JPG

Saving a friends JPG file to desktop.

Then I open it and PG says file is trying to install a service or driver.

Will I get an answer to this one?

Con

 

After rebooting and clicking on the JPG, PG obly kicks up an alert on second opening of the JPG not the first.

The warning isn't the file itself but rather it says explorer.exe is trying to install a service or driver when opening the JPG. Properties of the file is set to use Microsoft picture and fax viewer just like my other JPG's

I don't understand why I only get the alert on the one JPG and not any others.

I could try renaming it and see what happens. I think I may have submitted it over on virustotal with nothing found.

 

After further investigation, I find only JPG's saved from the internet are giving warning, not ones saved from a scan or taken off a disk.

 

Even though PG is a good program I must give them a 2 out of 5 for support.

Why a 2? I think that is a good number since they know me and still do not respond.

Mr Controler means not too much in their minds.

I won't ask anymore questions.

<snip>

edited to remove off-topic remark - Detox

 

If anyone is using PG 3.405 could you please go to this site

http://www.kkln.com

download one of the pictures. They all seem to have the funny fram around them, then open it with Windows Picture and Fax viewer?
On my system opening it the first time doesn't set off PG but the second time does or after pic is open, just clicking the zoom button sets off PG. The alert is explorer.exe tried to install service/driver.

I have execution ticked and also all 4 global protection setting ticked.

I just tried the pic on front page and PG does nothing on that one. I have to click on the tab that reads On the Loon and pick either Nate or Melanie, right click and save as to desktop or my pictures.

Thank you

controler

 

Followed your instructions, with PG 3.405 and no reaction whatsoever.

 

Thanks

Did you select Melanie or Nate?

I can download any other pictures anywhere and open scanned JPG's and nothing happens. I just think it is very wierd is all.

controler

 

Well, on my first try I selected Melanie and Nate together, saving the picture to my desktop and opening it wouldn't trigger PG's reaction (same settings as yours).

But then you're right If I select Melanie or Nate on their own, as soon as I open them it triggers PG's alert about a driver installation from Explorer. Is it malware?

 

Whew now I know it is not my system but I still wonder why those two trigger PG.

Scans at VirusTotal show nothing and neither does DCS's JPG scanner.

This makes me wonder if PG is using some sort of tag on files, otherwise how would PG know the difference?
Still hoping more users try it also. I also wonder if SSM triggers on those two as well or it just a PG thing?


controler

 

Osaban

Are you using BoClean as well? PG and BoClean are the only two security apps I have on this system.

controler

 

No I'm not, why are you asking?

 

Just wondering if that had something to do with it.

 

I have 3.15 with the same settings. I just tried this with the Melanie pic and PG doesn't peep. I would think this is some bug in 3.4. I tried enough versions of 3.4 to know to stay well away from it until it more stable and finalized.

 

Mele

Did you try click on the JPG twice?

I still and repeat wonder how PG tags the files. How does it know one JPG from another?


controler

 

When you did your tests, did you actually allow for the driver/service installation? This may be silly, but can a rootkit be installed by simply opening a photo?

It's a pity that nobody else is trying with SSM.

 

I did not allow the install. I have not heard of a kit being installed via photo but I think it would be as possiable as the nasties using them before.
I even thought maybe size of photo was causing PG to alert but I tried adjusting the same photo size and it still alerts.

 

I've tried both photos and neither one popped up a warning from ProcessGuard (using v3.405). On default I have JPG associated to another program (XnView), but I used both Preview and Open With... to open it with Windows Picture and Fax Viewer. Explorer is only allowed to read protected processes and install global hooks and I have all protections enabled. On whether or not malware can be put into an image, yes it can. There's an older exploit for JPEG rendering in Windows where a maliciously crafted image could execute code after causing an overflow in the GDI function. Recently, AOL ART support has been patched due to a similar issue and earlier this year, so has the WMF renderer. WMF isn't a typical image format and program execution is part of the format's standards created by Microsoft, IIRC.

 

Strider

It is not a GDI exploit on this system. Fully patched XP Pro.

I must stress it doesn't always happen on first open. It happens on my system after first open and then clicking magnify every time. Sometimes it happens on first open.
I guess I will have to install PG on my laptop and try it there. There is no ryme or reason PG can alert on a couple JPGs and not others but then I can not get any responce from developers at all.

 

I just downloaded both pics again so I could make sure I doubleclicked, use zoom, etc. I don't get any peep out of PG 3.15. I doubleclicked, I zoomed, I doubleclicked again. I used right click and chose open in Windows Fax and Picture Viewer, chose "Preview". Nothing causes PG to alert. I have Explorer authorized to read, modify and install global hooks and nothing else.

 

Controller, I wasn't saying that it was. I was just answering Osaban's question about pictures being used as a vector of attack for malware. I had viewed them more than once as your posted intially stated and retried it just now also using zoom in and out still without any problems. I really don't know why it would cause you any problems, especially on a fully patched system.

 

No noise out of SSM

 

My system behaves exactly like controler's (same pics and same behaviour), it is a fully patched XP home and I agree at this stage only Diamonds might be able to shed some light on this question.

I've just tried the same experiment using IE instead of Opera (my default browser) and trying other websites as well, same results, for some reasons only those two pics (Melanie and Nate) seem to interact with PG.

 

I've just finished working on some of my photos (.JPGs) taken with a digital camera cropped, and resized with photoshop. When they are opened with Windows picture and fax viewer, it triggers the same PG alert. It doesn't happen with all of the photos in the folder but only to the ones that were resized. This seems consistent with Controlers results.

Mele20, maybe you are right it is some kind of bug of version 3.405

 

I don't see how it's a bug with ProcessGuard as I have the same version as you (v3.405) and a fully patched XP Home with none of those issues. I'm not sure why my system doesn't do this and both of your's does. I've used nLite and XPLite on my system, but I'm pretty sure I didn't modify anything relating graphics (except for removing AOL ART support). I've also done some tweaks on my system, such as disabling thumbnail caching (thumbs.db creation), but that's all I've "tweaked" in regards to images AFAIK.

 

Just installed my second LIC of PG on my laptop. XP home fully patched.

Same results.

Strider? are you clicking on the on the air tab, right clicking on Melanie's Pic and saveing as? to desktop?
Are you running BoClean? Not that it makes a difference but I could uninstall it and see what happens.

I would like to see many more users try this with the new version of PG.

controler