PC Today

Basic Troubleshooting

What To Do When...
Article Last Reviewed October 2009


You Encounter An Unfamiliar File

The normally problem-free process of shutting down Windows XP began to give us trouble recently. In many cases, before the operating system would shut off, we encountered a message that said, “Ending Program ccApp . . . Please Wait.”

What in the world is ccApp, we wondered, and how did it get on our computer?

Turns out, the CcApp.exe file on our system is a process integral to the Norton AntiVirus program we installed recently.

Like us, you’ve probably encountered an unknown file and wondered if it was friend or foe. It’s tempting to delete it right away, but that would be a mistake if the file, as is the case with CcApp.exe on our system, is necessary for running a legitimate program.

When you run across an unfamiliar file, there are several smart, safe ways to go about identifying it.

Examine The Extension



The Smart Computing Web site contains a database of file extensions that identify types of files and the program with which they work.

If you are curious about a file you’re viewing through Windows, and thus can see its name and where it resides on your system, then the first thing you should do is right-click the file name and choose Properties from the pop-up menu. The Properties dialog box will have tabs that contain information, such as when the file was created, the name of the company that created it, and the program that opens the file. The information given here isn’t necessarily comprehensive, but it’s a start.

Your next step is to go online and learn more about the file by brushing up on its extension, the letters in the file name that appear after the period, such as .DOC in a Microsoft Word document file name.

Three excellent resources for this are the Smart Computing file extension list (www.smartcomputing.com/techsupport/FileExt.aspx), Wotsit.org (www.wotsit.org), and FILExt (filext.com). These sites offer an alphabetical list of file extensions, explaining what the extension stands for and the program(s) with which the file is created or used.

If these extension databases don’t offer what you’re looking for, use a search engine to find an explanation. That search may lead to another extension database, or to the company that makes the program that uses the file.

Program Processes

Special care must be taken, however, when the unknown file is an .EXE or other executable file. A program process is another way of referring to this type of file. Mostly, program processes run in the background on your system. In fact, you may be surprised to see just how many processes are running at once, even if you have few programs open.

To see what we mean, open the Windows Task Manager (press CTRL-ALT-DELETE simultaneously). First, click the Applications tab. You’ll see all the programs and files you’ve opened, such as Microsoft Word and Internet Explorer.



Look on the Process Library Web site to find out if the unknown executable file on your system is good, bad, or unnecessary.

Now click the Processes tab. Because this is a list of programs running on the computer, everything listed here is an executable file. You’ll also notice that there are far more processes listed than applications. In fact, at one point when we opened the Task Manager on our system, the Applications tab listed one open program, but the Processes tab listed 47 processes running. As mentioned, processes work in the background, including those processes you don’t want on your system.

Unfortunately, viruses, Trojans, spyware, and adware can also be executable files, and sometimes their authors give them the same names as legitimate files, or they take on the same name as legit files once they invade your system.

We found an informative site for learning about executable files and distinguishing between the good, the bad, and the unnecessary. The Uniblue Process Library (www.processlibrary.com) lists and defines executable files that are a legitimate part of Windows and other programs, such as drivers for peripheral hardware devices, as well as those that pose security risks and shouldn’t be on your system. You can use this library freely.

We learned from the Process Library that the CcApp.exe file on our system provides autoprotect and email checking capabilities for Norton AntiVirus. If the file is removed, the program won’t function properly; in fact, the site warns not to terminate the file.

On the other hand, Process Library also informed us that a file by this same name is a process that belongs to an advertising program. This file collects data about the user's browsing habits and sends the information back to the servers of the author of the file. In addition, the file generates pop-up ads. Process Library urges the removal of this file.



Windows Task Manager shows all the processes (executable files) running on your system.

So the question becomes, how do you determine whether the executable file in question is good or bad? One answer is that it depends on the part of your system from which it is operating. If it is tucked in the folder of the program it should belong to, as the CcApp file on our system is, then you should be OK. Therefore, if you find an executable file on your system you’re not sure about, check with the Process Library to identify it and then use the Search command (click Start and then Search) to determine where the file is located on your system. Finally, read what the Process Library recommends about keeping or deleting the file.

In addition, you should check with the Web site of the manufacturer of the antivirus program you use. Sites such as Symantec (www.symantec.com) and McAfee (www.mcafee.com), which are leading makers of antivirus software, include the most up-to-date information about viruses, Trojans, spyware, and adware. For example, on the McAfee home page, the Threat Center lists the names of the most recent problem files. Click the name of the file, and you’ll learn such details as the type and subtype of the file, when the file was discovered, what it will do to your computer, and what level of risk it poses.

FileAdvisor

If your system is protected with an AV program that you keep updated, you should rarely, if ever, encounter a file on your system that poses a threat.

But if you want an extra layer of protection, try FileAdvisor, a free search engine you can download from Bit9 (www.bit9.com/products/fileadvisor.php) or use on the Web (fileadvisor.bit9.com/services/search.aspx). The catalog indexes millions of executable files, drivers, and patches that make up programs designed for Windows, as well as malicious files that can disrupt or damage your system. With the click of a button, you can submit a name or hash (a string of numbers contained in the file) of an unknown file and receive a host of identifying information about it. With FileAdvisor, you get all the advantages offered by the other Web sites and tools we’ve mentioned from one source.
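
The location check from the Program Processes section and the hash lookup described here can be done in one pass. The Python below is an added example, not part of the original article or any vendor's tool: it finds every copy of a file name, records whether each copy sits inside the folder you expect, and computes a SHA-256 hash from each file's contents. The expected folder shown is a placeholder, and the function names are hypothetical.

```python
import hashlib
import os
from pathlib import Path


def sha256_of(path, chunk_size=65536):
    """Hash the file's bytes in chunks so large executables are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_inside(path, folder):
    """Compare whole path components; a string-prefix test would treat
    'ExampleApp Extras' as if it were 'ExampleApp'."""
    return Path(folder).resolve() in Path(path).resolve().parents


def find_copies(file_name, search_roots, expected_dir):
    """Report the location and hash of every file called file_name."""
    wanted = file_name.lower()  # Windows file names are case-insensitive
    report = []
    for root in search_roots:
        for current, _dirs, files in os.walk(root):
            for name in files:
                if name.lower() != wanted:
                    continue
                full = os.path.join(current, name)
                try:
                    digest = sha256_of(full)
                except OSError:
                    digest = None  # locked or unreadable file
                report.append({"path": full, "sha256": digest,
                               "in_expected_dir": is_inside(full, expected_dir)})
    return sorted(report, key=lambda row: row["path"])


if __name__ == "__main__":
    # Placeholder folder (assumption): use the folder your program installed to.
    expected = r"C:\Program Files\ExampleVendor\ExampleApp"
    for row in find_copies("ccApp.exe", ["C:\\"], expected):
        where = "expected folder" if row["in_expected_dir"] else "UNEXPECTED LOCATION"
        print(f'{row["path"]}  [{where}]  sha256={row["sha256"]}')
```

Two copies with the same name but different hashes, one of them outside the expected folder, is the same-name situation the Process Library entry for CcApp.exe describes.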

by Rachel Derowitsch




Copyright © by Sandhills Publishing Company 2010. All rights reserved.