at the bottom right and choose your language (for example Italian) from the menu that appears.

Now you can get to work. Click the Upload and analyze file button, select the file you want to examine and wait for it to be uploaded to VirusTotal's servers (files up to 256MB were accepted at the time of writing). Alternatively, if you want to scan a file that is already on the Internet, click the URL tab and type its address in the bar that appears in the center of the screen. If the file you selected has already been scanned with VirusTotal, the service shows you the scan results instantly.

On the page that opens, check the counter at the top: No engine found this file means that none of the engines detected anything (strong evidence, though not proof, that the file is clean). If instead it reads xx engines detected this file, that many scanning engines consider the file potentially dangerous.

Note that if a file scanned with VirusTotal is flagged as "suspicious" by only one or two engines while all the others report it as "clean", it is most likely a false alarm and nothing to worry about. Do check which engines flagged it and what the Community tab says before deciding, though, because very new or targeted malware also starts out with only a handful of detections. If, on the other hand, the number of detections is higher, stay away from the file in question and delete it.

To find out which antivirus engines considered the uploaded file potentially dangerous, click the Detection tab: you will find the list of all the engines used by VirusTotal, each with its response on the analyzed file and the name of the threat it detected. Entries in red indicate a detection of a virus or potentially harmful file.

For even more detailed information on the scan results, click the other tabs on the site: Details, for advanced details on the analyzed file (e.g. creation date, hashes and so on); Relations, for a list of other files already checked by VirusTotal that are related to the file you uploaded in some way (e.g. zip archives that contain it); Behavior, for technical details about what the file does when run (e.g. the Windows registry keys it queries, the system files it uses, and so on); and Community, for user comments about the file in question (a very useful section when there are one or two detections and you need to understand whether the file is really infected or not).

If the file you uploaded had already been checked on VirusTotal and you were instantly shown the page with the scan results, you can click the circular-arrow (Reanalyze) icon at the top right to force a new scan. This is usually not necessary, but it can be useful in the most "thorny" cases, for example when the existing report is old and engines have since been updated.
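The web flow above, hash-based recognition of already-scanned files, the "xx engines detected this file" counter and the Detection tab, can be reproduced from a script. The following is an added example written for this page, not VirusTotal's own code: it assumes the public VirusTotal API v3 endpoint GET /api/v3/files/{hash} with the API key passed in the x-apikey header (a free account provides one), and its SAMPLE_REPORT is a constructed report in that shape, not a real scan. It also applies the false-positive rule from the text, with one refinement: one or two detections are labelled "review" rather than "clean".

```python
"""Look up a file on VirusTotal by SHA-256 and interpret the detection counts.

Added example; not VirusTotal's own code. Assumes the public VirusTotal API v3
endpoint GET /api/v3/files/{hash} with the API key in the x-apikey header
(a free account provides one). SAMPLE_REPORT is constructed for illustration.
"""
import hashlib
import json
import os
import sys
import urllib.error
import urllib.request
from typing import Dict, Optional, Tuple

VT_API = "https://www.virustotal.com/api/v3"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the bytes: the identifier VirusTotal keys its reports on."""
    return hashlib.sha256(data).hexdigest()


def fetch_report(sha256: str, api_key: str) -> Optional[dict]:
    """GET /files/{hash}. Returns the parsed JSON, or None on 404 (hash never seen).

    Only the hash is sent; if a report exists, the file itself never leaves
    your machine. None means you would have to upload it for a fresh scan.
    """
    req = urllib.request.Request(f"{VT_API}/files/{sha256}",
                                 headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        if exc.code == 404:
            return None
        raise


def flagging_engines(report: dict) -> Dict[str, str]:
    """Engine -> detection label for each malicious/suspicious verdict (the red rows)."""
    results = report["data"]["attributes"]["last_analysis_results"]
    return {name: r["result"] for name, r in results.items()
            if r.get("category") in ("malicious", "suspicious")}


def verdict(report: dict, noise_threshold: int = 2) -> Tuple[str, int, int]:
    """Summarize last_analysis_stats as (label, flagged, scanned).

    flagged = malicious + suspicious; scanned = engines that returned a verdict
    (timeouts and type-unsupported are excluded so they don't dilute the ratio).
    1..noise_threshold hits are labelled 'review', not 'clean': usually a false
    positive, but fresh or targeted malware looks exactly the same at first.
    """
    stats = report["data"]["attributes"]["last_analysis_stats"]
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    scanned = flagged + stats.get("harmless", 0) + stats.get("undetected", 0)
    if flagged == 0:
        label = "clean"
    elif flagged <= noise_threshold:
        label = "review"
    else:
        label = "malicious"
    return label, flagged, scanned


# Constructed sample in the shape of a v3 file report (engine names and labels are made up).
SAMPLE_REPORT = {"data": {"attributes": {
    "last_analysis_stats": {"malicious": 2, "suspicious": 0, "undetected": 60,
                            "harmless": 0, "timeout": 1, "type-unsupported": 5},
    "last_analysis_results": {
        "EngineA": {"category": "malicious", "result": "Sample.Label.A"},
        "EngineB": {"category": "malicious", "result": "Sample.Label.B"},
        "EngineC": {"category": "undetected", "result": None},
        "EngineD": {"category": "type-unsupported", "result": None},
    },
}}}


if __name__ == "__main__":
    # Usage: VT_API_KEY=<key> python vt_lookup.py <file>
    with open(sys.argv[1], "rb") as fh:
        digest = sha256_hex(fh.read())
    key = os.environ.get("VT_API_KEY")
    report = fetch_report(digest, key) if key else None
    if report is None:
        print(f"{digest}: no existing report (set VT_API_KEY, or upload the file)")
    else:
        label, flagged, scanned = verdict(report)
        print(f"{digest}: {label} ({flagged}/{scanned} engines flagged)")
        for engine, detection in sorted(flagging_engines(report).items()):
            print(f"  {engine}: {detection}")
```

Looking a file up by hash first is also the privacy-friendly order: a document that is already known to VirusTotal never has to be uploaded, and anything you do upload becomes visible to other users of the service.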

What's that? You find VirusTotal extremely useful but the upload procedure seems a little too cumbersome? No problem, you can install VirusTotal Uploader: a small free program that lets you upload files to VirusTotal directly from the Windows context menu. Just right-click the suspicious file, select Send to from the context menu and choose VirusTotal as the destination. Easier than that?!

To download VirusTotal Uploader to your PC, go to this web page and click Download the App here. When the download is complete, double-click the file you just downloaded (vtuploader2.2.exe) and, in the window that opens, click Yes, then I Agree (to accept the program's terms of use), Next, Install and Close to finish the setup.

Now, to check a particular file with multiple antivirus engines at once, all you have to do is right-click it and click VirusTotal in the Send to menu. Within a few seconds, the web page with the VirusTotal scan results will open.

Please note: VirusTotal Uploader is no longer officially supported and its development stopped some time ago, but it still works very well on the most recent versions of Windows (I tested it on Windows 10). However, its operation is not guaranteed in the future.

If you use a Mac instead, you can download the version of VirusTotal Uploader designed for macOS, which is as simple to use as the Windows version. To download VirusTotal Uploader for Mac, go to this web page and click Download the App here.

When the download is complete, open the dmg package that contains VirusTotal Uploader, drag the program icon into the macOS Applications folder and start it by right-clicking its icon and selecting Open from the menu that appears. This is only necessary on the first launch, to bypass the macOS restriction on apps from developers not certified by Apple.

At this point, just drag the file to be scanned into the VirusTotal Uploader window and wait for the scan result, which is shown directly in the program. To view the result on the site instead, click the link in the Permalink column.

If you need it, note that VirusTotal is also accessible from the context menu of Chrome and Firefox: just install the service's official extensions and call them up when you come across an address or a file to be examined online.

Metadefender

Metadefender is one of the best alternatives to VirusTotal: it is another web service that lets you scan files with the engines of multiple antivirus products at the same time. It is free, requires no registration and supports files up to 200MB (compressed archives must not contain more than 50 files).

To check a file with Metadefender, go to the site's home page and drag the file into the browser window, more precisely into the box labelled Drag and drop a suspicious file to start analysis. If, on the other hand, you want to check a file that is already on the Internet, type its address in the bar in the center of the screen and click Analyze.

Like VirusTotal, Metadefender also checks whether the selected file has already been examined by other users and, if so, instantly displays the results page. Otherwise, it proceeds to upload the file to its servers.

The scan results page is very easy to read: under the heading Metadefender critical detection results there is a list of all the antivirus engines that detected potential threats in the scanned file, with the names of the threats in question. By clicking View full multiscan report (below) you can see the complete list of engines supported by Metadefender (e.g. AVG, Avira, Bitdefender, F-Prot, Sophos etc.), each with its response on the scanned file.

Metadefender also offers a program to download to your PC which, unlike VirusTotal Uploader, does not let you pick a single file and check it with the online service. Rather, it is a security tool that, without requiring installation, examines the running processes, the programs installed on the PC and the files in the main system folders in order to detect security threats. To download it, go to this web page and click the Download button in the right sidebar.

Once the download is complete, start the executable (Metadefender-Client-Cloud_xx.exe), click Yes and within a few seconds the program will begin checking the sensitive areas of the system.

When the scan is complete (it may take a few minutes), you will find the list of suspicious files in the Suspicious files tab, while the Logs tab holds information about the general status of the scan. As for the other tabs, I recommend paying special attention to Memory, which lists the processes in memory, and to Applications, which lists the programs that Metadefender considers potentially dangerous or at risk with regard to cyber attacks.

If you are not sure where to start, just consult the Suspicious files tab and delete any suspicious files detected by Metadefender (leave the applications alone, as the program returns many false positives for them).

Please note: if you are interested, Metadefender is also available as an extension for the Chrome browser. With it installed, you can scan all files downloaded from the Internet using all the antivirus engines supported by the service (over 30).

Jotti

Jotti is an online scanning service that lets you check files with 18 different antivirus engines, including Avast, AVG, Bitdefender, ESET, F-Secure and Sophos. It is free, requires no registration and supports uploading up to 5 files at once (with a limit of 100MB per file). To use it, go to its home page, click the Browse... button and select the file (or files) to check. To select multiple items at the same time, use Ctrl + click (or cmd + click, if you have a Mac).

Once the files have been uploaded, the results page opens within a few seconds, listing all the antivirus engines supported by the service and the potential threats each of them detected in the scanned files.

Other Useful Resources to Recognize Infected Files

In addition to the online scanners I told you about earlier, there are other ways to recognize infected files (before or after downloading them) that you can consider.

  • Check the reliability of the site you intend to download files from. You can gauge a site's reputation with services such as WOT, which collects user ratings of websites and so lets you know in advance how trustworthy a site is considered. Another useful tool is McAfee's SiteAdvisor (now WebAdvisor), which tells you whether a site is known to distribute malware (just type the address in the search bar on the right). Both WOT and SiteAdvisor are available as browser extensions for Chrome and Firefox. Keep in mind that these services rate domains, not individual files: a good site rating does not make a specific download safe.
  • Install a good antivirus on your PC. If your current antivirus failed to detect an infected file you downloaded from the Internet, it is probably not as effective as you thought. Replace it with a better one, like those listed in my post on the best antivirus of the moment.
  • Check the hash of the downloaded files. A hash is a fixed-length string computed from a file's contents, so two files with the same SHA-256 hash are, for all practical purposes, identical. To check whether software downloaded from the Internet is "original" or has been tampered with (and may therefore contain malicious content), compute its hash and compare it with the one published on the official website. Prefer SHA-256 over MD5 and SHA-1: the latter two are obsolete, and an attacker can craft two different files with the same MD5 or SHA-1 hash. On Windows, the FCIV tool mentioned in older guides is no longer distributed by Microsoft; instead open Command Prompt and run certutil -hashfile [file path] SHA256, or run Get-FileHash [file path] in PowerShell. On a Mac, open Terminal and run shasum -a 256 [file path]. Note that a hash taken from the same page as the download only protects you against a corrupted or swapped file on a mirror; if the vendor's site itself were compromised, both could be replaced together, which is why a code signature from the vendor is a stronger guarantee when one is available.
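Projects commonly publish their hashes as a SHA256SUMS file, one "<hex digest>  <filename>" pair per line, rather than as a single value on a web page. The script below, an added example written for this page and not taken from any vendor, verifies a folder of downloads against such a list: it streams each file through SHA-256, compares digests in constant time, reports each entry as ok, MISMATCH or missing, and refuses lists that carry only MD5 or SHA-1 digests. The files and digests in demo() are constructed for illustration.

```python
"""Verify downloaded files against a published SHA256SUMS list.

Added example, not from the original article or any vendor. Assumes the common
checksum-file format: one "<hex digest>  <filename>" pair per line; a leading
"*" on the filename (binary-mode marker written by some tools) is accepted.
The sample files and digests in demo() are constructed for illustration.
"""
import hashlib
import hmac
import os
import tempfile
from typing import Dict

SHA256_HEX_LEN = 64  # MD5 (32) and SHA-1 (40) digests are refused by parse_sums


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so multi-GB installers need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_sums(text: str) -> Dict[str, str]:
    """Map filename -> expected digest. Rejects anything that is not 64 hex chars."""
    expected: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<digest>  <filename>'")
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        if len(digest) != SHA256_HEX_LEN or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"line {lineno}: not a SHA-256 digest (MD5/SHA-1 lists are refused)")
        expected[name] = digest
    return expected


def digests_match(actual: str, expected: str) -> bool:
    """Constant-time comparison; tolerates upper-case hex copied from a web page."""
    return hmac.compare_digest(actual.lower(), expected.lower())


def verify_directory(sums_text: str, directory: str) -> Dict[str, str]:
    """Return {filename: 'ok' | 'MISMATCH' | 'missing'} for every entry in the list."""
    status: Dict[str, str] = {}
    for name, want in parse_sums(sums_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            status[name] = "missing"
        else:
            status[name] = "ok" if digests_match(sha256_file(path), want) else "MISMATCH"
    return status


def demo() -> Dict[str, str]:
    """Constructed scenario: one intact download, one tampered download, one never downloaded."""
    with tempfile.TemporaryDirectory() as tmp:
        good = b"setup payload v1.0\n"  # stands in for the genuine installer bytes
        with open(os.path.join(tmp, "setup.exe"), "wb") as fh:
            fh.write(good)
        with open(os.path.join(tmp, "setup.dmg"), "wb") as fh:
            fh.write(good + b"\x90")  # one appended byte: the published digest must not match
        sums = "\n".join([
            "# SHA256SUMS as a vendor might publish it (constructed)",
            f"{hashlib.sha256(good).hexdigest()}  setup.exe",
            f"{hashlib.sha256(good).hexdigest().upper()} *setup.dmg",
            f"{hashlib.sha256(b'never downloaded').hexdigest()}  setup.AppImage",
        ])
        return verify_directory(sums, tmp)


if __name__ == "__main__":
    for filename, result in demo().items():
        print(f"{result:9} {filename}")
```

Any MISMATCH means the bytes on disk are not the bytes the publisher hashed, whether because of a broken download or because someone replaced the file; either way, do not run it. Fetch the SHA256SUMS file over HTTPS from the official site, not from the mirror that served the download.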