Helping people with computers... one answer at a time.

Someone's pointing me to a downloadable program as a solution for a problem I'm having. I'm really hesitant to download and run unknown EXE files. Is there any way I can scan it with some program or otherwise ascertain if it's clean or riddled with subtle spyware, viruses, or whatever else could be bad?

I was somewhat taken aback by this question. It's a perfectly good question, and in fact one that people should be asking themselves more often.

No, my reaction was due to the lack of a good answer.

It turns out that it's fairly difficult to ascertain whether or not something you've downloaded is about to play havoc with your system.

This question exposes a very subtle, yet important difference between anti-virus scanners, and anti-spyware scanners.

Anti-virus scanners look at the contents of the files on your system to see if they have what look to be viruses or not. The files don't have to be installed or running, they just have to be accessible to the scanner.

Most anti-spyware programs, on the other hand, examine your system. They look to see if changes have been made to your system that could be the result of spyware. They monitor for changes that are commonly associated with spyware, and either alert you or block those changes.

In other words, most anti-spyware software checks what's running. There's no tool, that I'm aware of, that allows you to say "does this file contain spyware?" before you install it.

And that surprised me.
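The contrast described above, as an added example that is not part of the original article: a content scanner can judge a file at rest only against definitions it already has, while a state monitor sees a change only after the installer has run. The signature, the file names and the "startup" folder are constructed stand-ins, and the installer's side effect is simulated rather than executed.

```python
import hashlib
import os
import tempfile

# Constructed byte pattern standing in for a vendor's virus definitions.
SIGNATURES = {"Demo.Virus.A": b"\xde\xad\xbe\xefDEMO-PATTERN"}

def scan_file(path, signatures=SIGNATURES):
    """Anti-virus style: inspect the bytes of a file at rest, never run it."""
    with open(path, "rb") as fh:
        data = fh.read()
    return sorted(name for name, pat in signatures.items() if pat in data)

def snapshot(root):
    """Anti-spyware style: record the current state of a watched location."""
    state = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            with open(full, "rb") as fh:
                state[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return state

def diff(before, after):
    """Report what appeared, vanished or was modified between two snapshots."""
    both = before.keys() & after.keys()
    return {"added": sorted(after.keys() - before.keys()),
            "removed": sorted(before.keys() - after.keys()),
            "changed": sorted(k for k in both if before[k] != after[k])}

def write(path, data):
    with open(path, "wb") as fh:
        fh.write(data)

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        watched = os.path.join(tmp, "startup")  # stand-in for an autostart folder
        os.mkdir(watched)
        write(os.path.join(watched, "updater.lnk"), b"existing entry")
        known_bad = os.path.join(tmp, "infected.exe")
        write(known_bad, b"MZ" + SIGNATURES["Demo.Virus.A"])
        installer = os.path.join(tmp, "setup.exe")
        write(installer, b"MZ constructed installer, matches no definition")
        verdicts = (scan_file(known_bad), scan_file(installer))
        before = snapshot(watched)
        # Simulated side effect of running the installer: a new autostart entry.
        write(os.path.join(watched, "toolbar_helper.lnk"), b"new entry")
        return verdicts, diff(before, snapshot(watched))

if __name__ == "__main__":
    print(demo())
```

The installer passes the pre-install content scan because nothing in it matches a definition; only the before/after comparison of the watched folder reveals the extra autostart entry.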

So, what do you do? What do I do, for that matter?

  • Only download from sites you trust. I know, knowing who to trust is a difficult problem as well. My recommendation, in general, is don't download from third parties. If a piece of software is created by XYZ corp, then download it from the XYZ corp website. If it's available directly from the creator, there's no reason to get it anywhere else. The same's true for open source software, shareware, freeware, or whatever else. Look for the creator's website and get it directly from them.

  • Only download from companies you trust. Even if you do download directly from the creator's website, not all software publishers are ethical or above-board. If you've not heard of the company before, it's often worth a quick Google to see if other people have experienced problems. Much free software is "free" because it's loaded with spyware and adware - it might all be legal, but it certainly can be annoying.

  • Never download illegal software. You shouldn't anyway ... because it's illegal ... but even if that doesn't stop you, the risks should. Illegal software is lucrative because it's free or dirt cheap. Spyware vendors know this, and often use it as an opportunity to shovel in all sorts of software you didn't want.

  • Virus scan your download. This is the easy one. Anti-virus software can easily and quickly scan a file, or a download, and tell you whether or not it contains any known viruses. Make sure to keep your virus program, and its database, up to date.

  • Back Up. Even though you might well trust what you've just downloaded, for a moment assume that what you're about to install will cause your machine to crash and become unbootable. Will you lose important data? Then you'd better make sure that's backed up first.

  • Set a restore point. Some installs will cause this to happen automatically, but others will not. Using Windows XP's System Restore feature, set a restore point. The good news is that for most installs, if something goes wrong, reverting to a saved restore point will, in fact, restore you to the pre-install state.

  • Take an image. If you're installing something really risky, sometimes the best thing to do is to take a complete image of your hard disk as a backup first. If the worst happens, you can then reinstall that image. This is a bit of work, and requires appropriate imaging software, but makes the process totally recoverable in case the worst happens. Alternately, if you have a spare machine that you don't care about, consider installing on that machine first. If things don't work out, then simply wipe and rebuild that machine.

  • Run that spyware scan. As soon as you've installed and run your download once, make sure to run a spyware scan. If there is a problem, the sooner you know about it, the easier it will be to deal with it.

In some ways it's not surprising that spyware's as prevalent as it is - it appears that true prevention is difficult, at best. Most remedies fall into the realm of "damage control" once a machine is already infected. Part of it is because, unlike viruses, "spyware" is a much more vague term - what does spyware really mean? The complication is that spyware looks, and acts, much more like legitimate software, making it doubly difficult.

Article C2657 - May 18, 2006

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.

10 Comments
Dan U
May 19, 2006 1:03 PM

"....download it from the XYZ corp website."

One point. A fair number of devs will have their programs hosted by a download site such as tucows. A link to a third-party site from the author's website can be as trusted.

Lou Gascon
May 20, 2006 9:55 AM

The Question: Someone's pointing me to a downloadable program as a solution for a problem I'm having. I'm really hesitant to download and run unknown EXE files. Is there any way I can scan it with some program or otherwise ascertain if it's clean or riddled with subtle spyware, viruses, or whatever else could be bad?

I sympathise ~ until recently I used Vexira AV, and an integral part of their program was a facility on the right click menu to scan the file clicked upon...
This was great for First line of defence stuff, simply because the exe or other was scanned before it was opened...
Sadly, I have moved on and I'm now using Prevx1 which replaces all and offers "just that" A First line of Defence to anything that wishes to run... whooo, now anything that moves gets to be cautioned and can't run until my specific say-so, and sometimes, if Prevx have it in their DB, not at all unless I request special permission from their DB staff... wow
But, to address the question: I now use Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1 at
http://virusscan.jotti.org/
Just add the PC nav to the browse button, and off it jollywell jotts and returns info from about 10 AV engines - oui ou pas - yes or no - nix or nacht ooops sorry, me germans not very well - but yes, Jotti's search is in the German domain - Thanx Jotti

Thanx Leo

and viewers of Leo's Lunchtime leaflets & Letters ~ try it before you open that file

bon chance
Lou

Michael Horowitz
August 15, 2006 10:17 PM

At virustotal.com a single file is scanned by about 18 different antivirus products.

Also look into siteadvisor.com, a browser plugin that rates web sites as to their safety. Their green approval rating isn't a perfect guarantee, but if they say a site is bad, that's good enough for me. Their testing procedures are impressive.

ipodboy
July 22, 2008 2:56 AM

Hey, I read your article and I have a few questions. Why do people care so much about scanning viruses if you can actually scan downloaded files before you download them? I've been using this nice tool for a while and I like it a lot - http://smart-ip.net/en/tools/virus-scan.
It does scan files really quick and I haven't got any viruses since I deleted Norton application from my PC :)
Agree, you have to be online all the time to do the scan but it doesn't require any updates.

howiem
May 19, 2009 10:28 AM

I have been using a program called Sandboxie www.sandboxie.com for years. I generally test all new programs in a sandbox, but especially those I have the slightest doubts about. It takes just a second or two to set up a test sandbox, and scan with AV/AS programs. (I also use Jotti and virustotal from time to time). Even if I install a program with malware in the sandbox, I can just delete the sandbox and there is no impact on my operating system. In fact I run almost every program sandboxed. I might add that there are ways to get data out of the sandbox, unlike virtual machines. I was last infected using DOS in 1987.

BTW, the web page mentioned above, http://smart-ip.net/en/tools/virus-scan, appears to no longer provide anti-virus services.

howiem
May 19, 2009 10:31 AM

I forgot to mention...you can always do a web search for the name of the .exe program, like abcd.exe and add a comma followed by virus, spyware, rogue, malware to see if anything bad about the program turns up in the search results.

sirpaul1
May 19, 2009 11:29 AM

I use Avira and it's notified me when a file might contain a virus before it's opened. It's worked on .exe and zip files. Now I didn't open any of them to check, but a beep and a virus screen came up asking me what I wanted to do with this file. Never had a .com or .bat beep yet.

1101doc
May 19, 2009 2:45 PM

I use free Returnil to "screen" all applications (.exe's) before I run them "for real." By turning on Returnil everything that happens thereafter happens only in memory. Nothing can be written to the C:\ drive.

I run or install the application, see what happens, and if I like it enough I then reboot (to turn off Returnil) and run or install the program on my hard drive.

Brian Hall
May 19, 2009 10:51 PM

Great article on "exe's" ~ being able to tell if they are "safe" or not.. Leo, could you expand, explain how to set up a "sandbox" - so that us newbie geeks can quickly, and safely check downloaded programs/apps... before they are "run", or opened, and installed to the hdd, thus preventing infected files from wreaking havoc on us. I understand that a "sandbox" thoroughly filters an application/program - sort of like running the app. through a sieve... is this accurate?? Would appreciate any feedback. Keep up the GeeK~~Brianisbeecube@yahoo

Merna B
May 26, 2009 7:24 AM

Like Howiem (May 19, 2009, post), I also thought smart-ip.net no longer had the online virus scan as I received a 404 page not found when going to the link. However, the link in ipodboy's post (July 22, 2008) works if one deletes the period which was apparently mistakenly underlined and thus included in the link. Try http://smart-ip.net/en/tools/virus-scan without the period at the end.

(I discovered this by checking "Tools" and then "Scan file for viruses" under "Tools" at the home page -- http://smart-ip.net/en/ -- and then comparing what I had found with what I had tried previously.)

Comments on this entry are closed.
