Checking File Downloads


How do people get malware on their computers? Normally, they click on an email link or an advertising link on a website. Sometimes search results list dangerous sites. Obviously, avoid clicking on email links or website advertising. But sometimes you might get duped. Many smart hackers are on the Internet, and they are trying to con you.

So how do you protect yourself? What if you are not certain whether a file is clean?

Downloading infected files

Miscreants register websites that look like legitimate websites, but are not. Sometimes they have the real software, but package it with malware add-ons, and sometimes they offer a phony product altogether. For example, the real Keepass site is Keepass.info, but someone in France registered and owns Keepass.com and Keepass.fr. The Bleachbit site is Bleachbit.org, but that same party in France owns Bleachbit.com.

Many popular programs like Ccleaner, Filezilla, Truecrypt, Paintnet, 7zip, Adblock and LibreOffice have phony site doppelgangers.
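The doppelganger trick described above is the same product name under a different top-level domain. As an added example (not from the OCS article), the check below normalizes a download URL to its registered domain and compares it with the genuine site; the two genuine domains in the table are the ones the article names, and every other URL is constructed.

```python
# Added example (not from the OCS article): flag "doppelganger" download
# sites whose host name reuses a well-known product name under a
# different top-level domain. Only keepass.info and bleachbit.org come
# from the article; the sample URLs below are constructed.
from urllib.parse import urlparse

# Product name (second-level label) -> the genuine download domain.
GENUINE_SITES = {
    "keepass": "keepass.info",
    "bleachbit": "bleachbit.org",
}

def registered_domain(url: str) -> str:
    """Return 'label.tld' for a URL, lower-cased and without 'www.'."""
    host = urlparse(url if "://" in url else "http://" + url).hostname or ""
    host = host.lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    parts = host.split(".")
    # Simple two-label rule; enough for the .info/.org/.com/.fr cases here.
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def classify_download_url(url: str) -> str:
    """'genuine', 'doppelganger' or 'unknown' for a download URL."""
    domain = registered_domain(url)
    label = domain.split(".")[0]
    genuine = GENUINE_SITES.get(label)
    if genuine is None:
        return "unknown"          # not a product we keep a record for
    return "genuine" if domain == genuine else "doppelganger"

if __name__ == "__main__":
    for u in ("https://keepass.info/download.html",
              "https://www.keepass.com/download",
              "http://keepass.fr",
              "https://bleachbit.com/",
              "https://example.org/file.zip"):
        print(f"{u:40} -> {classify_download_url(u)}")
```

A host such as download.keepass.info still resolves to the genuine domain, while keepass.com and keepass.fr are reported as doppelgangers.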

In addition, some download sites with thousands of files on them have only a couple of infected files.

Opening attachments

We are all aware of the advice,
"Never open an attachment from someone you don't know."
But just because the return address appears to be from someone you know doesn't mean they wrote it. I frequently receive spam from my own address, and I know I didn't send it to myself! I don't know the secret that will help me drop a full dress size in only a week! Even if the person's computer actually sent the file, can you be sure it is not infected? I will explain how to check the file.

Check site before you download

So, imagine you are at a site and want to download a file. How do you check the site? Your browser, antivirus, or Windows Defender may prevent you from going to the site. You might get a message like this one from Nod32.



If you get something like this, it is best to go back. But if you reach a site and are still uncertain, you have another opportunity to check. The best way is to copy the URL from the address bar and paste it into VirusTotal's URL checker: https://www.virustotal.com/#/home/url.



This is the summary of the report on the phony KeePass site. VirusTotal checked the site against 67 different antivirus engines, and none of them found malware on the site. I returned a couple of weeks later and verified that they had malware on their site, and two engines found it. So possibly they add and remove adware to keep their site from getting a bad reputation. Notice the community score of -129. This should alert you to a problem. Contrast this with the community rating of +47 for the real KeePass site: https://Keepass.info.

Clicking on the Community tab gives you more detailed information.



The community report sometimes contains comments that might save you from infected downloads. For example, this one had comments explaining that this was not the real KeePass site and linking to the correct site.

VirusTotal is a website created by the Spanish security company Hispasec Sistemas in 2004. It was acquired by Google Inc. in 2012. They transferred the company's ownership to another Alphabet subsidiary Chronicle in 2018.

Check after you download

What happens if you already downloaded the file and then think, "Maybe this is a mistake"? Or you want to check an attachment. Download it, but do not open it until you have checked it. Here are some ways to check files.

1. Inside File Explorer you can right click and scan the suspect file with your antivirus.



Here's what Nod32 makes available, but all antivirus programs will have a single file scan from within File Explorer.

2. Nod32 provides an additional reputation check under advanced options. Some other antivirus programs do as well.



3. You can upload the file to VirusTotal's file checker: https://www.virustotal.com/#/home/upload. You'll get a file report similar to the URL report above. Go to their upload page and click Choose File. You'll be able to select the file you downloaded for checking against their many engines.
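VirusTotal indexes every file it has seen by its hash, so a file that is already known can be looked up by its SHA-256 without sending the file itself. As an added example (not from the OCS article), the code below hashes a downloaded file in chunks, builds the report address, and summarizes a report; the /gui/file/<sha256> address and the report layout are assumptions about the VirusTotal site and its v3 API, and the sample report is constructed.

```python
# Added example (not from the OCS article): check a downloaded file on
# VirusTotal by SHA-256 instead of uploading it. The /gui/file/<sha256>
# address and the report layout read by summarize_report() are assumed,
# not taken from the article; SAMPLE_REPORT is constructed.
import hashlib
import tempfile

def sha256_of_file(path: str) -> str:
    """Hash the file in 1 MiB chunks so large installers fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1024 * 1024), b""):
            h.update(chunk)
    return h.hexdigest()

def virustotal_lookup_url(sha256: str) -> str:
    """Report page for a file already known to VirusTotal (assumed path)."""
    return f"https://www.virustotal.com/gui/file/{sha256.lower()}"

def summarize_report(report: dict) -> tuple[int, int]:
    """Return (engines flagging the file, engines in the report)
    from a v3-style file report; the key layout is an assumption."""
    stats = report["data"]["attributes"]["last_analysis_stats"]
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    return flagged, sum(stats.values())

# Constructed sample report, not a real VirusTotal result.
SAMPLE_REPORT = {"data": {"attributes": {"last_analysis_stats": {
    "malicious": 2, "suspicious": 0, "undetected": 65, "harmless": 0}}}}

if __name__ == "__main__":
    # Constructed stand-in for a downloaded installer.
    with tempfile.NamedTemporaryFile(suffix=".exe", delete=False) as f:
        f.write(b"not a real installer")
        path = f.name
    digest = sha256_of_file(path)
    print("SHA-256 :", digest)
    print("Look up :", virustotal_lookup_url(digest))
    flagged, total = summarize_report(SAMPLE_REPORT)
    print(f"{flagged} of {total} engines flagged the sample")
```

If the hash is unknown to VirusTotal, the report page is empty and uploading the file, as described above, is the remaining option.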

VirusTotal's Desktop App




VirusTotal has a simple and tiny application that will do 3 things to make your file checking life easier. Though it is no longer being maintained, I am still recommending it, as it gets the job done, is superior to the alternatives, and is so simple it is unlikely to create any issue for many years and can simply be uninstalled if it does.
  1. Add a Send To Virustotal option in File Explorer, so you can right click on a file and send it to VirusTotal. It will open your browser to check the results.
  2. Let you check your active processes and send any one of them to VirusTotal to determine if they recognize the file as bad. Run the desktop application and select the process.
  3. If you can copy the actual web link to a file, you can check the file via that link without ever downloading it. However, do not be surprised if this doesn't work. Normally we are not given the link to a file, but to a download button which makes it difficult to extract the actual download link.

I think I'll add this tiny little app to my normal computer setup going forward.

Summary

By using common sense and avoiding downloads from unconfirmed sites you can prevent the most common infection vector: the user downloading and installing malware themselves! You can check files you do download by using VirusTotal and your antivirus software.

Date: September 2018


This article is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License.
