Author Topic: Any other real-time file system shield "magic" extensions?  (Read 3821 times)

0 Members and 1 Guest are viewing this topic.

dave18

  • Guest
Any other real-time file system shield "magic" extensions?
« on: December 02, 2010, 08:23:47 PM »
Hello everyone!

I recently installed the free antivirus program (version 5.0.677) with just the file system shield. In the real-time file system shield settings I have:

"Scan documents when opening" unchecked
"Scan files when writing" checked

Under "Expert Settings", I have none of the "Scan when opening" options checked.

So with these settings, I am trying to keep avast from scanning any files I just open for reading. The problem is, any file with a ".jpg" extension gets scanned when I read it. As far as I can tell, I have not specified ".jpg" as a magic extension anywhere. I do want ".jpg" files scanned when written, but not when read.

Here's what I did to test this. I pulled up the "File System Shield" tab under "Real Time Shields" and noted the "Last file scanned" at the bottom of the screen. I then brought up an Explore window (right click the windows Start button) and find a ".jpg" file. I select the ".jpg" file by single clicking on it. That ".jpg" file now appears as the "Last file scanned".

There's something magic about the extension ".jpg" as this does not happen for other extensions. If I change the ".jpg" extension to something else it does not happen. I can take a ".txt" file and give it a ".jpg" extension and it will be scanned on read.

OK, I just now thought of a work around... I went to "Expert Settings" "Exclusions" and added "*.jpg" to the "R" list and that fixed it. It's not apparent that I should have needed to do this, but there you have it. I also had to add "*.jpeg" as an exclusion.

So that leaves me to ask... are there any other magic extensions that I have to override in the "Exclusions" area? Are these magic extensions published anywhere?

Thanks again for all the help!

-Dave

CharleyO

  • Guest
Re: Any other real-time file system shield "magic" extensions?
« Reply #1 on: December 02, 2010, 08:42:34 PM »
***

There is nothing magical about jpg & jpeg extentions. They are extentions for image files ... such as photographs.


***

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88749
  • No support PMs thanks
Re: Any other real-time file system shield "magic" extensions?
« Reply #2 on: December 02, 2010, 09:48:20 PM »
I think he knows that somehow, what he is saying is why avast considers them magic extensions.

As I explained in his other topic, avast and other AVs would scan files that are at risk of infection (e.g. targeted) and present an immediate risk if run/opened and that is where the jpg exploit comes in.
« Last Edit: December 02, 2010, 09:56:19 PM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.1.6099 (build 24.1.8821.762) UI 1.0.796/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

CharleyO

  • Guest
Re: Any other real-time file system shield "magic" extensions?
« Reply #3 on: December 02, 2010, 09:53:04 PM »
***

Ok, thanks David.   :)

I do not remember reading his other topic.    :-\


***

dave18

  • Guest
Re: Any other real-time file system shield "magic" extensions?
« Reply #4 on: December 03, 2010, 12:01:43 AM »
There is nothing magical about jpg & jpeg extentions. They are extentions for image files ... such as photographs.

LOL! Yeah, as the other David pointed out, I don't consider them "magical", but for some reason avast does.

I was just wondering if anyone else knows what other "magical" extensions there might be to avast.

Thanks.

-Dave

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88749
  • No support PMs thanks
Re: Any other real-time file system shield "magic" extensions?
« Reply #5 on: December 03, 2010, 12:12:46 AM »
I haven't got the list of the files in the default set, but my post outlines what they might be, files that are at risk of infection (e.g. targeted) and present an immediate risk if executed/run/opened, executables most commonly, .exe, .com, .dll, etc. etc.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.1.6099 (build 24.1.8821.762) UI 1.0.796/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

dave18

  • Guest
Re: Any other real-time file system shield "magic" extensions?
« Reply #6 on: December 03, 2010, 12:19:38 AM »
As I explained in his other topic, avast and other AVs would scan files that are at risk of infection (e.g. targeted) and present an immediate risk if run/opened and that is where the jpg exploit comes in.

But that same .jpg exploit can be used as a .wmv exploit or a .txt exploit, right? Or even a .whatever exploit. It seems to me that if you want to protect against virus on reads, you should be looking at all reads. But if you only want to protect against virus on writes, then you shouldn't be looking at reads for anything, much less .jpg.

This "special status" of .jpg and .jpeg files seems a little strange and not what I've experienced in other virus programs I've used, that's all.

Quote
files that are at risk of infection (e.g. targeted) and present an immediate risk if executed/run/opened, executables most commonly, .exe, .com, .dll, etc. etc.

But for .exe, .com, and .dll, aren't those handled by the execute options? I like that avast appears to have segregated things by read, write, and execute, but then behind the scenes they appear to be breaking the rules for certain file types.

Oh well, I've got a work around for it. I'll continue to evaluate the program. It looks like avast does some other things based solely on file extension. I'm not sure if I like that, but I'll tweak with it and see how it goes.

Thanks again for the help!

-Dave

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88749
  • No support PMs thanks
Re: Any other real-time file system shield "magic" extensions?
« Reply #7 on: December 03, 2010, 12:33:47 AM »
Well generally text files are inert, can't be executed if they are truly text files.

I don't know if .wmv is on the default list, since they can be exploited then they probably are.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.1.6099 (build 24.1.8821.762) UI 1.0.796/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security