I still see way too many people who don’t know the difference between a .exe and a .jpeg. I mean, you downloaded that cute cat picture, right? You only get viruses by torrenting illegal stuff, right?
NOPE. These so-called ‘extensions’ define what type a file is and what it does. A .jpeg is an image and needs to be opened by an image viewer. A .exe is an executable file and will be executed by Windows.
If you download a file which should not be a .exe, then you’re probably dealing with something dark and scary. But how can you prevent these kinds of accidents from happening?
I made a Python script which monitors your Downloads folder for new files and checks their extensions.
import os
from os.path import expanduser
from tkinter import Tk, messagebox

import win32con
import win32file

# Hide the empty root window; only the message boxes should be visible.
# (Tk().withdraw() returns None, so the root must be kept separately.)
root = Tk()
root.withdraw()

# Extensions Windows will run directly, without any extra software installed.
neverRun = {
    ".BAT": "Interpreted script",
    ".CMD": "Interpreted script",
    ".COM": "MS-DOS executable",
    ".CPL": "Control Panel executable",
    ".PIF": "Link to MS-DOS executable which can contain executable code",
    ".APPLICATION": "MS ClickOnce executable",
    ".MSI": "Application installer",
    ".MSP": "Application patcher",
    ".SCR": "Screensaver, rename of .EXE",
    ".HTA": "Unsandboxed browser executable",
    ".MSC": "Management Console executable",
    ".VB": "Interpreted script",
    ".VBS": "Interpreted script",
    ".VBE": "Encrypted script",
    ".JS": "Unsandboxed Javascript",
    ".JSE": "Unsandboxed encrypted Javascript",
    ".WS": "Interpreted script",
    ".WSF": "Interpreted script",
    ".WSC": "WS component",
    ".WSH": "WS host control",
    ".PS1": "Interpreted script",
    ".PS1XML": "Interpreted script",
    ".PS2": "Interpreted script",
    ".PS2XML": "Interpreted script",
    ".PSC1": "Interpreted script",
    ".PSC2": "Interpreted script",
    ".MSH": "Interpreted script",
    ".MSH1": "Interpreted script",
    ".MSH2": "Interpreted script",
    ".MSHXML": "Interpreted script",
    ".MSH1XML": "Interpreted script",
    ".MSH2XML": "Interpreted script",
    ".SCF": "Explorer shortcut, can contain malicious arguments",
    ".LNK": "Link to an executable, can execute",
    ".INF": "Autorun script, can execute",
    ".REG": "Registry changing file",
}

# Executable types that are also very common for legitimate downloads.
# Note: .APPLICATION, .MSI, .MSP and .SCR are also in neverRun, which is
# checked first, so those four entries here are never reached.
possibleDanger = {
    ".EXE": "Most used executable",
    ".GADGET": "Executable, installed as Windows Gadget",
    ".APPLICATION": "MS ClickOnce executable",
    ".MSI": "Application installer",
    ".MSP": "Application patcher",
    ".SCR": "Screensaver, rename of .EXE",
}

# Action codes returned by ReadDirectoryChangesW:
# 1 = Created, 2 = Deleted, 3 = Updated,
# 4 = Renamed from something, 5 = Renamed to something
FILE_ACTION_ADDED = 1
FILE_ACTION_RENAMED_NEW_NAME = 5

# Access right needed to list a directory's contents (FILE_LIST_DIRECTORY).
FILE_LIST_DIRECTORY = 0x0001

path_to_watch = os.path.join(expanduser("~"), "Downloads")
hDir = win32file.CreateFile(
    path_to_watch,
    FILE_LIST_DIRECTORY,
    win32con.FILE_SHARE_READ | win32con.FILE_SHARE_WRITE | win32con.FILE_SHARE_DELETE,
    None,
    win32con.OPEN_EXISTING,
    win32con.FILE_FLAG_BACKUP_SEMANTICS,  # required to open a directory handle
    None,
)

messagebox.showinfo(
    title="Downloaded File Helper running!",
    message="Now monitoring " + path_to_watch + " in the background. Have fun.",
)

while True:
    # Blocks until something changes inside the watched folder.
    results = win32file.ReadDirectoryChangesW(
        hDir,
        1024,
        True,  # watch subdirectories too
        win32con.FILE_NOTIFY_CHANGE_FILE_NAME
        | win32con.FILE_NOTIFY_CHANGE_DIR_NAME
        | win32con.FILE_NOTIFY_CHANGE_ATTRIBUTES
        | win32con.FILE_NOTIFY_CHANGE_SIZE
        | win32con.FILE_NOTIFY_CHANGE_LAST_WRITE
        | win32con.FILE_NOTIFY_CHANGE_SECURITY,
        None,
        None,
    )
    for action, file in results:
        # Browsers usually download to a temporary name and rename the file
        # when it is complete, so handle "renamed to" as well as "created".
        if action not in (FILE_ACTION_ADDED, FILE_ACTION_RENAMED_NEW_NAME):
            continue
        full_filename = os.path.join(path_to_watch, file)
        _, file_extension = os.path.splitext(file)
        file_extension = file_extension.upper()
        if file_extension in neverRun:
            messagebox.showwarning(
                title="High risk download",
                message="YOU DOWNLOADED AN EXECUTABLE FILE:\n"
                + full_filename + " : " + neverRun[file_extension]
                + "\nDO NOT run this file if you're not 100% certain why you need this and what it does.",
            )
        elif file_extension in possibleDanger:
            messagebox.showwarning(
                title="Possible risk download",
                message="YOU DOWNLOADED AN EXECUTABLE FILE:\n"
                + full_filename + " : " + possibleDanger[file_extension]
                + "\nThis filetype is really common, so there's a good chance nothing is wrong."
                + "\nJust check if what you're doing needs anything to be executed or installed."
                + "\n99% of the malware is shipped as .exe, so still be careful.",
            )
I use the win32 API to monitor for changes. The extensions I marked as dangerous only include the ones that will run without any other software installed. For example, ‘.jar’ will run when Java is installed – but it is not listed.
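As an added example (not the script above and not the author's code), the same extension check combined with a look at the file's first bytes: Windows picks the program from the last extension only, so cat.jpg.exe is an executable, and a file named like an image whose content starts with the PE header "MZ" is flagged even though its extension looks harmless. The two category sets are trimmed to a few entries from the lists above; the sample headers in the assertions are constructed.

```python
import os
from typing import Tuple

# A few entries from the two categories used by the monitor script above.
NEVER_RUN = {".BAT", ".CMD", ".COM", ".SCR", ".HTA", ".VBS", ".JS", ".PS1", ".LNK"}
POSSIBLE_DANGER = {".EXE", ".MSI", ".MSP", ".GADGET", ".APPLICATION"}

# Content signatures ("magic bytes") at offset 0 for the formats we cross-check.
MAGIC = {
    b"MZ": "Windows executable",
    b"\xff\xd8\xff": "JPEG image",
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"%PDF": "PDF document",
}


def sniff(header: bytes) -> str:
    """Name the format from the first bytes of a file, or 'unknown'."""
    for magic, name in MAGIC.items():
        if header.startswith(magic):
            return name
    return "unknown"


def assess(filename: str, header: bytes) -> Tuple[str, str]:
    """Classify a download as 'high', 'possible' or 'low' risk with a reason.

    Only the last extension matters: Windows decides what to run from it,
    so cat.jpg.exe is an executable no matter how many dots come before.
    """
    ext = os.path.splitext(os.path.basename(filename))[1].upper()
    kind = sniff(header)
    if ext in NEVER_RUN:
        return "high", f"{ext} runs without any extra software installed"
    if ext in POSSIBLE_DANGER:
        return "possible", f"{ext} is an executable or installer ({kind})"
    if kind == "Windows executable":
        # The name claims an image or document but the content is a PE file:
        # the extension was picked to look harmless, treat it as high risk.
        return "high", f"{ext or 'no extension'} but content is a {kind}"
    return "low", f"{ext or 'no extension'} containing {kind}"


def assess_file(path: str) -> Tuple[str, str]:
    """Read just enough of a file on disk to run assess() on it."""
    with open(path, "rb") as fh:
        return assess(path, fh.read(8))
```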
Download a compiled version HERE. Note that this file is a .exe! I created a self-extracting archive with 7zip to save some space.