Notebook: Checking For Malware
This article is a notebook rather than a structured recommendation: a place to collect ways of checking links, files, messages and the like for malware. This landscape is continually changing, as bad-faith actors get better and more effective in their pursuits and exploits, and there may be no way to settle on a fixed set of tools that will help us anticipate and avoid them. Please consider this notebook, then, to be a continually evolving collection of ideas and observations that you might find helpful. And as always, feel free to contact the Helpdesk if you have further questions.
Awareness is your first line of defense
As with security of every kind, simple awareness is by far the most important tool in your strategy, followed closely by a healthy skepticism that need not be even remotely paranoid. Think of Hemingway's famed statement that each of us has a built-in BS detector that we can tap into if we just think to do it. Most of us who get caught by malware attempts do so not because we can't identify the signs of something sketchy, but because, just for a moment, we weren't paying attention. So, we try to build a few simple habits to rally around, such as:
- What is this I'm clicking? Before clicking a link you don't know, pause for a second and look at it. Is the link you're clicking what you think you're clicking? You can almost always either (carefully) right-click a link and Copy it to your clipboard, then Paste it safely into a text editor (e.g., a new email message, an empty text file, an electronic sticky note), or you can turn on your browser's status bar (usually at the bottom of the browser window) and hover over the link without clicking on it to see where it really goes.
Certainly if you can't copy the link, or if it's somehow hidden from your view (e.g. by JavaScript code), ask yourself why. If you can't come up with a good answer, you can always contact the Helpdesk.
- What kind of file is this? Before opening a file you don't know, look at its name and file extension. Some files are executable in and of themselves (e.g., .exe, .msi, .bat), while others are just data that opens in an expected application (e.g., a Microsoft Word .docx, an Adobe Acrobat .pdf, or an audio .mp3 that opens in your system's default media player). You don't need to be an expert on file extensions and the applications that handle them to understand that if you go to open a file someone claims is a "Word Document" and you can see that its file extension is .exe, something isn't quite right. If it doesn't pass your basic smell test, either look a little further or just contact the Helpdesk.
- What's that I just saw? If you see truly unexpected activity flashing by (e.g. pop-up windows, tabs or pages that spawn and then disappear), again, ask yourself the why question: "Does this make sense?" To be sure, there are perfectly legitimate links that may churn through one or more "do something" resources or steps en route to landing you at a perfectly legitimate endpoint; in fact a number of security-related resources will do exactly this, as they travel a pathway that gathers the parts of your user profile or permissions that you will need at the endpoint. But if you click through on a link and, after what looked like a series of bounces, wind up at something that looks somewhat like a District resource but you're not totally sure, by all means just stop, and contact the Helpdesk.
- Who is this emailing me? Before you reply to an email you don't know, be sure to check the address your reply is actually going to. Depending on your mail application (e.g., Outlook, Webmail, etc.), you should be able to inspect the "from" item on your message and see not just the "readable name" the email displays but the underlying address behind it. Certainly right before you hit Send you may want to double-check the recipient.
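The first two habits above (does the link go where it says, and does the attachment's extension match what it claims to be) can also be checked mechanically. The following is an added example in Python, not part of the original notebook: it pulls every link out of an HTML message body, compares the host the visible text shows against the host the real href points to, and flags attachment names that would execute rather than open as data. The message body and the extension list are constructed for the demo.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions that run code when opened (an illustrative, not exhaustive, list).
EXECUTABLE_EXTS = {".exe", ".msi", ".bat", ".cmd", ".scr", ".js", ".vbs", ".ps1", ".hta"}

class LinkCollector(HTMLParser):
    """Collect (visible text, real href) pairs from an HTML message body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host_of(value):
    """Lowercase host of a URL, or of bare text such as 'portal.example.edu/login'."""
    if "://" not in value:
        value = "http://" + value
    return urlparse(value).hostname or ""

def audit_links(html):
    """Flag anchors whose visible text names a host other than the one the href goes to."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        shown = host_of(text) if re.search(r"\w\.\w", text) else ""  # text that looks like a URL
        real = host_of(href)
        findings.append({"text": text, "real_host": real, "mismatch": bool(shown) and shown != real})
    return findings

def audit_filename(name):
    """Flag attachments that execute, including 'Invoice.docx.exe' style double extensions."""
    parts = name.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    disguised = len(parts) > 2 and ext in EXECUTABLE_EXTS
    return {"name": name, "executable": ext in EXECUTABLE_EXTS, "double_extension": disguised}

# Constructed sample message (not a real email): the visible text shows the portal, the href does not.
SAMPLE_HTML = ('<p>Go to <a href="http://login.district-example.net/reset">https://portal.district.example/</a>'
               ' or the <a href="https://portal.district.example/help">help page</a>.</p>')
```

`audit_links(SAMPLE_HTML)` reports the first link as a mismatch (shown host `portal.district.example`, real host `login.district-example.net`) and the second as fine, which is exactly the comparison the copy-and-paste habit above does by eye.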
Web resources for checking links and files
One resource that we have used internally, for quick checks of links and files, is the online scanner from VirusTotal. (Note that there may be others out there of similar utility that will work just as well.) As an example, let's say you've been given a link in an email; you're not quite sure about it, and you want to validate it before clicking through. You can usually (and carefully) right-click on the link as you see it in your message and choose the Copy option.
Then, visit VirusTotal and Paste the link into the checker on the URL tab.
Hit the Enter key to submit the scan, and it will run aggregate checks across a list of known security sites.
When the checks complete, you get a summary of useful information and a listing of the security sites that responded to the call.
Note that on the main input page there are also tabs that let you upload a File to check (before you open it) and run a Search.
Again, there are undoubtedly other sites out there that can perform similar useful functions; if we become aware of one of particular interest we may update this page with it, and you should certainly feel free to suggest ones that you find useful yourself; just contact the Helpdesk about it.
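The same lookup can be scripted through VirusTotal's public v3 API, which is handy when you would rather look up a file's hash than upload the file itself (a hash lookup sends nothing but the hash). This is an added example in Python, not code from the original notebook or from VirusTotal: the `/urls/{id}` and `/files/{sha256}` endpoints and the `x-apikey` header are as VirusTotal documents them, `fetch_report` needs your own API key and network access so it is not exercised offline, and `SAMPLE_REPORT` is a constructed response in the shape a lookup returns.

```python
import base64
import hashlib
import json
import urllib.error
import urllib.request

VT_API = "https://www.virustotal.com/api/v3"  # VirusTotal's public v3 API base URL

def vt_url_id(url):
    """VirusTotal identifies a URL by its URL-safe base64 encoding with the '=' padding removed."""
    return base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")

def sha256_hex(data):
    """Hash the file locally; looking up the hash never sends the file anywhere."""
    return hashlib.sha256(data).hexdigest()

def fetch_report(kind, identifier, api_key):
    """GET /urls/{id} or /files/{sha256}. Returns None when VirusTotal has never seen the item."""
    req = urllib.request.Request(f"{VT_API}/{kind}/{identifier}", headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:  # not in VirusTotal yet: the web UI would offer to submit it
            return None
        raise

def summarize(report):
    """Reduce a v3 report to what the web UI summary shows: how many engines flagged it, out of how many."""
    stats = report["data"]["attributes"]["last_analysis_stats"]
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    return {"flagged_by": flagged, "engines": sum(stats.values()),
            "verdict": "flagged" if flagged else "no detections"}

# Constructed sample report in the shape of a /urls lookup (the counts are made up for the demo).
SAMPLE_REPORT = {"data": {"type": "url", "attributes": {"last_analysis_stats": {
    "harmless": 68, "malicious": 3, "suspicious": 1, "undetected": 18, "timeout": 0}}}}
```

A typical flow is `fetch_report("files", sha256_hex(open(path, "rb").read()), key)` first, and only if that returns None decide whether the file is something you are comfortable uploading.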
What to do if you do find something suspicious
This list is certainly not exhaustive, but can serve to cover a number of the most common questions we get.
- Suspicious email. Provided you don't Reply to the sender or click any of the links/attachments, you can always Forward (not Reply) the message to the internal spam-filter address, which you should find in the directory simply by typing "spam" into the type-ahead search.
After forwarding to Report As SPAM, you can just delete the message from your mail file. Your forward will help "teach" our spam filter to recognize such messages going forward.
- Something you are confident is actionable. If your spidey-sense is not wrestling with the "is it or isn't it?" question but is sending you a clear message that something is wrong (e.g., lots of people are getting the same suspicious link/file/message), just contact the Helpdesk immediately; we'll help you sort out the best way to proceed.
- Changing your password. If you catch something sketchy before exposing yourself with a reply, a click, or a file launch, it is often unnecessary to change your user password, but taking that action as a precaution is never a bad idea. You can always change your main District password from any Windows session by keying Ctrl+Alt+Delete and then selecting Change a password from the presented list of options.
- Lean on your Helpdesk. You always have the option of contacting the Helpdesk with questions. If your senses have put you at the point where you're just not quite sure, there is no harm in contacting us for a second opinion.