Blocked internet jpg files

[xxJackxx]

I have noticed that when I browse a site, we'll use Bing for an example, that when doing an image search sometimes a .jpg file is blocked. Is this because ESS thinks there is an issue with that actual ,jpg file, or because the domain it is coming from is blacklisted for some other malicious files?

[funkydude]

I suspect that Bing thumbnails actually originate from Bing servers. I just did an image search to test and indeed they do. So I don't think it's a domain blacklist issue unless Bing image hosting servers got on the list.

Actually I'm assuming you were even talking about the thumbnails in the first place? =P

[Marcos]

Please post here a screen shot of the alert you're getting.

[xxJackxx]

This is from the Bing homepage today (3-18-2012). I clicked on the first hotspot.

The red arrow points to where the missing thumbnail would have loaded.

[Marcos]

It's beinsure.co.cc that is blocked.

[xxJackxx]

Quote:

Originally Posted by Marcos

It's beinsure.co.cc that is blocked.

So to clarify you are saying that the entire domain is blocked, and not specifically that ,jpg file, correct?

[funkydude]

Quote:

Originally Posted by Marcos

It's beinsure.co.cc that is blocked.

But the thumbnail originates from ts3.mm.bing.net as can be seen in the screenshot. Seems like NOD32 is scanning the entire URL instead of just the originating domain, somewhat flawed?

[Marcos]

Quote:

Originally Posted by xxJackxx

So to clarify you are saying that the entire domain is blocked, and not specifically that ,jpg file, correct?

Right, the whole domain is blocked.

[Marcos]

Quote:

Originally Posted by funkydude

Seems like NOD32 is scanning the entire URL instead of just the originating domain, somewhat flawed?

Quite the contrary. Not scanning the whole domain would pose a security risk and might lead to computer infection in case there's a new unrecognized threat at the malicious url that is blocked.

[funkydude]

Quote:

Originally Posted by Marcos

Quite the contrary. Not scanning the whole domain would pose a security risk and might lead to computer infection in case there's a new unrecognized threat at the malicious url that is blocked.

From what, a thumbnail? As far as I'm aware there is no threat unless the image is clicked on, at which point you'd be forwarded to the site, at which point NOD32 can prevent the site from loading anyway.

[Marcos]

Quote:

Originally Posted by funkydude

From what, a thumbnail? As far as I'm aware there is no threat unless the image is clicked on, at which point you'd be forwarded to the site, at which point NOD32 can prevent the site from loading anyway.

No, links are scanned the same way regardless if they point to an image, website, executable, etc. (in the end, it's not possible to figure this out until the target file is downloaded). If there's a blocked url within another url, the whole url will be blocked. If you want to access that site anyways, you can add beinsure.co.cc to the list of addresses excluded from content filtering (not sure if there's no malicious file hosted on the domain though).

[funkydude]

Quote:

Originally Posted by Marcos

No, links are scanned the same way regardless if they point to an image, website, executable, etc. (in the end, it's not possible to figure this out until the target file is downloaded). If there's a blocked url within another url, the whole url will be blocked. If you want to access that site anyways, you can add beinsure.co.cc to the list of addresses excluded from content filtering (not sure if there's no malicious file hosted on the domain though).

If I understand you correctly you're saying this feature is in place in the case that a "good" domain forwards to a malicious link. But when this happens a second request needs to be made to the malicious domain anyway to download the file, at which point NOD32 can block that second request. Am I wrong?

I *think* the real reason for this feature is to protect against malicious files through a proxy site? But Bing images isn't a proxy and as so should be added to a whitelist. I've encountered similar issues with other services such as Norton safe web, and the solution is always to add the originating domain (that isn't a proxy) to a whitelist.

[xxJackxx]

From my understanding and if I am explaining it correctly, these thumbnails are kind of like an iFrame. The page is hosted by Bing but the contents of the thumbnail boxes come from the sites they are hosted on. If one of those sites has any malicious files, the entire domain is blocked by ESS, therefore it cannot be contacted to link to the graphic. I don't believe Bing is being blocked in any way, it is the 3rd party site, which causes the graphic to not show. Hopefully that is somewhat correct and I am not just adding to the confusion.

[funkydude]

Quote:

Originally Posted by xxJackxx

The page is hosted by Bing but the contents of the thumbnail boxes come from the sites they are hosted on.

I just double-checked, all thumbnails are hosted by Bing, they are simply named after their location which gives the illusion that it is originating from a different site.

[xxJackxx]

Quote:

Originally Posted by funkydude

I just double-checked, all thumbnails are hosted by Bing, they are simply named after their location which gives the illusion that it is originating from a different site.

I would have been tempted to disagree but I did a test. I opened up a virtual machine with no AV installed and went to yesterday's Bing page. All thumbnails showing. I edited the HOSTS file and blocked beinsure.co.cc and tested again (I flushed the DNS cache to make sure). The thumbnail still shows, but clicking on it brings up a "page not found" so it looks like you are right.

[funkydude]

Well at least you confirmed it. It's up to ESET to add ts1-4.mm.bing.net to the whitelist. Though I still think it's silly not to restrict the check to the originating domain on the off chance that someone will use a proxy that displays the domain name in the address field (usually obfuscated).