JPG
controler
July 23rd, 2006, 05:37 PM
Saving a friend's JPG file to desktop.
Then I open it and PG says the file is trying to install a service or driver.
Will I get an answer to this one?
Con
controler
July 24th, 2006, 08:05 AM
After rebooting and clicking on the JPG, PG only kicks up an alert on the second opening of the JPG, not the first.
The warning isn't about the file itself but rather it says explorer.exe is trying to install a service or driver when opening the JPG. Properties of the file are set to use Microsoft Picture and Fax Viewer just like my other JPGs.
I don't understand why I only get the alert on the one JPG and not any others.
I could try renaming it and see what happens. I think I may have submitted it over on VirusTotal with nothing found.
controler
July 24th, 2006, 11:09 AM
After further investigation, I find only JPGs saved from the internet are giving the warning, not ones saved from a scan or taken off a disk.
controler
July 25th, 2006, 07:11 PM
Even though PG is a good program I must give them a 2 out of 5 for support.
Why a 2? I think that is a good number since they know me and still do not respond.
Mr Controler means not too much in their minds.
I won't ask anymore questions.
<snip>
edited to remove off-topic remark - Detox
controler
August 1st, 2006, 11:34 AM
If anyone is using PG 3.405 could you please go to this site
http://www.kkln.com
download one of the pictures (they all seem to have the funny frame around them), then open it with Windows Picture and Fax Viewer?
On my system opening it the first time doesn't set off PG but the second time does or after pic is open, just clicking the zoom button sets off PG. The alert is explorer.exe tried to install service/driver.
I have execution ticked and also all 4 global protection setting ticked.
I just tried the pic on front page and PG does nothing on that one. I have to click on the tab that reads On the Loon and pick either Nate or Melanie, right click and save as to desktop or my pictures.
Thank you
controler
Osaban
August 1st, 2006, 11:58 AM
Followed your instructions, with PG 3.405 and no reaction whatsoever.
controler
August 1st, 2006, 01:43 PM
Thanks
Did you select Melanie or Nate?
I can download any other pictures anywhere and open scanned JPGs and nothing happens. I just think it is very weird is all.
controler
Osaban
August 1st, 2006, 05:15 PM
Well, on my first try I selected Melanie and Nate together, saving the picture to my desktop and opening it wouldn't trigger PG's reaction (same settings as yours).
But then you're right: if I select Melanie or Nate on their own, as soon as I open them it triggers PG's alert about a driver installation from Explorer. Is it malware?
controler
August 1st, 2006, 06:06 PM
Whew now I know it is not my system but I still wonder why those two trigger PG.
Scans at VirusTotal show nothing and neither does DCS's JPG scanner.
This makes me wonder if PG is using some sort of tag on files, otherwise how would PG know the difference?
Still hoping more users try it also. I also wonder if SSM triggers on those two as well or is it just a PG thing?
controler
controler
August 1st, 2006, 06:09 PM
Osaban
Are you using BoClean as well? PG and BoClean are the only two security apps I have on this system.
controler
Osaban
August 1st, 2006, 06:19 PM
No I'm not, why are you asking?
controler
August 1st, 2006, 06:23 PM
Just wondering if that had something to do with it.
Mele20
August 1st, 2006, 06:55 PM
I have 3.15 with the same settings. I just tried this with the Melanie pic and PG doesn't peep. I would think this is some bug in 3.4. I tried enough versions of 3.4 to know to stay well away from it until it is more stable and finalized.
controler
August 1st, 2006, 09:08 PM
Mele
Did you try clicking on the JPG twice?
I still and repeat wonder how PG tags the files. How does it know one JPG from another?
controler
Osaban
August 1st, 2006, 09:48 PM
When you did your tests, did you actually allow for the driver/service installation? This may be silly, but can a rootkit be installed by simply opening a photo?
It's a pity that nobody else is trying with SSM.
controler
August 1st, 2006, 10:19 PM
I did not allow the install. I have not heard of a kit being installed via photo but I think it would be as possible as the nasties using them before.
I even thought maybe size of photo was causing PG to alert but I tried adjusting the same photo size and it still alerts.
StriderSkorpion
August 2nd, 2006, 09:24 PM
I've tried both photos and neither one popped up a warning from ProcessGuard (using v3.405). On default I have JPG associated to another program (XnView), but I used both Preview and Open With... to open it with Windows Picture and Fax Viewer. Explorer is only allowed to read protected processes and install global hooks and I have all protections enabled. On whether or not malware can be put into an image, yes it can. There's an older exploit for JPEG rendering in Windows where a maliciously crafted image could execute code after causing an overflow in the GDI function. Recently, AOL ART support has been patched due to a similar issue and earlier this year, so has the WMF renderer. WMF isn't a typical image format and program execution is part of the format's standards created by Microsoft, IIRC.
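A structural check of the kind StriderSkorpion's remark calls for, added here as an example and not code from the thread or from any product mentioned in it: it walks the JPEG marker segments and refuses any segment whose 16-bit length field is below 2. That field counts its own two bytes, so a value of 0 or 1 makes a naive `length - 2` payload computation underflow, which is the malformed input behind the 2004 Windows GDI+ JPEG flaw (MS04-028). The sample file is constructed inline; a clean walk only says the header is well-formed, not that the file is safe.

```python
import struct
from typing import List, Optional, Tuple

SOI, EOI, SOS, COM = 0xFFD8, 0xFFD9, 0xFFDA, 0xFFFE
# Markers with no length field: SOI, EOI, TEM and the RSTn restart markers.
STANDALONE = {SOI, EOI, 0xFF01} | {0xFFD0 + i for i in range(8)}


def walk_jpeg_segments(data: bytes) -> List[Tuple[int, int, int]]:
    """Return [(marker, declared_length, offset)] for the header segments up to SOS.

    Every non-standalone segment carries a big-endian length that includes the two
    length bytes themselves, so any value below 2 is malformed: a parser that
    computes payload = length - 2 underflows on it. Raise instead of trusting it."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    segments = [(SOI, 0, 0)]
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = struct.unpack(">H", data[pos:pos + 2])[0]
        if marker in STANDALONE:
            segments.append((marker, 0, pos))
            if marker == EOI:
                break
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError(f"truncated length field at offset {pos}")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if length < 2:
            raise ValueError(f"marker 0x{marker:04X} at offset {pos} declares length {length} (< 2)")
        if pos + 2 + length > len(data):
            raise ValueError(f"marker 0x{marker:04X} at offset {pos} runs past end of file")
        segments.append((marker, length, pos))
        if marker == SOS:
            break  # entropy-coded scan data follows; the structural walk stops here
        pos += 2 + length
    return segments


def check_jpeg(data: bytes) -> Tuple[bool, str]:
    """(True, marker summary) for a structurally sane header, (False, reason) otherwise."""
    try:
        segs = walk_jpeg_segments(data)
    except ValueError as exc:
        return False, str(exc)
    return True, " ".join(f"{m:04X}" for m, _, _ in segs)


def build_sample(comment: bytes = b"hello", comment_length: Optional[int] = None) -> bytes:
    """Constructed minimal JFIF: SOI, APP0, COM, SOS (one component), one data byte, EOI.
    `comment_length` overrides the COM length field so a malformed file can be built."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    length = 2 + len(comment) if comment_length is None else comment_length
    com = b"\xff\xfe" + struct.pack(">H", length) + comment
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    return b"\xff\xd8" + app0 + com + sos + b"\x00" + b"\xff\xd9"


if __name__ == "__main__":
    print(check_jpeg(build_sample()))                  # well-formed header
    print(check_jpeg(build_sample(comment_length=1)))  # COM length below 2 is rejected
```

The walker deliberately stops at SOS and never decodes pixel data, so it is a pre-filter for obviously malformed headers, not a substitute for a patched renderer or a scanner.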
controler
August 3rd, 2006, 08:56 PM
Strider
It is not a GDI exploit on this system. Fully patched XP Pro.
I must stress it doesn't always happen on first open. It happens on my system after first open and then clicking magnify every time. Sometimes it happens on first open.
I guess I will have to install PG on my laptop and try it there. There is no rhyme or reason PG can alert on a couple of JPGs and not others, but then I can not get any response from the developers at all.
Mele20
August 3rd, 2006, 11:25 PM
I just downloaded both pics again so I could make sure I doubleclicked, use zoom, etc. I don't get any peep out of PG 3.15. I doubleclicked, I zoomed, I doubleclicked again. I used right click and chose open in Windows Fax and Picture Viewer, chose "Preview". Nothing causes PG to alert. I have Explorer authorized to read, modify and install global hooks and nothing else.
StriderSkorpion
August 4th, 2006, 01:23 AM
Controller, I wasn't saying that it was. I was just answering Osaban's question about pictures being used as a vector of attack for malware. I had viewed them more than once as your post initially stated and retried it just now also using zoom in and out, still without any problems. I really don't know why it would cause you any problems, especially on a fully patched system.
CloneRanger
August 4th, 2006, 02:17 AM
No noise out of SSM
Osaban
August 5th, 2006, 08:47 PM
-{ Quote: "Controller, I wasn't saying that it was. I was just answering Osaban's question about pictures being used as a vector of attack for malware. I had viewed them more than once as your post initially stated and retried it just now also using zoom in and out, still without any problems. I really don't know why it would cause you any problems, especially on a fully patched system." }-
My system behaves exactly like controler's (same pics and same behaviour), it is a fully patched XP Home and I agree at this stage only Diamonds might be able to shed some light on this question.
I've just tried the same experiment using IE instead of Opera (my default browser) and trying other websites as well, same results; for some reason only those two pics (Melanie and Nate) seem to interact with PG.
Osaban
August 6th, 2006, 02:07 AM
I've just finished working on some of my photos (.JPGs) taken with a digital camera, cropped and resized with Photoshop. When they are opened with Windows Picture and Fax Viewer, it triggers the same PG alert. It doesn't happen with all of the photos in the folder but only the ones that were resized. This seems consistent with controler's results.
Mele20, maybe you are right it is some kind of bug of version 3.405
StriderSkorpion
August 6th, 2006, 02:22 PM
I don't see how it's a bug with ProcessGuard as I have the same version as you (v3.405) and a fully patched XP Home with none of those issues. I'm not sure why my system doesn't do this and both of yours do. I've used nLite and XPLite on my system, but I'm pretty sure I didn't modify anything relating to graphics (except for removing AOL ART support). I've also done some tweaks on my system, such as disabling thumbnail caching (thumbs.db creation), but that's all I've "tweaked" in regards to images AFAIK.
controler
August 6th, 2006, 03:25 PM
Just installed my second LIC of PG on my laptop. XP home fully patched.
Same results.
Strider? Are you clicking on the "on the air" tab, right clicking on Melanie's pic and saving as to desktop?
Are you running BoClean? Not that it makes a difference but I could uninstall it and see what happens.
I would like to see many more users try this with the new version of PG.
controler
controler
August 6th, 2006, 06:01 PM
Last chance DCS
Either reply or you are history
You had more than enough time to reply???
con
Osaban
August 6th, 2006, 07:16 PM
-{ Quote: "I don't see how it's a bug with ProcessGuard as I have the same version as you (v3.405) and a fully patched XP Home with none of those issues. I'm not sure why my system doesn't do this and both of your's does. " }-
I said 'maybe it is some kind of bug'; nobody except Diamonds can really explain what's going on. One thing for sure, it is not malware of any kind as it's done it with my own pictures.
For the record I have: NOD32 - PG 3.405 - LnS -RegDefend - Ad Muncher - always running.
controler
August 6th, 2006, 07:35 PM
DS does not give a crap
too bad because now I am dumping PG
They had more than enough time to respond.
con
Mele20
August 7th, 2006, 12:09 AM
Could this http://www.dslreports.com/forum/remark,16596555 maybe be why DiamondCS doesn't seem responsive? How is PG going to be able to run on Vista? (I'm staying with XP even though I have a plenty powerful enough machine for Vista so I don't care. XP is likely my last MS OS I think but if PG won't run on Vista ...well, that might explain what has been happening here). PG already can't run on XP Pro 64 bit and DCS has said they have no plans to make that possible and now Vista.....
Gavin - DiamondCS
August 7th, 2006, 12:45 AM
Hi,
We're busy developing, but we assist where we can. I'm sorry I didn't see this thread earlier, but a simple email to support with the log would have got a lot more attention. No one has posted WHAT tries to install a driver; it depends on associations too... sure sounds like it... and settings such as thumbnails, I've changed a lot of those settings myself.
As for this sort of thing in general, the file itself is not malicious, nor is the program opening it and you could allow the program to install the driver.
Gavin - DiamondCS
August 7th, 2006, 12:53 AM
As for VISTA, that protection may be broken yet, it's early days. I agree with the theory of securing the OS stronger in the first place, and for drivers developers only need to get their code signed.
MALWARE has caused a real mess over the last few years; imagine if ADMIN wasn't the default user on Windows 2000, XP... many of the major attacks of the last 5 years would never have happened. If implemented properly, the OS will be able to secure itself against the casual attackers, even more skilled ones.
PG is suited to Windows 2000 and XP, and for malware attacks that have been occurring for years. When there is an area that needs protecting, it may fit there in VISTA. Surely there are going to be things PG can do in Vista. Big or small, who knows for sure yet.. Vista isn't even finished!
nick s
August 7th, 2006, 01:26 AM
Hi controler,
Just to pour a bit more fuel on the fire...
When I tested it quickly the other day, PG was silent. Tonight, on a hunch, I started the Print Spooler service first (which I have normally set to manual), double-clicked the .jpg, and PG alerted:
22:15:48 [EXECUTION] "c:\windows\system32\spoolsv.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [724]
[EXECUTION] Commandline - [ c:\windows\system32\spoolsv.exe ]
22:15:52 [DRIVER/SERVICE] c:\windows\explorer.exe [1612] Tried to install a driver/service named
I generated a related alert for rundll32.exe by selecting Open With > Microsoft Picture and Fax Viewer from the .jpg's context menu:
22:16:07 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [1612]
[EXECUTION] Commandline - [ "rundll32.exe" c:\windows\system32\shimgvw.dll,imageview_fullscreen c:\documents and settings\nick\desktop\melanie1.jpg ]
22:16:09 [DRIVER/SERVICE] c:\windows\system32\rundll32.exe [1996] Tried to install a driver/service named
Anyway, when I stop the Print Spooler service, then no alerts. Notice that PG does not name the service. Using Regmon, I saw no new services written to the registry (after setting PG to "Allow"). PG, BTW, alerted the same way with and without the latest BOClean installed.
Nick
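To make the correlation nick describes reproducible from a log file rather than by eye, the following added example (not part of the thread and not ProcessGuard's own code) parses PG-style log lines, assumed to match the format quoted in his post, and for each DRIVER/SERVICE alert reports which process launched the alerting one, its command line, and which processes PG logged as starting within a short window before the alert. The sample lines are constructed from that excerpt, including the blank service name PG leaves after "named".

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, modelled on the ProcessGuard log excerpt quoted above.
SAMPLE_LOG = "\n".join([
    r'22:15:48 [EXECUTION] "c:\windows\system32\spoolsv.exe" was allowed to run',
    r'[EXECUTION] Started by "c:\windows\system32\services.exe" [724]',
    r'[EXECUTION] Commandline - [ c:\windows\system32\spoolsv.exe ]',
    r'22:15:52 [DRIVER/SERVICE] c:\windows\explorer.exe [1612] Tried to install a driver/service named',
    r'22:16:07 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run',
    r'[EXECUTION] Started by "c:\windows\explorer.exe" [1612]',
    r'[EXECUTION] Commandline - [ "rundll32.exe" c:\windows\system32\shimgvw.dll,imageview_fullscreen c:\documents and settings\nick\desktop\melanie1.jpg ]',
    r'22:16:09 [DRIVER/SERVICE] c:\windows\system32\rundll32.exe [1996] Tried to install a driver/service named',
])

EXEC_RE = re.compile(r'^(\d\d:\d\d:\d\d) \[EXECUTION\] "([^"]+)" was allowed to run$')
PARENT_RE = re.compile(r'^\[EXECUTION\] Started by "([^"]+)" \[(\d+)\]$')
CMD_RE = re.compile(r'^\[EXECUTION\] Commandline - \[ (.*) \]$')
DRV_RE = re.compile(r'^(\d\d:\d\d:\d\d) \[DRIVER/SERVICE\] (.+?) \[(\d+)\] '
                    r'Tried to install a driver/service named ?(.*)$')


@dataclass
class Execution:
    time: str
    image: str
    parent: Optional[str] = None
    parent_pid: Optional[int] = None
    cmdline: Optional[str] = None


@dataclass
class DriverAlert:
    time: str
    image: str
    pid: int
    service_name: Optional[str]   # None when PG printed no name after "named"
    started_by: Optional[str]     # parent of the alerting process, if PG logged its launch
    cmdline: Optional[str]
    recent_starts: List[str] = field(default_factory=list)  # images launched shortly before


def to_seconds(hhmmss: str) -> int:
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def parse_pg_log(text: str, window: int = 10) -> List[DriverAlert]:
    """Attach parent and command line to each EXECUTION record, then for every
    DRIVER/SERVICE alert report what launched the alerting process and which
    processes started within `window` seconds before it (the spoolsv correlation)."""
    execs: List[Execution] = []
    alerts: List[DriverAlert] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := EXEC_RE.match(line):
            execs.append(Execution(m.group(1), m.group(2).lower()))
        elif (m := PARENT_RE.match(line)) and execs:
            execs[-1].parent, execs[-1].parent_pid = m.group(1).lower(), int(m.group(2))
        elif (m := CMD_RE.match(line)) and execs:
            execs[-1].cmdline = m.group(1)
        elif m := DRV_RE.match(line):
            t, image, pid, name = m.groups()
            image = image.lower()
            # most recent EXECUTION record for the same image, if PG logged one
            launch = next((e for e in reversed(execs) if e.image == image), None)
            recent = [e.image for e in execs
                      if 0 <= to_seconds(t) - to_seconds(e.time) <= window]
            alerts.append(DriverAlert(t, image, int(pid), name.strip() or None,
                                      launch.parent if launch else None,
                                      launch.cmdline if launch else None, recent))
    return alerts


def opened_by_picture_viewer(alert: DriverAlert) -> bool:
    """True when the alerting process is the shimgvw.dll (Picture and Fax Viewer) host."""
    return bool(alert.cmdline) and "shimgvw.dll" in alert.cmdline.lower()


if __name__ == "__main__":
    for a in parse_pg_log(SAMPLE_LOG):
        print(f"{a.time} {a.image} [{a.pid}] service={a.service_name!r} "
              f"parent={a.started_by} viewer={opened_by_picture_viewer(a)} "
              f"recent={a.recent_starts}")
```

On the sample, the explorer.exe alert has no launch record (Explorer was already running) but spoolsv.exe appears in its recent-starts list, while the rundll32.exe alert is tied back to explorer.exe as parent and to the shimgvw.dll command line; widening `window` pulls spoolsv.exe into the second alert's list as well.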
controler
August 7th, 2006, 07:37 AM
Thank you Gavin for showing up. You could be right about thumbnails but
I just verified what nick posted. If you have the spooler running PG alerts.
What I still don't understand is why it was only those two pics not regular ones on my HD. I thought I asked how PG tags files to know the difference?
hum maybe I didn't.
Mele? I think you are right on with Vista. They can take their DRM and put it you know where LOL
However, I am an advocate for making people sign their software but I say it has to be reputable sources agreed upon by big business. ;D
controler
StriderSkorpion
August 7th, 2006, 08:58 AM
If it's the Print Spooler service, then that explains why I didn't receive the error. I personally have that service deleted/uninstalled from my computer. IMO, it's strange that it tries to (re)install itself from explorer.exe (that's my guess on what's happening anyways). I know different programs do this, such as Unlocker v1.8.3 and User Profile Hive Cleanup. It may not even exactly be that, but related in a way to installing a driver/service. Again, this is just my guess as I'm not totally sure on what's happening here.
controler
August 7th, 2006, 09:07 AM
Strider
Not sure what you mean by reinstall itself. The service was always running
in taskmanager or are you saying the service was trying to install a driver?
I am confused about it myself and the fact it doesn't happen on all JPGs.
maybe I am owned? LOL
Mele20
August 7th, 2006, 06:25 PM
Why don't you just go back to 3.15? I have the Print Spooler service running all the time and I didn't get any error when I did those tests. But I went back to 3.15 some time ago.
controler
August 7th, 2006, 06:56 PM
Mele
I would go back but I think the self protection features are better in the new version. I just expected more help from DCS, as I am now seeing everyone did.
No need to send logs since it is explained here in detail.
controler
StriderSkorpion
August 7th, 2006, 09:33 PM
What I mean is that some services install themselves as a driver/service again for some reason. For example, the User Hive Profile Cleanup service needs the install driver/service privilege as it does this whenever it runs. For some reason, services sometimes double as drivers (usually/always in the Non-Plug and Play section). Really strange is that it pops up with v3.405 and not v3.150 unless there's some other thing causing this.
Mele20
August 8th, 2006, 02:48 AM
I guess it is a good thing I am still using 3.15 since I use User Hive Profile Cleanup and you saying that if I was using 3.405 that it would be reinstalling itself via Explorer everytime it runs and I would get a PG alert because of this?
controler
August 8th, 2006, 08:48 AM
I also use the hive cleanup along with shared toolkit which is off at the time.
PG logs a bunch of find.exe and cmd.exe on boot but doesn't alert on that stuff.
StriderSkorpion
August 8th, 2006, 08:20 PM
No, that's not what I mean. UHPC needs to have driver/service privileges by itself. It doesn't try to install through Explorer. It's just that it will complain if it doesn't have the driver/service installation privilege. At least, that's how it is for me since v3.15.
controler
August 13th, 2006, 05:58 PM
Brand new install on XP Home on a Dell of 3.410
Same results on the pictures. I did notice while updating Windows, there was a print spooler update. Should have tried it without and with that update to see a difference.
This clean install only has PG & BOClean on so far.
Those of you that have spoolsv.exe disabled don't count. The problem happens with that running.
controler