How often do you clean out your Downloads folder?

When you download something from a website, the file will be saved in the Downloads folder because of your browser’s default setting. Last time I checked mine, I had almost 2GB of files in the folder—a variety of zipped files, MS Office docs, pictures, and installers.

I suggest that you regularly delete the files you no longer use.

The benefit? The obvious answer is that you can increase your computer’s performance by releasing occupied storage. But more than that, you might delete a computer attack that is exploiting a well-known issue called “DLL Preloading.” [1]

What is the DLL Preloading issue? In short, it’s an attack that gets a Windows application to load a different program library—known as a DLL file—from the one it was meant to load, and that file may or may not come with arbitrary code. If the file comes with such code, you might open a backdoor or an entry point for a remote attack when you execute the application. And you probably won’t know that it happened, because what you execute looks normal. Under specific conditions, the application can reference this newly downloaded DLL file instead of the original safe file.

Here’s an example (see the figure below):

  1. In normal conditions, once Alpha.exe is started, it will load the legitimate “schannel.dll” from the System folder.
  2. Once a malicious “schannel.dll” has been downloaded into the current directory of Alpha.exe, the application will locate the malicious DLL file first.

Figure: DLL Preloading issue [2]

OK, that’s interesting. But why do I need to be concerned?

Your Downloads folder is commonly used as temporary storage for downloaded files. You might not consider cleaning up the folder because, well, it’s temporary—but it’s actually not. It’s likely that you will copy a downloaded file to another place, and then do other tasks and forget to delete the file from your Downloads folder.

If you don’t regularly clean up the folder, you may not be sure if, and when, you downloaded a malicious DLL file. Then, because you want to install some apps, you download the installer to the same folder. What if the installer is programmed to load a DLL, and a DLL with the exact same name is located in the current folder? You will eventually run arbitrary code.

Like cleaning up your working desk, regular cleanup of your Downloads folder reduces risk and improves computer performance. You may also want to create a new individual folder when you download applications instead of using the default Downloads folder.
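
Before deleting anything, you can list the DLL files that are sitting in the folder and see which ones deserve a closer look. The PowerShell script below is an added example, not part of the original post or of any Interfocus product. It assumes the default Downloads location under your user profile and uses the DLL names in System32 as the reference list of legitimate libraries; both paths are parameters you can change.

```powershell
# Added example: report DLL files in a download folder that could be picked up
# by an installer or application started from the same folder.
# Assumptions: Downloads lives under the user profile, and System32 is the
# reference set of legitimate library names.
param(
    [string]$DownloadDir = (Join-Path $env:USERPROFILE 'Downloads'),
    [string]$SystemDir   = (Join-Path $env:WINDIR 'System32')
)

# Collect the names of DLLs that Windows ships (case-insensitive lookup).
$systemNames = [System.Collections.Generic.HashSet[string]]::new(
    [System.StringComparer]::OrdinalIgnoreCase)
Get-ChildItem -LiteralPath $SystemDir -Filter '*.dll' -File -ErrorAction SilentlyContinue |
    ForEach-Object { [void]$systemNames.Add($_.Name) }

# Every DLL in the download folder and its subfolders.
$dlls = Get-ChildItem -LiteralPath $DownloadDir -Filter '*.dll' -File -Recurse `
    -ErrorAction SilentlyContinue

$findings = foreach ($dll in $dlls) {
    # Executables next to the DLL are the programs that could load it by name.
    $exeCount = @(Get-ChildItem -LiteralPath $dll.DirectoryName -Filter '*.exe' -File).Count
    $sig = Get-AuthenticodeSignature -LiteralPath $dll.FullName

    [pscustomobject]@{
        Path            = $dll.FullName
        ShadowsSystem   = $systemNames.Contains($dll.Name)  # same name as a System32 DLL
        ExeInSameFolder = $exeCount
        Signature       = $sig.Status                        # Valid, NotSigned, HashMismatch, ...
        Signer          = $sig.SignerCertificate.Subject     # empty when unsigned
        LastWrite       = $dll.LastWriteTime
    }
}

# Name collisions with system DLLs and folders that also hold executables come first.
$findings |
    Sort-Object ShadowsSystem, ExeInSameFolder -Descending |
    Format-Table -AutoSize
```

Save it as a .ps1 file and run it from a PowerShell prompt. A row with ShadowsSystem set to True and a Signature other than Valid is the case described in the example above: a DLL with a system library's name waiting next to whatever you run from that folder.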

As an Endpoint Management and Security Solutions leader, Interfocus focuses on users’ activity on their endpoint. In other words, understanding how end users use their working tool (laptop, mobile, etc.) is fundamental for endpoint security. I will shed more light on securing the endpoint in future Today’s Technology Tips blogs. See you next time.

[1] Best Practices to Avoid Windows Setup Launcher Executable Issues https://flexeracommunity.force.com/customer/articles/INFO/Best-Practices-to-Avoid-Windows-Setup-Launcher-Executable-Issues

[2] More information about the DLL Preloading remote attack vector https://blogs.technet.microsoft.com/srd/2010/08/23/more-information-about-the-dll-preloading-remote-attack-vector/