JPG

Discussion in 'ProcessGuard' started by controler, Jul 23, 2006.

Thread Status:
Not open for further replies.
  1. controler

    controler Guest

    Saving a friends JPG file to desktop.

    Then I open it and PG says file is trying to install a service or driver.

    Will I get an answer to this one?

    Con
     
  2. controler

    controler Guest

    After rebooting and clicking on the JPG, PG obly kicks up an alert on second opening of the JPG not the first.

    The warning isn't the file itself but rather it says explorer.exe is trying to install a service or driver when opening the JPG. Properties of the file is set to use Microsoft picture and fax viewer just like my other JPG's

    I don't understand why I only get the alert on the one JPG and not any others.

    I could try renaming it and see what happens. I think I may have submitted it over on virustotal with nothing found.
     
  3. controler

    controler Guest

    After further investigation, I find only JPG's saved from the internet are giving warning, not ones saved from a scan or taken off a disk.
     
  4. controler

    controler Guest

    Even though PG is a good program I must give them a 2 out of 5 for support.

    Why a 2? I think that is a good number since they know me and still do not respond.

    Mr Controler means not too much in their minds.

    I won't ask anymore questions.

    <snip>

    edited to remove off-topic remark - Detox
     
    Last edited by a moderator: Aug 1, 2006
  5. controler

    controler Guest

    If anyone is using PG 3.405 could you please go to this site

    http://www.kkln.com

    download one of the pictures. They all seem to have the funny fram around them, then open it with Windows Picture and Fax viewer?
    On my system opening it the first time doesn't set off PG but the second time does or after pic is open, just clicking the zoom button sets off PG. The alert is explorer.exe tried to install service/driver.

    I have execution ticked and also all 4 global protection setting ticked.

    I just tried the pic on front page and PG does nothing on that one. I have to click on the tab that reads On the Loon and pick either Nate or Melanie, right click and save as to desktop or my pictures.

    Thank you

    controler
     
  6. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,222
    Followed your instructions, with PG 3.405 and no reaction whatsoever.
     
  7. controler

    controler Guest

    Thanks

    Did you select Melanie or Nate?

    I can download any other pictures anywhere and open scanned JPG's and nothing happens. I just think it is very wierd is all.

    controler
     
  8. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,222
    Well, on my first try I selected Melanie and Nate together, saving the picture to my desktop and opening it wouldn't trigger PG's reaction (same settings as yours).

    But then you're right If I select Melanie or Nate on their own, as soon as I open them it triggers PG's alert about a driver installation from Explorer. Is it malware?
     
  9. controler

    controler Guest

    Whew now I know it is not my system but I still wonder why those two trigger PG.

    Scans at VirusTotal show nothing and neither does DCS's JPG scanner.

    This makes me wonder if PG is using some sort of tag on files, otherwise how would PG know the difference?
    Still hoping more users try it also. I also wonder if SSM triggers on those two as well or it just a PG thing?


    controler
     
  10. controler

    controler Guest

    Osaban

    Are you using BoClean as well? PG and BoClean are the only two security apps I have on this system.

    controler
     
  11. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,222
    No I'm not, why are you asking?
     
  12. controler

    controler Guest

    Just wondering if that had something to do with it.
     
  13. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    I have 3.15 with the same settings. I just tried this with the Melanie pic and PG doesn't peep. I would think this is some bug in 3.4. I tried enough versions of 3.4 to know to stay well away from it until it more stable and finalized.
     
  14. controler

    controler Guest

    Mele

    Did you try click on the JPG twice?

    I still and repeat wonder how PG tags the files. How does it know one JPG from another?


    controler
     
  15. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,222
    When you did your tests, did you actually allow for the driver/service installation? This may be silly, but can a rootkit be installed by simply opening a photo?

    It's a pity that nobody else is trying with SSM.
     
