Re: Running program files on XP with non-executable extension?

From: Zvi Netiv
Date: 11/03/05

  • Next message: Zvi Netiv: "Re: Running program files on XP with non-executable extension?"
    Date: Thu, 03 Nov 2005 19:12:18 +0200

    JS <> wrote:

    > I downloaded a file (let's call it BLUESKY.EXE) which my anti-
    > virus guard says may be a virus.
    > I wanted to get more info about this file, so I disabled it by
    > adding a couple of random letters to the extension.

    Not the brightest idea.

    > I figured this would stop my XP Pro from running it if I double
    > clicked it by mistake. But my antivirus guard 'AntiVir PE' warned
    > me about it again. Even with the dummy extension letters! Surely
    > such a program file is now safe enough?

    Not sure at all. See below.

    > I found that if I add the random letters *before* the EXE then
    > AntiVir PE's guard does not detect it as a virus.
    > So BLUESKY.HJEXE is ok according to 'AntiVir PE'.
    > Is this just an oddity in 'AntiVir PE'? Or is this being done
    > because of something in XP Pro which might truncate the letters in
    > a file's extension after the first three letters?

    Nothing to do with XP, particularly, but with how file and extension names are
    interpreted by Windows and by various applications.

    Here is a little experiment you can do that explains the principles
    involved: Open the Windows installation directory with Windows Explorer, find
    Regedit.exe, and rename it to "Egedit.executable". While still in Explorer's
    window, double click the renamed Egedit file and it won't execute, as expected.

    Prepare now for a little surprise! Open the CMD shell (by executing CMD from
    the desktop 'Run' menu), change to XP's base directory (..\WINNT by default) and
    issue the command DIR EGEDI* from the command line. The system will return
    EGEDIT~1.EXE. Now type just EGEDIT~1, with no extension name, and press
    Enter. REGEDIT will open normally!

    What the above experiment shows is that the Explorer and CMD shells parse
    file and extension names quite differently, and whether a file is considered an
    executable depends on the parser.

    All your experiment tells you is that AntiVir PE interprets just the first
    three characters of the extension name in order to determine whether the file
    type is in the list of extensions that need to be verified. Nothing beyond that.

    If you want to be safe, then change the extension name to EX~, DL~, SC~ for
    castrated exe, dll, and scr, respectively, rather than appending the original
    extension name, like you did.

    Don't forget to delete Egedit when done with the experiment (Windows will keep
    the protected original file, and rename a copy).

    Regards, Zvi

    NetZ Computing Ltd. ISRAEL (Hebrew)
    InVircible Virus Defense Solutions, ResQ and Data Recovery Utilities
