Blocked internet jpg files

Discussion in 'ESET Smart Security' started by xxJackxx, Mar 18, 2012.

Thread Status:
Not open for further replies.
  1. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,047
    Location:
    USA
    I have noticed that when I browse a site, we'll use Bing for an example, that when doing an image search sometimes a .jpg file is blocked. Is this because ESS thinks there is an issue with that actual .jpg file, or because the domain it is coming from is blacklisted for some other malicious files?
     
  2. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    I suspect that Bing thumbnails actually originate from Bing servers. I just did an image search to test and indeed they do. So I don't think it's a domain blacklist issue unless Bing image hosting servers got on the list.

    Actually I'm assuming you were even talking about the thumbnails in the first place? =P
     
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Please post here a screen shot of the alert you're getting.
     
  4. xxJackxx

    xxJackxx Registered Member

    This is from the Bing homepage today (3-18-2012). I clicked on the first hotspot.

    The red arrow points to where the missing thumbnail would have loaded.
     

    Attached Files:

    • Bing.jpg (193.8 KB)
    • ESS.jpg (27 KB)
  5. Marcos

    Marcos Eset Staff Account

    It's beinsure.co.cc that is blocked.
     
  6. xxJackxx

    xxJackxx Registered Member

    So to clarify you are saying that the entire domain is blocked, and not specifically that .jpg file, correct?
     
  7. funkydude

    funkydude Registered Member

    But the thumbnail originates from ts3.mm.bing.net as can be seen in the screenshot. Seems like NOD32 is scanning the entire URL instead of just the originating domain, somewhat flawed?
     
  8. Marcos

    Marcos Eset Staff Account

    Right, the whole domain is blocked.
     
  9. Marcos

    Marcos Eset Staff Account

    Quite the contrary. Not scanning the whole domain would pose a security risk and might lead to computer infection in case there's a new unrecognized threat at the malicious url that is blocked.
     
  10. funkydude

    funkydude Registered Member

    From what, a thumbnail? As far as I'm aware there is no threat unless the image is clicked on, at which point you'd be forwarded to the site, at which point NOD32 can prevent the site from loading anyway.
     
  11. Marcos

    Marcos Eset Staff Account

    No, links are scanned the same way regardless if they point to an image, website, executable, etc. (in the end, it's not possible to figure this out until the target file is downloaded). If there's a blocked url within another url, the whole url will be blocked. If you want to access that site anyways, you can add beinsure.co.cc to the list of addresses excluded from content filtering (not sure if there's no malicious file hosted on the domain though).
     
  12. funkydude

    funkydude Registered Member

    If I understand you correctly you're saying this feature is in place in the case that a "good" domain forwards to a malicious link. But when this happens a second request needs to be made to the malicious domain anyway to download the file, at which point NOD32 can block that second request. Am I wrong?

    I *think* the real reason for this feature is to protect against malicious files through a proxy site? But Bing images isn't a proxy and as such should be added to a whitelist. I've encountered similar issues with other services such as Norton Safe Web, and the solution is always to add the originating domain (that isn't a proxy) to a whitelist.
     
  13. xxJackxx

    xxJackxx Registered Member

    From my understanding and if I am explaining it correctly, these thumbnails are kind of like an iFrame. The page is hosted by Bing but the contents of the thumbnail boxes come from the sites they are hosted on. If one of those sites has any malicious files, the entire domain is blocked by ESS, therefore it cannot be contacted to link to the graphic. I don't believe Bing is being blocked in any way, it is the 3rd party site, which causes the graphic to not show. Hopefully that is somewhat correct and I am not just adding to the confusion. :D
     
  14. funkydude

    funkydude Registered Member

    I just double-checked, all thumbnails are hosted by Bing, they are simply named after their location which gives the illusion that it is originating from a different site.

    bing.png
     
  15. xxJackxx

    xxJackxx Registered Member

    I would have been tempted to disagree but I did a test. I opened up a virtual machine with no AV installed and went to yesterday's Bing page. All thumbnails showing. I edited the HOSTS file and blocked beinsure.co.cc and tested again (I flushed the DNS cache to make sure). The thumbnail still shows, but clicking on it brings up a "page not found" so it looks like you are right. :ouch:
     
  16. funkydude

    funkydude Registered Member

    Well at least you confirmed it. :) It's up to ESET to add ts1-4.mm.bing.net to the whitelist. Though I still think it's silly not to restrict the check to the originating domain on the off chance that someone will use a proxy that displays the domain name in the address field (usually obfuscated).
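
The three filtering policies argued over in this thread, side by side, as an added example that is not part of any post and is not ESET's code: whole-URL matching (as Marcos describes), host-only matching (what the HOSTS-file test in post 15 amounts to), and whole-URL matching with an allowlist for the Bing thumbnail hosts. The sample URLs, their paths and query parameters, and `proxy.example` are constructed for illustration.

```python
from urllib.parse import urlsplit, unquote

BLOCKED_DOMAINS = {"beinsure.co.cc"}  # the domain named in the thread
# ts1-4.mm.bing.net, the hosts the last post asks to have allowlisted
TRUSTED_HOSTS = {f"ts{i}.mm.bing.net" for i in range(1, 5)}

def host_of(url):
    return (urlsplit(url).hostname or "").lower()

def domain_blocked(host):
    """True if host is a blocked domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)

def whole_url_policy(url):
    """Block if a blocked domain appears anywhere in the decoded URL."""
    text = unquote(url).lower()
    return any(d in text for d in BLOCKED_DOMAINS)

def host_only_policy(url):
    """Block only when the request is actually sent to a blocked domain."""
    return domain_blocked(host_of(url))

def allowlist_policy(url):
    """Whole-URL matching, but trusted hosts are judged by host alone."""
    if host_of(url) in TRUSTED_HOSTS:
        return host_only_policy(url)
    return whole_url_policy(url)

# Constructed sample requests (not captured traffic).
SAMPLES = {
    # thumbnail served by Bing, with the source site named in the query string
    "thumbnail": "http://ts3.mm.bing.net/images/thumbnail.aspx"
                 "?q=1&url=http%3a%2f%2fbeinsure.co.cc%2fpic.jpg",
    # the request made after clicking the thumbnail
    "click_through": "http://beinsure.co.cc/pic.jpg",
    # a hypothetical proxy fetching the blocked site on the user's behalf
    "proxy": "http://proxy.example/fetch?u=http%3A%2F%2Fbeinsure.co.cc%2Fpic.jpg",
}

def verdicts():
    """Map sample name -> (whole_url, host_only, allowlist) block decisions."""
    policies = (whole_url_policy, host_only_policy, allowlist_policy)
    return {n: tuple(p(u) for p in policies) for n, u in SAMPLES.items()}

if __name__ == "__main__":
    for name, (whole, host, allow) in verdicts().items():
        print(f"{name:14} whole={whole} host={host} allowlist={allow}")
```

Only the allowlist policy both loads the Bing-hosted thumbnail and still blocks the proxied fetch; host-only matching lets the proxied request through.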
     