Does your AV detect files with double extensions?

Tom172
Thread author
Feb 11, 2011
I've noticed this in the last day or two and found it interesting.

If you create a new text file, then save the file with a double extension, for example "Test.txt.exe" Comodo Internet Security will detect the file straight away as malicious.

Instructions:

Open Notepad > type in any random text you like > Save As

Name the file, for example "Test.txt.exe" (without quotes)
Next to "Save as type" click the dropdown and select "All files"

Next to Encoding select Unicode, and save the file.


Comodo deleted the file automatically.

Seeing as files with double extensions are in most cases malware, it would be interesting to see if other AVs have the same behavior.

Try this out and post your results.
 
I think it depends on the file behavior whether the AV would detect it. Besides the name with double extensions, the content of it.
 
Thanks for trying!

I'm surprised more AVs don't implement this idea, seeing as it would eliminate a lot of attempts to trick users into running malicious files.
 
The text file isn't malicious though, have you reported this to Comodo?
 
Earth said:
The text file isn't malicious though, have you reported this to Comodo?

The point is it's able to tell a file is using dual extensions. Malware authors use this trick to make a file look like something it's not. Since Windows hides extensions by default, they can make a file look like a text document, etc., whereas it actually could be a .exe.
 
Does not matter what file it is, Comodo will always flag double-extension files... I noticed this when I encrypted some of my sister's files of her college work docs... I think it's better to be safe than sorry, so I understand why it gets flagged, to be fair.
 
AyeAyeCaptain said:
Does not matter what file it is, Comodo will always flag double-extension files... I noticed this when I encrypted some of my sister's files of her college work docs... I think it's better to be safe than sorry, so I understand why it gets flagged, to be fair.

Yep, it's a good idea. More often than not double extensions signal malware, although as you stated they do arise in legitimate circumstances also.
 
Earth said:
The text file isn't malicious though, have you reported this to Comodo?

There is nothing to report. The whole point of heuristics is to flag suspicious characteristics in the absence of a matching virus definition.

A file with two extensions is a suspicious characteristic due to it being exploited by malware for the reasons already mentioned.

Heuristics by their very nature are prone to false positives because suspicious does not always mean harmful.
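A defender-side version of the heuristic this thread discusses, added here as an example (it is not code from Comodo, Panda or any poster): it flags a name whose final extension is executable while an earlier one looks like a document, approximates what Explorer shows when extensions are hidden, and allowlists legitimate compounds such as .tar.gz so the false positives mentioned above are reduced. The extension sets and the allowlist are assumptions made for this example.

```python
import os

# Extensions Windows or its script hosts will execute (constructed list, not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "vbe",
                   "js", "jse", "wsf", "wsh", "hta", "msi", "ps1", "lnk"}
# Document-looking extensions used as the visible, reassuring part of a name.
DECOY_EXTS = {"txt", "doc", "docx", "pdf", "jpg", "jpeg", "png", "gif",
              "xls", "xlsx", "ppt", "pptx", "mp3", "mp4", "zip", "rtf"}
# Legitimate compound extensions a naive "more than one dot" rule would misflag (assumed allowlist).
BENIGN_COMPOUNDS = {"tar.gz", "tar.bz2", "tar.xz", "min.js", "min.css", "d.ts"}


def split_extensions(name: str) -> list:
    """Return the lower-cased extensions of a path's basename, e.g. ['txt', 'exe']."""
    base = os.path.basename(name.replace("\\", "/"))
    parts = base.lower().split(".")
    if parts and parts[0] == "":        # a leading dot (".bashrc") is part of the stem
        parts = parts[1:]
    return parts[1:]


def explorer_display_name(name: str) -> str:
    """Approximate Explorer with 'Hide extensions for known file types' on: only the final
    extension is hidden (known types approximated by the two sets above), so
    'Test.txt.exe' is shown as 'Test.txt'."""
    base = os.path.basename(name.replace("\\", "/"))
    stem, dot, ext = base.rpartition(".")
    if dot and stem and ext.lower() in EXECUTABLE_EXTS | DECOY_EXTS:
        return stem
    return base


def classify_filename(name: str) -> str:
    """Heuristic verdict for one filename:
    'disguised-executable'  decoy extension in front of an executable one (Test.txt.exe)
    'executable-multi-ext'  executable with extra dots but no decoy (setup.v2.exe)
    'benign-compound'       allowlisted compound such as backup.tar.gz
    'ok'                    single extension, or final extension is not executable"""
    exts = split_extensions(name)
    if len(exts) < 2:
        return "ok"
    if ".".join(exts[-2:]) in BENIGN_COMPOUNDS:
        return "benign-compound"
    if exts[-1] in EXECUTABLE_EXTS:
        if any(e in DECOY_EXTS for e in exts[:-1]):
            return "disguised-executable"
        return "executable-multi-ext"
    return "ok"
```

A name such as assignment.docx.txt (the submission-system workaround mentioned later in the thread) is classified 'ok' because its final extension is not executable, which is the distinction a pure "two dots" rule misses.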
 
It's a very smart move. This is almost only ever used by malware - there is no reason for a legitimate file to do this.

I would hope most heuristics check for this.
 
I remember watching some videos of Avira 9 before. Simply making a file like this one (not sure if it's a double extension) would pop up every single alert.
 
Double extensions are an old kind of virus trick, very popular: .exe, .vbs, etc.
 
A friend tested this on his computer and it seems like Panda Cloud AV can also detect double extensions.
Can anyone confirm that?
 
I can confirm Panda Cloud does detect double extensions. :)

EDIT: Just looked a little more into this and it seems Panda is blocking the creation of executables, not the dual extensions. If you look at this link http://blog.cloudantivirus.com/2010/06/03/behavioral-blocking-rules/
and look at rule 5008, that is what is being used to block me creating a file called Test.txt.exe.

Cheers
Shaun
 
ESET doesn't seem to mind me creating a file with a double extension, and I am glad it doesn't.

My school's assignment submission system only accepts some file extensions, so sometimes we use double extensions to submit assignments. So I would be mighty cross if ESET suddenly started removing my assignments. ;)
 
Agreed with Shaun, Panda does detect double extensions.

ESET Smart Security 5 doesn't pick up double extensions as far as I can tell :)
 
I'm using Comodo Internet Security and it does detect double extensions because it quarantined one after doing a full scan.