I am setting up a Linux box to examine malware samples. I wanted to create a directory where I could safely unzip each sample and run very basic triage commands against the file to collect information about the sample (for example, hashing the sample). In order to make sure that I do not inadvertently execute the sample, I wanted to ensure that the directory contents is non-executable.
Is it safe to merely chmod -R -x the directory and its contents before examining or should I mount a separate partition using noexec? Functionally they accomplish the same thing, but is one preferable over the other (or both!) in the case of malware interrogation and why?
