
Scan files for hidden executable contents

Attackers have several options for disguising executable files on a system so that users run them without noticing.

A common approach exploits Windows' default setting to hide the extensions of known file types: a file named invoice.pdf.exe is shown in Explorer as invoice.pdf, which makes it harder for users to identify what kind of file they are looking at.

There are other options. The Right-to-Left Override trick inserts the Unicode RLO control character into a file name so that the rest of the name is displayed reversed; the visible extension changes while most of the file name stays readable. Another option is to rename the executable to a harmless extension such as .txt and run it later from a system command, which does not care about the extension.

While antivirus software may spot some of these attempts and block them, it is likely that at least some of them are not detected right away.

The free program MZReveal scans the directory it is placed in, and all of its subdirectories, for executable files that are disguised under other file types. It identifies them by their content rather than their extension.


The program is portable and you can run it right from Windows Explorer. It displays a console prompt when you execute it that asks you to answer yes or no to "bare filenames".

Once you have made the selection it scans all files in all directories under that root folder. The scan is very fast; it took less than half a second to go through more than 3000 files, for example.

Results are displayed in the console window, but the window closes seconds afterwards, which means that you cannot go through them on the screen.

Instead, MZReveal creates a log file in the root directory after the scan that you can load in any text editor.

The log file lists all hidden executable files and their paths on the system. Note that the author refers to PE (Portable Executable) files, the Windows executable image format that starts with the "MZ" DOS header. This means that the program does not only find .exe files but also .dll files and several other formats that share the PE layout, including screensavers (.scr) and drivers (.sys).
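The check MZReveal performs (PE content under a non-executable extension) and the two name tricks described at the top of the article can be reproduced in a short scanner. The following is an added example written for this article, not MZReveal's own code: it walks a directory tree, reads each file's DOS and PE headers instead of trusting the extension, and additionally flags the RLO control character and document-style double extensions in file names. The list of extensions under which a PE image is considered legitimate, the document extensions, and the sample tree of constructed files are assumptions made for the example.

```python
import os
import struct
import tempfile
from pathlib import Path

# Extensions under which a PE image is expected. Assumed list for this example;
# MZReveal's own list is not published in the article.
PE_EXTENSIONS = {".exe", ".dll", ".scr", ".sys", ".cpl", ".ocx", ".drv", ".efi"}
# Harmless-looking inner extensions worth flagging when a real PE extension follows them.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".txt", ".jpg", ".png"}
RLO = "\u202e"  # Unicode RIGHT-TO-LEFT OVERRIDE control character


def is_pe_file(path):
    """True if the file starts with an MZ DOS header whose e_lfanew field
    (little-endian DWORD at offset 0x3C) points at the 'PE\\0\\0' signature."""
    try:
        with open(path, "rb") as f:
            dos_header = f.read(64)
            if len(dos_header) < 64 or dos_header[:2] != b"MZ":
                return False
            (e_lfanew,) = struct.unpack_from("<I", dos_header, 0x3C)
            f.seek(e_lfanew)
            return f.read(4) == b"PE\x00\x00"
    except OSError:
        return False


def display_name(name):
    """Render a name the way Explorer shows it: everything after RLO appears reversed."""
    if RLO not in name:
        return name
    head, _, tail = name.partition(RLO)
    return head + tail[::-1]


def scan_for_hidden_executables(root):
    """Walk root and return {relative path: [reasons]} for every suspicious file."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            reasons = []
            if RLO in name:
                reasons.append("RLO in name; Explorer shows it as %r" % display_name(name))
            if is_pe_file(path):
                suffixes = [s.lower() for s in path.suffixes]
                ext = suffixes[-1] if suffixes else ""  # "" covers bare filenames
                if ext not in PE_EXTENSIONS:
                    reasons.append("PE image with non-executable extension %r" % ext)
                elif len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTENSIONS:
                    reasons.append("PE image with double extension %r" % "".join(suffixes[-2:]))
            if reasons:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = reasons
    return findings


def make_fake_pe():
    """Constructed minimal MZ/PE stub (not a runnable program): a 64-byte DOS
    header whose e_lfanew points at a 'PE\\0\\0' signature right after it."""
    header = bytearray(64)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 64)
    return bytes(header) + b"PE\x00\x00"


# Constructed sample tree covering the disguises discussed in the article.
SAMPLE_FILES = {
    "readme.txt": b"just text\n",                   # clean
    "notes.txt": make_fake_pe(),                    # .exe renamed to .txt, run later from cmd
    "update": make_fake_pe(),                       # bare filename, no extension at all
    "tools/helper.dll": make_fake_pe(),             # legitimate: PE under a PE extension
    "invoice.pdf.exe": make_fake_pe(),              # shows as invoice.pdf with extensions hidden
    "photo_" + RLO + "gnp.exe": make_fake_pe(),     # RLO trick: Explorer shows photo_exe.png
}


def build_sample_tree(root):
    for rel, data in SAMPLE_FILES.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def demo():
    """Build the constructed tree in a temporary directory, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_for_hidden_executables(root)


if __name__ == "__main__":
    for rel, reasons in sorted(demo().items()):
        print(rel, "->", "; ".join(reasons))
```

Run as a script it reports the renamed, bare, double-extension and RLO files and stays silent on readme.txt and tools/helper.dll. Checking e_lfanew and the PE signature, rather than just the two MZ bytes, avoids false positives on files that merely begin with "MZ" (such as text or archives) and mirrors what "PE file" means in the MZReveal log.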

The discovery of disguised executable files in a directory is not necessarily a bad thing, since legitimate software sometimes ships PE images under other extensions. It still makes sense to go through each reported file, for instance by scanning it locally or on VirusTotal, to make sure it is clean and not malicious in nature.

Verdict

The author has announced that the program will receive updates in the near future with additional switches and options.

For now, it is a handy program to have at hand, even if you do not run it regularly on your system.

This article was first seen on ComTek's "TekBits" Technology News
