Only allow active content in exceptional cases
Active content (e.g. Flash or Java in web browsers, macros in MS Office files) is very often used to infect systems with malware. One of the most common ways a computer becomes infected is a user opening an infected file. Email attachments in particular pose a great risk (e.g. PDF, Word or Excel files). If a website or document can only be used with active content enabled, treat this as a definite red flag.
In certain situations, the operating system or the respective application (e.g. your email client, web browser or archive programme) will warn you before saving or opening such risky files or scripts. The systems, however, do not always recognize such files/scripts, and even if you get a warning message, it is up to you to decide what to do (e.g. whether to trust the file or delete it).
Deactivate active content if you do not absolutely need it:
- Configure Microsoft Office or use LibreOffice so that (most) macros do not work in word processing files. If macros are required for certain internal processes, then macros should only be allowed with a pre-defined digital signature.
- Activate the secure mode in Acrobat Reader, or use another PDF reader, like Sumatra (for Windows) or XpdfReader, that does not execute active content (see PDFreaders.org).
- Use add-ons (like NoScript) to block scripts in browsers and make “drive-by” infections more difficult.
- Deactivate Flash plug-ins and Java (if installed) on your web browser so that these cannot be executed unintentionally.
Dealing with suspicious files
If you receive a file from an unknown or suspicious source, or the file itself is unexpected or looks suspicious, you should definitely scan it manually for malware before opening it. Anti-virus software usually offers the option to check files and folders manually directly in Explorer (save the items to disk but do not open them). To do so, simply right-click the file/folder and select “Mit Sophos Anti-Virus überprüfen” (scan with Sophos Anti-Virus) from the context menu.
If a file has active content (like macros in MS Office files or scripts in PDF files), you should deactivate this content because it could contain malware.
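The check described in this step can be automated for a first triage. The script below is an added example, not part of this guidance or of any KIM tool: it lists the macro parts of an OOXML Office file and the script or auto-run keys of a PDF, and flags legacy binary Office containers as unknown. The sample files it inspects are constructed inline.

```python
import io
import re
import zipfile

# PDF name objects that mark scripts, auto-run actions or embedded payloads.
PDF_ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile")
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc/.xls/.ppt container

def office_macro_indicators(data: bytes) -> list:
    """List the VBA / Excel 4.0 macro parts inside an OOXML (docx/xlsx/pptx) zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return []
    return [n for n in names if n.lower().endswith("vbaproject.bin") or "/macrosheets/" in n.lower()]

def pdf_active_indicators(data: bytes) -> list:
    """List the PDF keys present in the raw bytes (whole-name match, so /JS does not hit /JSx)."""
    return [k.decode() for k in PDF_ACTIVE_KEYS if re.search(re.escape(k) + rb"(?![A-Za-z0-9])", data)]

def triage(data: bytes) -> dict:
    """Classify a file by its magic bytes and report active-content indicators."""
    if data.startswith(b"%PDF"):
        return {"kind": "pdf", "indicators": pdf_active_indicators(data)}
    if data.startswith(b"PK\x03\x04"):
        return {"kind": "ooxml", "indicators": office_macro_indicators(data)}
    if data.startswith(OLE_MAGIC):
        # Binary Office formats need an OLE parser (e.g. olefile) to look inside;
        # without one, treat them as capable of carrying macros.
        return {"kind": "ole", "indicators": ["legacy binary Office container"]}
    return {"kind": "other", "indicators": []}

def has_active_content(data: bytes) -> bool:
    return bool(triage(data)["indicators"])

def build_sample_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal docx/docm-like zip, used only as sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", OLE_MAGIC + b" constructed stub")
    return buf.getvalue()

# Constructed PDF samples: one with an auto-run JavaScript action, one without.
SCRIPTED_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
                b"2 0 obj << /S /JavaScript /JS (app.alert('constructed')) >> endobj\n%%EOF\n")
CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"
```

A negative result is not proof of absence: names inside compressed object streams or written with escape sequences are not seen by this byte-level scan, so an unexpected file still belongs in the sandbox described below.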
Please contact the sender before taking any further steps, because the infection may be spreading on its own from his/her computer, or the named sender of the email may have been faked.
If, after contacting the sender, you are still not entirely sure, you can open the suspicious file in a “sandbox”, where any malware it may contain cannot, in most cases, damage the host system.
- This can, for example, be a virtual machine created with VirtualBox (or a similar programme), or the sandbox mode integrated in Windows 10 version 1903 and newer.
- You can also use programmes for virtualizing applications, like Sandboxie.
If you would like to edit the file/folder on the live system or pass it on to someone else, use the sandbox environment to convert the suspicious file into another suitable format that leaves out the active content of the original file, for example:
- PDF files: open the file in a PDF viewer and print it to a new PDF file.
- MS Office files: open the file in LibreOffice and export it as a PDF file.
Less experienced users can contact their system administrator or the KIM support team for assistance.