  16. controler

    controler Guest

    I did not allow the install. I have not heard of a kit being installed via photo but I think it would be as possiable as the nasties using them before.
    I even thought maybe size of photo was causing PG to alert but I tried adjusting the same photo size and it still alerts.
     
  17. StriderSkorpion

    StriderSkorpion Registered Member

    Joined:
    Feb 24, 2006
    Posts:
    54
    I've tried both photos and neither one popped up a warning from ProcessGuard (using v3.405). On default I have JPG associated to another program (XnView), but I used both Preview and Open With... to open it with Windows Picture and Fax Viewer. Explorer is only allowed to read protected processes and install global hooks and I have all protections enabled. On whether or not malware can be put into an image, yes it can. There's an older exploit for JPEG rendering in Windows where a maliciously crafted image could execute code after causing an overflow in the GDI function. Recently, AOL ART support has been patched due to a similar issue and earlier this year, so has the WMF renderer. WMF isn't a typical image format and program execution is part of the format's standards created by Microsoft, IIRC.
     
  18. controler

    controler Guest

    Strider

    It is not a GDI exploit on this system. Fully patched XP Pro.

    I must stress it doesn't always happen on first open. It happens on my system after first open and then clicking magnify every time. Sometimes it happens on first open.
    I guess I will have to install PG on my laptop and try it there. There is no ryme or reason PG can alert on a couple JPGs and not others but then I can not get any responce from developers at all.
     
  19. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    I just downloaded both pics again so I could make sure I doubleclicked, use zoom, etc. I don't get any peep out of PG 3.15. I doubleclicked, I zoomed, I doubleclicked again. I used right click and chose open in Windows Fax and Picture Viewer, chose "Preview". Nothing causes PG to alert. I have Explorer authorized to read, modify and install global hooks and nothing else.
     
  20. StriderSkorpion

    StriderSkorpion Registered Member

    Joined:
    Feb 24, 2006
    Posts:
    54
    Controller, I wasn't saying that it was. I was just answering Osaban's question about pictures being used as a vector of attack for malware. I had viewed them more than once as your posted intially stated and retried it just now also using zoom in and out still without any problems. I really don't know why it would cause you any problems, especially on a fully patched system.
     
  21. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    No noise out of SSM
     
  22. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,222
    My system behaves exactly like controler's (same pics and same behaviour), it is a fully patched XP home and I agree at this stage only Diamonds might be able to shed some light on this question.

    I've just tried the same experiment using IE instead of Opera (my default browser) and trying other websites as well, same results, for some reasons only those two pics (Melanie and Nate) seem to interact with PG.
     
    Last edited: Aug 5, 2006
  23. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,222
    I've just finished working on some of my photos (.JPGs) taken with a digital camera cropped, and resized with photoshop. When they are opened with Windows picture and fax viewer, it triggers the same PG alert. It doesn't happen with all of the photos in the folder but only to the ones that were resized. This seems consistent with Controlers results.

    Mele20, maybe you are right it is some kind of bug of version 3.405
     
  24. StriderSkorpion

    StriderSkorpion Registered Member

    Joined:
    Feb 24, 2006
    Posts:
    54
    I don't see how it's a bug with ProcessGuard as I have the same version as you (v3.405) and a fully patched XP Home with none of those issues. I'm not sure why my system doesn't do this and both of your's does. I've used nLite and XPLite on my system, but I'm pretty sure I didn't modify anything relating graphics (except for removing AOL ART support). I've also done some tweaks on my system, such as disabling thumbnail caching (thumbs.db creation), but that's all I've "tweaked" in regards to images AFAIK.
     
  25. controler

    controler Guest

    Just installed my second LIC of PG on my laptop. XP home fully patched.

    Same results.

    Strider? are you clicking on the on the air tab, right clicking on Melanie's Pic and saveing as? to desktop?
    Are you running BoClean? Not that it makes a difference but I could uninstall it and see what happens.

    I would like to see many more users try this with the new version of PG.

    controler
     
Thread Status:
Not open for further replies.