Author Topic: GIMP Sandbox Security Recommendation  (Read 4207 times)


Salv

  • Guest
GIMP Sandbox Security Recommendation
« on: November 05, 2011, 09:47:54 PM »
Hey, not sure if this is the right forum for this but hopefully it can be moved if not.

I've had GIMP for months now (and Avast even longer) but today I launched the program and as it loaded, I was given a security warning about a potentially unsafe application, a GIMP plugin. The information shown is the following:

File: C:\Program Files\GIMP-2.0\lib\gimp\2.0\plug-ins\gap_vid_enc_avi.exe
Origin: http://fc04.deviantart.net/fs24/f/2009/255/1/4/GAP_2_6_for_Gimp_2_6_Windows_by_photocomix_resources.zip
Opened by: C:\Program Files\GIMP-2.0\bin\gimp-2.6.exe

This has never happened before, so I scanned the GIMP folder and the exe with Avast and Malwarebytes' Anti-Malware. There was no infection so I closed and un/reinstalled GIMP with the GAP plugin. Launching the program causes the same recommendation to appear every time.

I'm really not sure what to do. Could anyone offer some advice? I'm uncertain about how to proceed and I just don't know whether the program is safe. Thanks.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89059
  • No support PMs thanks
Re: GIMP Sandbox Security Recommendation
« Reply #1 on: November 05, 2011, 10:01:14 PM »
It is a recommendation based on a number of things, it is just another layer which may prevent zero day stuff getting on to your system:
The autosandbox process is controlled in the first instance by the file system shield (FSS), the suspect.exe file is scanned before it is allowed to run. If it were infected, it could/should be detected by the FSS, so one reasonable thing in its favour is it hasn't had a definitive detection.

However, the FSS checks other things, amongst those a) is the file digitally signed, b) its location and what it does (this is done in the emulation check). These can trigger a suspicion, and it is this suspicion that results in the recommendation to use the autosandbox.

Now the user can accept this decision and run it in the autosandbox or have it run normally and to Remember the answer for this program. Provided of course you are familiar with the program and that it is clean and of course that you intentionally initiated the program.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

SHARKY7SHARKY

  • Guest
Re: GIMP Sandbox Security Recommendation
« Reply #2 on: November 05, 2011, 10:29:37 PM »
Sal you should give PhotoScape a try, I prefer that to Gimp

YoKenny

  • Guest
Re: GIMP Sandbox Security Recommendation
« Reply #3 on: November 05, 2011, 10:38:47 PM »
I prefer Paint.NET
http://www.getpaint.net

iyogisolutions1

  • Guest
Re: GIMP Sandbox Security Recommendation
« Reply #4 on: November 05, 2011, 10:51:34 PM »
Hi Salv

As you were using GIMP for months, it is legitimate software. You can add an exclusion in the sandbox.

To add the exclusion, please open the Avast UI --> additional protection --> sandbox --> exclusions --> then browse to the location of the GIMP executable file: C:\Program Files\GIMP-2.0\bin\gimp-2.6.exe and the plug-in file: C:\Program Files\GIMP-2.0\lib\gimp\2.0\plug-ins\gap_vid_enc_avi.exe as well,

and you can add the link: _http://fc04.deviantart.net/fs24/f/2009/255/1/4/GAP_2_6_for_Gimp_2_6_Windows_by_photocomix_resources.zip.

If you still face that issue, please let us know.

Have a Wonderful day. Good k@rma!

spg SCOTT

  • Guest
Re: GIMP Sandbox Security Recommendation
« Reply #5 on: November 05, 2011, 10:55:44 PM »
Ignore the previous posts about other software.

Gimp uses many files/plugins etc...that will cause many autosandbox alerts...

It was the reason that I turned the sandbox off when it first appeared.

Since there is no way to exclude a folder, you will have to exclude each one...I have done that now, but still occasionally get ones for Gimp plugins that I haven't used yet.


Offline DavidR

Re: GIMP Sandbox Security Recommendation
« Reply #6 on: November 05, 2011, 11:01:30 PM »
@ Salv
It doesn't matter what other users think might be a better option, that isn't what you are asking, but how to keep using GIMP as you have for months.

IF you get an autosandbox pop-up, follow what I said if you are sure it is clean and open normally and check the remember my answer for this program. Whilst as Scott said you may get more than one pop-up, it wouldn't take long for your regularly used files/plugins to be covered (if the autosandbox pinged them).

Salv

  • Guest
Re: GIMP Sandbox Security Recommendation
« Reply #7 on: November 05, 2011, 11:11:11 PM »
Thanks for all the replies, didn't expect so many so quick.

Unfortunately, I'm used to GIMP by now so I'd prefer not to switch to anything else but I'll keep those alternatives in mind should the situation require it.

Because of your response, DavidR, I think it's okay to assume the file is safe. It's a small plugin so it's unlikely it would be digitally signed. Luckily, this is the only thing triggering the sandbox recommendation so I shall have Avast remember to allow it to run normally.

Appreciate the help, so thanks again.

Offline DavidR

Re: GIMP Sandbox Security Recommendation
« Reply #8 on: November 05, 2011, 11:59:06 PM »
You're welcome.

The main thing is that it is A) known, that you installed it from a known source and B) there were no alerts from other avast shields.

If this were an unknown program/file from an unknown source and you didn't install it then it would be a totally different ball game and this extra level of security could protect from unknown/undetected zero day exploits/infections.

It would also allow for checking at another virus scanning source like VirusTotal:
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner.

spg SCOTT

  • Guest
Re: GIMP Sandbox Security Recommendation
« Reply #9 on: November 06, 2011, 01:15:40 AM »
Quote
Thanks for all the replies
You're welcome. :)

Each effect uses another plugin...which may well cause an autosandbox alert...

Just a selection of my exclusions list...

(I use the portable version of GIMP and others...many of which fill the exclusions list...the portable factor may also have an effect in differentiating how many alerts you get compared to me.)

Also, slightly OT, but...bug in the displaying of the path? Doesn't fill the space?

Offline DavidR

Re: GIMP Sandbox Security Recommendation
« Reply #10 on: November 06, 2011, 01:27:14 AM »
I think the portable factor would make the autosandbox more sensitive I believe.

Tetsuo

  • Guest
Re: GIMP Sandbox Security Recommendation
« Reply #11 on: November 06, 2011, 02:40:26 PM »
Hi Salv,

I too use the portable version of GIMP. The best thing to do in my opinion is to try following all David's suggestions.

On a side note - perhaps someone could find this useful for a future reference - I'm using also a HIPS security software and I had to add the plugins folder to the HIPS's exclusions list, just to avoid a very large number of warning pop-ups on the first program start - the reason, as explained by spg SCOTT in his post, is that Gimp uses many executables during the initialization.
« Last Edit: November 06, 2011, 03:43:55 PM by Tetsuo »
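
The checks DavidR describes in replies #1 and #8 (is the file digitally signed, did it come from a known source, can it be looked up on VirusTotal) can be run over the whole plug-ins folder before exclusions are added one by one. The PowerShell script below is an added example, not part of any post in this thread; it assumes the install path quoted in the first post, and portable installs need a different `-PluginDir`.

```powershell
# Added example (not from the thread): list each GIMP plug-in executable with the
# facts a user would want before choosing "open normally" or adding an exclusion.
param(
    # Path quoted in the first post; an assumption for any other install.
    [string]$PluginDir = 'C:\Program Files\GIMP-2.0\lib\gimp\2.0\plug-ins'
)

$report = foreach ($file in Get-ChildItem -LiteralPath $PluginDir -Filter '*.exe' -File) {
    $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
    $hash = Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256

    # Zone.Identifier is the NTFS stream Windows adds to downloaded files.
    # It is often missing for files unpacked from an archive, so absence proves nothing.
    $zoneId = $null
    $ads = Get-Content -LiteralPath $file.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if ($ads) {
        $m = $ads | Select-String -Pattern '^ZoneId=(\d+)' | Select-Object -First 1
        if ($m) { $zoneId = [int]$m.Matches[0].Groups[1].Value }
    }

    [pscustomobject]@{
        Name      = $file.Name
        Signature = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        ZoneId    = $zoneId              # 3 = Internet zone
        Modified  = $file.LastWriteTime
        SHA256    = $hash.Hash
    }
}

# HashMismatch means the file changed after it was signed: do not exclude it.
# Files without a valid signature are listed first.
$report | Sort-Object { $_.Signature -eq 'Valid' }, Name |
    Format-Table Name, Signature, ZoneId, Modified, SHA256 -AutoSize -Wrap
```

The SHA256 column can be pasted into VirusTotal's search box to look a file up without uploading it. A plug-in whose Modified time is newer than the install date is worth a second look before it goes on the exclusions list.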