Can you trust that file?

Earlier I had a trilogy of postings about DropMyRights (Part 1, Part 2 and Part 3) that included the warning to run Microsoft Office applications in restricted mode in case a file (Word document, Excel spreadsheet, etc.) carried a virus or some other type of malicious software.

But what do you do if a Word document or Excel spreadsheet doesn't display or work properly when the application is run in restricted mode? A decision needs to be made whether to trust the file and open it in unrestricted mode.

If the file was sent to you by e-mail, you'll no doubt be tempted to judge it based on the person who sent the message. Don't.

For one thing, you can't trust that the reported sender of an e-mail message is the actual sender. It is trivially easy to forge the From address in an e-mail message. And even if the message really did come from the person in the From address, and you trust that person, you still should not assume the file is safe. The sender's computer could be infected with malicious software that sent the e-mail message on its own, without human involvement. But what if the trusted person actually sent the file on purpose? It still could be infected with malware without him or her knowing it.

What to do?

The safest thing, of course, is to delete the file. But if you want or need to use it, then I suggest using the Virus Total and/or Jotti Web sites. Each site lets you upload a file to be scanned by multiple antivirus programs.

The last time I used Virus Total, a free service from Hispasec Sistemas, it scanned my suspicious file with 29 different programs. The list included popular antivirus software from Symantec, Kaspersky and Clam, some less well-known products such as NOD32, Avast and Panda, and a host of products that I had never heard of such as DrWeb, Ikarus and TheHacker. That's the good news.

The bad news is that there probably won't be a consensus opinion. Each time I submitted something suspicious to Virus Total, the results were all over the map. For example, in this screenshot from July 10, you can see that 7 of the 29 programs felt the file was malicious. Democracy is great in other contexts, but here, I'd rather be safe than sorry.

[dbjohnson2]

An Argument for Online Applications?

Is this an argument for using online applications such as Google's Docs and Spreadsheets for opening documents of this type? Am I correct in thinking this approach protects my PC from most (all?) viruses, etc.?

[tenc21]

When is it SAFE?

We must presume 7 out of 29 means the file is not safe (enough)? But with the false positives and over-caution, when would it be safe (enough)? Can one even be satisfied if all 29 indicate no virus? What is the purpose of this exercise if we are to be "safe than sorry" when we know the results of these 29 different programs are neither consistent nor reliable?