Analyze files for malware and more with Safer Computing’s FileAlyzer
FileAlyzer is a file analysis tool from Safer Computing, the developer of Spybot -- Search & Destroy. Its focus is on helping experts check unknown executables for signs of malware, but has many other uses and applications.
Launch the program, open an EXE and FileAlyzer opens a report window with no less than 21 tabs. It’s a little intimidating, but the initial "General" tab is gentler, focusing on a few basic details: location, size, version, create/ last access/ last write times, attributes, and a few hashes (CRC-32, MD5, SHA-1).
The "PE Header" tab displays various details from the program header. Most can safely be ignored, but there are a few interesting items: "Machine" will tell you whether this is a 32 or 64-bit executable, for instance, while "Sub system" identifies it as a GUI or console program.
The "PE Resources" section lists icons, bitmaps and whatever other resources the file may contain. By default these get very cryptic hex labels -- bitmap "170", "0C09"" -- but left-clicking any of these displays a preview, and a right-click menu has options to copy the resource to the clipboard, or save it to a file.
The "Hex" tab is particularly useful if you’re trying to find out what an executable does. It opens as a standard hex viewer, enabling you to scroll through the file. Right-click and select "Search for strings", though, and FileAlyzer lists the text strings your file contains, any Registry keys, URLs, file names and GUIDs. This isn’t exhaustive -- the program may access other Registry keys, even if they’re not listed here -- but the report can still give you very useful information on a file’s purpose.
A "VirusTotal" tab has a "Submit" button which, presumably, should send your file for analysis. Unfortunately, it didn’t seem to do anything at all on our test system. FileAlyzer hasn’t been updated since 2011, so perhaps it’s just broken.
The "Classification Sources" tab runs a search for your file hash in more places: Google, Bing, Yahoo!, Threat Expert, Comodo, and (again) VirusTotal. Annoyingly, just clicking "Classification Sources" caused FileAlyzer to hang for some time, presumably as it waited for the results. But eventually it came back to life, and this time did deliver useful results (including from VirusTotal).
The remaining tabs gradually get more complex, listing your file NTFS streams, its function imports and exports and PE sections -- there’s even a disassembler. But if you’ve had enough, all the key file details may be exported as a text, HTML or XML report, or just copied to the clipboard for reuse wherever you like.
FileAlyzer desperately needs an update. And it should be portable, too. Most of its features still work just fine, though, and if you ever need to analyze files on your own PC then FileAlyzer will be able to help.