OPSWAT Announces FileScan.IO Asset Acquisition. Read More

Blocking Malicious File Uploads, Part 1: Best Practices

Blocking Malicious Files

In order to keep a business running properly, you need to share files with and from internal employees, partners, and customers. File uploading is usually done by the departments that often handle sensitive data — accounting, HR, legal, etc. However, users no longer need to install a rogue application in order to get infected — that can happen by opening what appears to be a resume, an invoice, a courier receipt, or any other productivity file.

Any files coming inside an organization should be audited and analyzed, even when the sender seems to be a trusted, reliable source.

To ban file uploads altogether would be impractical. Clearly, it is necessary to make file uploading and importing more secure in order for businesses to function.

See Part 2 of this series.
See Part 3 of this series.

Productivity Files and File Uploads

The most commonly uploaded and shared files in office settings are:

  • Microsoft Office files: doc(x), xls(x), ppt(x), etc.
  • Images: jpeg, png, tiff, etc.
  • PDFs


Most day-to-day activities rely on these file types, and at first glance, they seem harmless. But advanced features in these file formats can be exploited by attackers. Most people are aware of malicious macros, but Microsoft Office documents (and not just Word or Excel files) can contain many other kinds of advanced threats as well. For example, OLE objects disguised as embedded multimedia or script-enabled ActiveX controls can be configured by attackers to download malicious payloads. PDFs may contain JavaScript that performs malicious actions.

Below are a few examples of how easy it was for hackers using regular productivity files to target enterprises or government agencies with high-security standards:

*HWP documents are widely used in South Korea.

Additionally, malicious files can be disguised as one of these file types — these are called "spoofed" files.

First Steps to Keeping File Uploads Secure

Every organization has different workflows and different security needs. When designing a strategy to keep productivity file uploads secure, it's important to assess your unique situation. Start by asking questions like:

  • How many restrictions can you add without impacting productivity?
  • How much can you rely on user training? How confident are you that your users will actually apply everything they learn in security training?
  • Even if you will first open files in a sandbox environment, how confident are you that the simulated environment will replicate to perfection the real environment?

Also consider your use case. When and why do users need files uploaded on your portal? What formats are used? What are the risks in allowing those files to enter your organization?

If you are simply receiving scanned documents or resumes, collaborating with your partners' drafting agreements, or sharing invoices or POs:

  • Why would you allow a PDF with embedded JavaScript?
  • Are you sure you can trust a document that contains hyperlinks, macros, OLE objects, or ActiveX controls?
  • How do you know if an image is legitimate and hasn't been crafted by an attacker?

But it's one thing to decide that any files containing scripts or macros should not enter an organization; it's another thing to enforce that policy. It is not a simple matter to determine what exactly a file contains without opening it.

This is why further steps are necessary to block malicious files disguised as common productivity files.

Best Practices

Only allow certain types of file formats. This is a simple but necessary step. The idea is to block any file that will not impact your team's productivity, while avoiding unnecessary risks. Make business-driven decisions about which kinds of files employees and users need, and which kinds are unnecessary. Doing so will eliminate only a small part of the risk of malicious file uploads, but it's a start.

Block unnecessary file types, disguised files, and spoofed files. Identifying and verifying the true type of a file is a tricky thing. A lot of file verification solutions rely on merely reading the file extension. This is actually more dangerous than not having a solution in place at all, since users will expect that any file that comes through is safe to open. In fact that's not true — faking the true type of a file is a very old method of hiding malicious software, and any hacker worth their salt will take this step.

Additionally, with the simplified interfaces of contemporary operating systems that don't display already-known file extensions, it's even easier for a spoofed file to hide in plain sight.

It is essential to find and implement a solution that can identify the true type of a file even when it is disguised.

Don't make the exception a rule. If only the design team needs to use and upload .psd and .ai files, set customized rules for them, rather than allowing everyone to use those files. Keep the general allowed file types set to a minimum.

Set up security policies that exceed the bare minimum. This may involve creating a custom solution for your application or organization. The best approach is to integrate with anti-malware scanning software so that all file uploads are scanned for malware, and all files containing malicious content are detected. An anti-malware integration of this kind would require the use of antivirus APIs.

OPSWAT Antivirus API

Using a MetaDefender API integration, all file uploads will be scanned — not just with one anti-malware engine, but with 30 or more, without significantly impacting user experience or upload speed.

At the end of the day, advanced threats require more advanced prevention measures. There is no one-size-fits-all solution out there.

See Part 2 of this series.
See Part 3 of this series.

For more information, please contact one of our cybersecurity experts.

Sign up for Blog updates!
Get information and insight from the leader in advanced threat prevention.