Author Topic: Are jpgs currently low risk?  (Read 2987 times)


AnnieMS

  • Guest
Are jpgs currently low risk?
« on: January 04, 2010, 08:51:40 PM »
I have WinXP SP3 and am in the process of setting up/learning avast 4.8 prof. The user's manual or help feature mentioned excluding folders w/ a large number of pictures as an option. You can also configure to scan by name extension and I'm guessing jpgs aren't one of the default extensions.

Is the exclusion of jpgs meant for quicker daily scans w/ good practice to run a more complete scan weekly? Does real-time protection check jpgs if I open or download one?

A recent Trend Micro Housecall scan on my computer detected 3 rootkits and 6 trojans of the "Troj IFrame CP" type - all files IDed as trojans had jpg extensions. [This scan is the reason I'm switching AV program to avast - highly recommended on several forums]. I'm assuming the scan results were accurate and I was guessing an IDed trojan was the bearer of the rootkits. Can jpgs be altered to carry trojans that carry rootkits? A different type of file could have been given a jpg extension, right?

Are malicious jpgs or malicious files labeled as jpgs currently rare? Are "bad" gifs only on webpages and protection = not going on those webpages?

norel

  • Guest
Re: Are jpgs currently low risk?
« Reply #1 on: January 04, 2010, 09:35:34 PM »
Hi, I can answer one of your questions.

Yes, avast! scans all files downloaded from the internet if the Web Shield and Network Shield are enabled. The Web Shield has a feature called 'Intelligent Stream Scanning' which scans files bit by bit as they're downloaded. If any malware is detected it stops the download and won't let it continue. If you don't want to use Intelligent Stream Scanning you can disable it, but avast! still scans downloaded files by placing the whole file in a temporary folder then scanning.

The only reason I can think of to turn it off might be to increase download speed. I tried that but didn't notice any difference. It's a nice little feature. :)

Offline scythe944

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2913
    • My Tech Blog
For generic computer (not avast) problems, you can also visit my forum for help: http://www.jacobytech.net/forum

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89333
  • No support PMs thanks
Re: Are jpgs currently low risk?
« Reply #3 on: January 04, 2010, 11:06:33 PM »
I beg to differ, there are many .jpg exploited files reported in the viruses and worms forum. Most people don't think an image can be infected and yes some of them can be infected and that means that they have to be scanned by default.

I have actually seen a jpg file that had an iframe tag at the bottom of it, I don't know how effective that would be, but when viewed in your browser I don't know. It does however beg the question why they would insert the iframe tag at the bottom of the jpg file if it couldn't be exploited.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.5.6116 (build 24.5.9153.762) UI 1.0.808/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

spg SCOTT

  • Guest
Re: Are jpgs currently low risk?
« Reply #4 on: January 05, 2010, 12:40:16 AM »
I beg to differ, there are many .jpg exploited files reported in the viruses and worms forum. Most people don't think an image can be infected and yes some of them can be infected and that means that they have to be scanned by default.

I have actually seen a jpg file that had an iframe tag at the bottom of it, I don't know how effective that would be, but when viewed in your browser I don't know. It does however beg the question why they would insert the iframe tag at the bottom of the jpg file if it couldn't be exploited.

A recent example: http://forum.avast.com/index.php?topic=52860.0

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89333
  • No support PMs thanks
Re: Are jpgs currently low risk?
« Reply #5 on: January 05, 2010, 01:25:36 AM »
Whilst this one is related to being a .jpg it isn't actually a jpg but an html file inside the .jpg.

So technically not a jpg file regardless of what it is called. This is actually exploiting the ability to run the html contents of either a modified .jpg or an inserted file with a .jpg extension.

Offline scythe944

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2913
    • My Tech Blog
Re: Are jpgs currently low risk?
« Reply #6 on: January 05, 2010, 04:52:30 PM »
Right, like I said it's possible.  But how often do you see malformed jpgs with things embedded in them, or with scripts that open viruses in them?

I think a virus with a .jpg extension would be more probable though.

Offline MikeBCda

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2247
Re: Are jpgs currently low risk?
« Reply #7 on: January 05, 2010, 09:44:11 PM »
I can never keep straight the differences in parameters between avast's on-demand scanners and its resident, on-access providers.  So I'll restrict this comment to on-demand scans.

The Help files are quite helpful on this point. If I recall correctly, the "strength" you select for such a scan is primarily directed to file types and their extensions, particularly where the two don't agree.  And my apologies if I've misquoted anything, I'm working from (admittedly questionable) memory, and hopefully I'm close enough to be at least somewhat helpful.

A simple scan works strictly from file-name extensions, regardless of what's actually in the file.  So if an exe or a dll has, for example, a .txt extension, the simple scan will most often skip over it simply because of the extension.

A standard scan, which is probably what most of us use most often, works the other way around, by determining for itself what type a file really is (from its content) rather than from what it's "called" (i.e., its extension).

And an advanced (extended?) scan will scan all files on your system, ignoring both file-type and extension, other than whatever specific exclusions you've set up.
Intel Atom D2700, 2 gig RAM, Win 7 x64 SP1 & IE-11, Firefox 51.0
(default). 320 gig HD, 15Mb DSL, Win firewall, Avast 12.3.2280 free, SpywareBlaster, MBAM Prem., Crypto-Prevent
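
An added example, not part of any poster's message and not avast's own scanning logic: a Python check for the two cases raised in Replies #5 and #7, a file whose content does not match its .jpg extension and a real JPEG with markup appended after its end-of-image marker. The function names, finding labels and sample bytes are constructed for illustration.

```python
import re
import struct

# Tags that have no business inside or after image data.
MARKUP = re.compile(rb"<\s*(iframe|script|html|object|embed)\b", re.IGNORECASE)

def jpeg_end(data):
    """Walk the JPEG marker segments; return the offset just past EOI, or None."""
    if data[:2] != b"\xff\xd8":            # SOI marker must open the file
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:              # every segment starts with 0xFF
            return None
        marker = data[pos + 1]
        if marker == 0xD9:                 # EOI: the image ends here
            return pos + 2
        if pos + 4 > len(data):
            return None
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len                 # length field counts itself
        if marker == 0xDA:                 # SOS: skip the entropy-coded scan,
            while pos + 1 < len(data) and not (   # stopping at a real marker
                    data[pos] == 0xFF and data[pos + 1] != 0x00
                    and not 0xD0 <= data[pos + 1] <= 0xD7):
                pos += 1
    return None                            # ran out of data before EOI

def inspect(data):
    """Return findings for the content of a file that carries a .jpg extension."""
    findings = []
    end = jpeg_end(data)
    tail = data if end is None else data[end:]
    if end is None:
        findings.append("not-jpeg")        # extension and content disagree
    elif tail.strip(b"\x00\r\n\t "):
        findings.append("trailing-data")   # bytes appended after EOI
    if MARKUP.search(tail):
        findings.append("markup")
    return findings

def sample_jpeg():
    """Constructed, structurally valid (not viewable) JPEG used as test input."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00" + bytes(9)
    sos = b"\xff\xda" + struct.pack(">H", 8) + bytes(6)
    return b"\xff\xd8" + app0 + sos + b"\x12\x34\xff\x00\x56" + b"\xff\xd9"

if __name__ == "__main__":
    iframe = b'\n<iframe src="http://example.invalid/"></iframe>'
    for label, blob in [("clean", sample_jpeg()), ("appended", sample_jpeg() + iframe),
                        ("renamed html", b"<html><body>" + iframe + b"</body></html>")]:
        print(label, inspect(blob))
```
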

AnnieMS

  • Guest
Re: Are jpgs currently low risk?
« Reply #8 on: January 05, 2010, 10:44:17 PM »
Thanks to all for the info and links.

If I understood what I read, it is possible to use jpgs for malicious intent and if conditions are right - like the gdi thing in MS programs in 2004 - that could be a problem. Currently, jpegs aren't on the effective or likely threat lists.

So, if I do an initial scan of my current picture folders and use Intelligent Stream Scanning [I do have it checked] via web shield, I can then safely speed up my scans by excluding jpgs or picture folders-even if jpgs become a problem in the future and I'm slow to find out about the threat [very likely].

It's going to take me awhile to learn pro because I'm not a pro, but I wanted the ability to configure different types of scans that I could schedule at different times and the scan results storage function. I just don't want to configure a security hole while I'm learning. I think scanning by extension is a pro thing - you have to understand how the threats gain entrance and what programs/policies you have in place to block them to use that safely. I don't actually have a clue why one would scan by extension.

So I'm sticking to the scan all files option and exclude by folder -after checking I don't have some other type files in my picture folders and then keep picture folders exclusive for pictures. I can exclude archive files on the packers page.