File analysis can be divided into two types: static, where a file is examined without being executed, and dynamic, where the file is run in a safe environment (a test machine or a virtual machine, such as a sandbox). Here, I will describe how to set up a working environment for safe static analysis of malicious files in Windows.
First, it’s important to note that following all of the rules listed below will not fully protect you from infection or data loss caused by careless handling of malicious files. However, they will significantly improve the reliability of your working environment.
So, what risks do we face when analyzing malware?
Accidental execution of a file
Exploitation of vulnerabilities in analysis tools
Antivirus blocking tools or deleting the analyzed file
Let’s go through them one by one.
At first glance, during static analysis we are not supposed to run files, but accidental execution is the most common mistake caused by human factors. To avoid this, it is recommended to follow three main rules:
Work in a single directory
Keep all analyzed files and related artifacts in one directory and its subdirectories. For example, a main directory Work with subdirectories such as Collection, Tasks, Bugs, each with its own structure. Regardless of how you organize your workflow (analyzing files in one directory and storing results in another, e.g., Work\Tasks\Task_{ID}, or keeping everything within a single case directory), both you and the OS (more on that below) should treat this directory as potentially dangerous.
Use file extensions unknown to the OS
You can simply add an underscore to the file extension or replace one of its characters. In Windows, all recognized extensions are registered in the system registry. If the extension is unknown, the OS will prompt the user to choose how to open the file.
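One way to apply this rule to every sample already in the working directory, as an added PowerShell example that is not part of the original article. The working directory C:\Work and the list of extensions treated as risky are assumptions; adjust both to your environment.

```powershell
# Added example (not from the original article): neutralise file extensions in the
# working directory so Windows no longer has a registered handler for the samples.
# Assumptions: working directory C:\Work; the extension list is illustrative.
$WorkDir = 'C:\Work'
$RiskyExtensions = @('.exe', '.dll', '.scr', '.bat', '.cmd', '.ps1', '.vbs',
                     '.js', '.jse', '.wsf', '.hta', '.lnk', '.msi')

function Disable-SampleExtension {
    param([string]$Path, [string[]]$Extensions)
    Get-ChildItem -Path $Path -File -Recurse | ForEach-Object {
        $ext = $_.Extension.ToLower()
        # Skip files that were already neutralised (extension ends with "_")
        if ($ext.EndsWith('_')) { return }
        if ($Extensions -contains $ext) {
            # "sample.exe" -> "sample.exe_": the registry knows no handler for ".exe_",
            # so a double-click only opens the "How do you want to open this file?" dialog
            Rename-Item -LiteralPath $_.FullName -NewName ($_.Name + '_') -ErrorAction Stop
            Write-Host "Neutralised: $($_.FullName)"
        }
    }
}

# Restore the real name of one file when a tool insists on the original extension
function Restore-SampleExtension {
    param([string]$FilePath)
    if ($FilePath.EndsWith('_')) {
        $original = (Split-Path -Leaf $FilePath).TrimEnd('_')
        Rename-Item -LiteralPath $FilePath -NewName $original
    }
}

Disable-SampleExtension -Path $WorkDir -Extensions $RiskyExtensions
```

Restore a file only while a tool needs it, then neutralise it again; the path rule described below still blocks execution inside the directory even while the original extension is present.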
Prevent execution of files in the working directory
This can be configured using Local Group Policy.
Open the Local Group Policy Editor: Win + R → gpedit.msc → Enter
Navigate to: Computer Configuration → Windows Settings → Security Settings → Software Restriction Policies
Find Designated File Types and open it. In the dialog, you will see a list of extensions to which execution restrictions apply. You can modify or expand this list as needed.
Next, create a rule: Go to Additional Rules, right-click, and select New Path Rule.
In the dialog window:
Specify the path to your working directory
Set Security level to Disallowed
Click OK
The rule will appear in the results pane under Additional Rules.
To verify that the rule works, create a simple script file in the working directory (e.g., with content echo 123). If execution is blocked, Windows will display a warning.
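The check described above, as an added PowerShell example (not part of the original article): it reads the Software Restriction Policies registry keys that gpedit writes to confirm a Disallowed path rule exists for the working directory, then tries to run a harmless echo 123 script there and reports whether the OS blocked it. The working directory C:\Work is an assumption; the registry layout (Disallowed rules under CodeIdentifiers\0\Paths, each a GUID subkey with an ItemData value) is the standard SRP layout.

```powershell
# Added example (not from the original article): verify the SRP path rule end to end.
# Assumptions: working directory C:\Work; standard SRP registry layout written by gpedit.
$WorkDir = 'C:\Work'
$SrpDisallowedPaths = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths'

function Test-SrpPathRule {
    param([string]$Path)
    if (-not (Test-Path $SrpDisallowedPaths)) { return $false }
    # Each rule is a GUID subkey; ItemData holds the path the rule applies to
    $rulePaths = Get-ChildItem $SrpDisallowedPaths | ForEach-Object {
        (Get-ItemProperty $_.PSPath).ItemData
    }
    $match = @($rulePaths | Where-Object {
        $_ -and ($_.TrimEnd('\') -ieq $Path.TrimEnd('\'))
    })
    return $match.Count -gt 0
}

function Test-ExecutionBlocked {
    param([string]$Directory)
    $script = Join-Path $Directory 'srp_test.cmd'
    Set-Content -Path $script -Value 'echo 123'   # harmless test script, as in the article
    try {
        # With a working rule, starting the file fails with
        # "This program is blocked by group policy" (Win32 error 1260)
        Start-Process -FilePath $script -Wait -ErrorAction Stop | Out-Null
        return $false                              # it ran: the rule is NOT in effect
    } catch {
        $inner = $_.Exception.InnerException
        $byPolicy = ($inner -is [ComponentModel.Win32Exception]) -and ($inner.NativeErrorCode -eq 1260)
        return $byPolicy -or ($_.Exception.Message -match 'group policy')
    } finally {
        Remove-Item $script -ErrorAction SilentlyContinue
    }
}

Write-Host ("SRP rule present for {0}: {1}" -f $WorkDir, (Test-SrpPathRule $WorkDir))
Write-Host ("Execution blocked in {0}: {1}" -f $WorkDir, (Test-ExecutionBlocked $WorkDir))
```

Both lines should print True; if the first is True and the second False, run gpupdate /force or sign out and back in, since SRP changes apply at logon.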
---
Exploitation of vulnerabilities in analysis tools
In my experience, I haven’t encountered this directly (or perhaps didn’t notice), but there is always a small chance of encountering a malicious “surprise.” Applications used for malware analysis may contain vulnerabilities that allow execution of malicious code. Some tools even display warnings about this.
This is especially true for free software, which may include hidden functionality. The key rule here is: keep your tools up to date. If you are unsure about the reliability of a tool, run it in a secure environment, just as you would for dynamic analysis.
---
Antivirus interference
It is advisable to have antivirus software installed on your Windows machine. While it can sometimes be inconvenient, it usually does its job well, often without you even noticing potential threats.
When working with malware, configure your antivirus to exclude your working directory and its subdirectories from scans. This is usually enough to prevent analyzed files from being quarantined (and they can be restored if needed). In some cases, you may also need to add analysis tools to the trusted list. Do this only when necessary, not for all applications at once.
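The exclusion step above for Microsoft Defender, as an added PowerShell example (not part of the original article). It assumes Defender is the installed antivirus, that the working directory is C:\Work, and that the tool path is a placeholder; it must run from an elevated PowerShell.

```powershell
# Added example (not from the original article): exclude the working directory from
# Defender scans, trust a single tool only when needed, and show what is excluded.
# Assumptions: Microsoft Defender; working directory C:\Work; tool path is a placeholder.
$WorkDir = 'C:\Work'
$ToolExe = 'C:\Tools\analyzer.exe'   # placeholder: add a tool only when Defender actually blocks it

function Add-WorkDirExclusion {
    param([string]$Path, [string]$Tool)
    # A path exclusion covers the directory and all of its subdirectories
    Add-MpPreference -ExclusionPath $Path
    if ($Tool) {
        # A process exclusion stops scanning of files opened by this one process.
        # Keep it per tool rather than trusting every application at once.
        Add-MpPreference -ExclusionProcess $Tool
    }
}

function Remove-WorkDirExclusion {
    param([string]$Path, [string]$Tool)
    Remove-MpPreference -ExclusionPath $Path
    if ($Tool) { Remove-MpPreference -ExclusionProcess $Tool }
}

function Show-DefenderExclusions {
    $pref = Get-MpPreference
    [pscustomobject]@{
        ExcludedPaths     = $pref.ExclusionPath
        ExcludedProcesses = $pref.ExclusionProcess
        RealTimeEnabled   = -not $pref.DisableRealtimeMonitoring   # protection stays on elsewhere
    }
}

Add-WorkDirExclusion -Path $WorkDir          # pass -Tool $ToolExe only if a tool is being blocked
Show-DefenderExclusions | Format-List
```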
---
These are the basic rules for working with malicious files. However, there are other risks and inconveniences, such as accidentally deleting artifacts or someone accessing your working directory and making unintended changes. In my opinion, these are secondary factors outside the main workflow.