Are jpgs currently low risk?

[AnnieMS]

I have WinXP SP3 and am in the process of setting up/learning avast 4.8 prof. The user's manual or help feature mentioned excluding folders w/ a large number of pictures as an option. You can also configure to scan by name extension and I'm guessing jpgs aren't one of the default extensions.

Is the exclusion of jpgs meant for quicker daily scans w/ good practice to run a more complete scan weekly? Does real-time protection check jpgs if I open or download one?

A recent Trend Micro Housecall scan on my computer detected 3 rootkits and 6 trojans of the "Troj IFrame CP" type - all files IDed as trojans had jpg extensions. [This scan is reason I'm switching AV program to avast - highly recommended several forums]. I'm assuming the scan results were accurate and I was guessing an IDed trojan was the bearer of the rootkits. Can jpgs be altered to carry trojans that carry rootkits?  A different type file could have been given a jpg extension, right?

Are malicious jpgs or malicious files labeled as jpgs currently rare? Are "bad" gifs only on webpages and protection = not going on those webpages?

[norel]

Hi, I can answer one of your questions.

Yes, avast! scans all files downloaded from the internet if the Web Shield and Network Shield are enabled. The Web Shield has a feature called 'Intelligent Stream Scanning' which scans files bit by bit as they're downloaded. If any malware is detected it stops the download and won't let it continue. If you don't want to use Intelligent Stream Scanning you can disable it, but avast! still scans downloaded files by placing the whole file in a temporary folder then scanning.

The only reason I can think of to turn it off might be to increase download speed. I tried that but didn't notice any difference. It's a nice little feature.

[scythe944]

http://stason.org/TULARC/security/computer-virus-l/64-Can-a-virus-hide-in-a-GIF-or-JPEG-file.html

http://antivirus.about.com/od/securitytips/a/jpgflaw.htm

http://www.security-forums.com/viewtopic.php?t=12541&sid=ac62bf660d2f92d792bda0b17134dd1a

In short, yeah it's possible. Not very likely though.

[DavidR]

I beg to differ, there are many .jpg exploited files reported in the viruses and worms forum. Most people don't think an image can be infected and yes some of them can be infected and that means that they have to be scanned by default.

I have actually seen a jpg file that an iframe tag at the bottom of it, I don't know how effective that would be, but when viewed in your browser I don't know. It does however beg the question why they would insert the iframe tag at the bottom of the jpg file if it couldn't be exploited.

[spg SCOTT]

I beg to differ, there are many .jpg exploited files reported in the viruses and worms forum. Most people don't think an image can be infected and yes some of them can be infected and that means that they have to be scanned by default.

I have actually seen a jpg file that an iframe tag at the bottom of it, I don't know how effective that would be, but when viewed in your browser I don't know. It does however beg the question why they would insert the iframe tag at the bottom of the jpg file if it couldn't be exploited.

A recent example: http://forum.avast.com/index.php?topic=52860.0

[DavidR]

Whilst this one is related to being a .jpg it isn't actually a jpg but an html file inside the .jpg.

So technically not a jpg file regardless of what it is called. This is actually exploiting the ability to run the html contents of either a modified .jpg or an inserted file with a .jpg extension.

[scythe944]

Right, like I said it's possible.  But how often do you see malformed jpgs with things embedded in them, or with scripts that open viruses in them?

I think a virus with a .jpg extension would be more probable though.

[MikeBCda]

I can never keep straight the differences in parameters between avast's on-demand scanners and its resident, on-access providers.  So I'll restrict this comment to on-demand scans.

The Help files are quite helpful on this point. If I recall correctly, the "strength" you select for such a scan is primarily directed to file types and their extensions, particularly where the two don't agree.  And my apologies if I've misquoted anything, I'm working from (admittedly questionable) memory, and hopefully I'm close enough to be at least somewhat helpful.

A simple scan works strictly from file-name extensions, regardless of what's actually in the file.  So if an exe or a dll has, for example, a .txt extension, the simple scan will most often skip over it simply because of the extension.

A standard scan, which is probably what most of us use most often, works the other way around, by determining for itself what type a file really is (from its content) rather than from what it's "called" (i.e., its extension).

And a advanced (extended?) scan will scan all files on your system, ignoring both file-type and extension, other than whatever specific exclusions you've set up.

[AnnieMS]

Thanks to all for the info and links.

If I understood what I read, it is possible to use jpgs for malicious intent and if conditions are right - like the gdi thing in MS programs in 2004 - that could be a problem. Currently, jpegs aren't on the effective or likely threat lists.

So, if I do an initial scan of my current picture folders and use Intelligent Stream Scanning [I do have it checked] via web shield, I can then safely speed up my scans by excluding jpgs or picture folders-even if jpgs become a problem in the future and I'm slow to find out about the threat [very likely].

It's going to take me awhile to learn pro because I'm not a pro, but I wanted the ability to configure different types of scans that I could schedule at different times and the scan results storage function. I just don't want to configure a security hole while I'm learning. I think scanning by extension is a pro thing - you have to understand how the threats gain entrance and what programs/policies you have in place to block them to use that safely. I don't actually have a clue why one would scan by extension.

So I'm sticking to the scan all files option and exclude by folder -after checking I don't have some other type files in my picture folders and then keep picture folders exclusive for pictures. I can exclude archive files on the packers page.