jimmyjames

scan jpg's, pdf's, etc... or not?

Hi,

I have a lot of jpg's and am wondering if it's safe to make an exclusion not to scan them?
What things do the experts here exclude from scanning, if any?

Is it possible in Emsisoft to exclude entire folders (such as Photos) which could be just scanned once then not scanned again?
Or for example I have a folder full of WordPress apps etc. which are zip folders - no need to scan those every time... as they are many and must take a long time to scan...
Thanks.

p.s. If there is a page about this somewhere and you know of it feel free to link to it, assuming that's not against TOS.


The disadvantage of excluding some file types from scans is that the file types set on your files might not actually accurately describe what's in the file.

Also, you might presume that - say - a JPG could never be malicious. But that's not the case. If for example there's a vulnerability in one of the programs you use to display or manipulate JPGs, it might be possible (as Microsoft would describe it in one of their security updates) for a "specially crafted" JPG to take advantage of the error in the viewing/manipulating program and cause an unexpected or malicious side-effect. In the last year or so, fonts, PDF files and 'media files' have all had that problem.

You might find it sensible to do regular/frequent scans with faster options, excluding some file types, but also every so often do a more thorough scan that looks at every file.


I have a lot of jpg's and am wondering if it's safe to make an exclusion not to scan them?

What things do the experts here exclude from scanning, if any?

That's a difficult one, as security vulnerabilities that allow malicious code in images have happened in the past. I don't recall them being extremely common though, so it might be safe to do it.

Is it possible in Emsisoft to exclude entire folders (such as Photos) which could be just scanned once then not scanned again?

Or for example I have a folder full of WordPress apps etc. which are zip folders - no need to scan those every time... as they are many and must take a long time to scan...

Yes, here's a screenshot with an example that shows exclusions of folders and all files in them from both scanning and monitoring:

EAM_v12_Exclusions_Example.png

The asterisk (*) you see in the example is only necessary when excluding things from the real-time protection, so if you just wanted to exclude a folder from scanning then it would look like this:

C:\Users\<username>\Pictures\

The Add folder button will be enough to get you the folder exclusion you are looking for without needing to worry about editing anything by hand, but if you do want to get a bit more advanced then you can edit the exclusion (just click on an exclusion in the list to edit it) after adding it to add something like *.jpg to make sure that only JPG images are excluded, to minimize the security risk. You could even add more exclusions for the folder, and edit them to add extensions for other common picture formats, like the following:

C:\Users\<username>\Pictures\*.jpg
C:\Users\<username>\Pictures\*.png
C:\Users\<username>\Pictures\*.bmp
C:\Users\<username>\Pictures\*.gif

That way, if somehow a malicious executable ends up in that folder, it won't be excluded from scanning along with the pictures. ;)

"...researchers have discovered that the ongoing spam campaign is also using boobytrapped .JPG image files in order to download and infect users with the Locky Ransomware via Facebook, LinkedIn, and other social networking platforms..."

http://thehackernews.com/2016/11/facebook-locky-ransomware.html

Likely EMIS's excellent Behavior Blocker would catch such when it activated to do its dirty work, but shows the wisdom in scanning pics of all formats, particularly if any came from a source other than your camera.

The current episode is likely just the beginning of exploitation of this new attack vector.

NB: Gratifying to see that Mr. Wilkinson is a fellow gamer, assuming screen shot is from his PC :-)

HAWKI,

Citizen of Republic of Gamers


The current episode is likely just the beginning of exploitation of this new attack vector.

The idea of exploiting pictures and other media files to infect computers and other devices has been around for a while (examples include this cute little vulnerability report and poem written about 14 years ago), although I guarantee you that we haven't seen the last of such security issues. Stagefright 2.0 is a great example of how such issues are still cropping up, and still being exploited.

NB: Gratifying to see that Mr. Wilkinson is a fellow gamer, assuming screen shot is from his PC :-)

Yes, the screenshot was from my PC. ;)

On 12/8/2016 at 7:22 AM, GT500 said:

That's a difficult one, as security vulnerabilities that allow malicious code in images have happened in the past. I don't recall them being extremely common though, so it might be safe to do it.

Yes, here's a screenshot with an example that shows exclusions of folders and all files in them from both scanning and monitoring:

EAM_v12_Exclusions_Example.png

The asterisk (*) you see in the example is only necessary when excluding things from the real-time protection, so if you just wanted to exclude a folder from scanning then it would look like this:

C:\Users\<username>\Pictures\

The Add folder button will be enough to get you the folder exclusion you are looking for without needing to worry about editing anything by hand, but if you do want to get a bit more advanced then you can edit the exclusion (just click on an exclusion in the list to edit it) after adding it to add something like *.jpg to make sure that only JPG images are excluded, to minimize the security risk. You could even add more exclusions for the folder, and edit them to add extensions for other common picture formats, like the following:

C:\Users\<username>\Pictures\*.jpg
C:\Users\<username>\Pictures\*.png
C:\Users\<username>\Pictures\*.bmp
C:\Users\<username>\Pictures\*.gif

That way, if somehow a malicious executable ends up in that folder, it won't be excluded from scanning along with the pictures. ;)

So I assume what you have done is add each of the programs you have already scanned to the exclusion list?
With jpg's as an example wouldn't it be possible to exclude all already-scanned photos?
If not, perhaps I would add all jpg's to a "NEW" folder then, once scanned, move them to the regular excluded folder?

Just trying to figure out the best way(s) to reduce scanning time and power, without sacrificing safety. ;-D

So do I understand correctly that by adding an asterisk like *.jpg there will never be any real time scanning of jpgs when I download them? Given that a post above says jpgs can be malicious, is it wise to remove them from real time protection? I'm just learning about this so I am asking this because I really do not know the answer, not to be snarky. ;-D

 

On 08/12/2016 at 1:22 PM, GT500 said:

The asterisk (*) you see in the example is only necessary when excluding things from the real-time protection, so if you just wanted to exclude a folder from scanning then it would look like this:

C:\Users\<username>\Pictures\

So, what does the asterisk present in entries in the first list do?

Is there any way of distinguishing between 'all the files in a folder' and 'everything in the folder and its sub-folders'? 

On 12/11/2016 at 7:22 PM, jimmyjames said:

So I assume what you have done is add each of the programs you have already scanned to the exclusion list?

I added programs I believe I can trust to the exclusions. I don't expect malicious files to ever be in the excluded folders, so I don't mind EAM completely ignoring them.

On 12/11/2016 at 7:22 PM, jimmyjames said:

With jpg's as an example wouldn't it be possible to exclude all already-scanned photos?

Only if you modified the names, or (as you suggest) move them to a new folder to separate them from files that have not been scanned.

On 12/11/2016 at 7:22 PM, jimmyjames said:

So do I understand correctly that by adding an asterisk like *.jpg there will never be any real time scanning of jpgs when I download them?

If *.jpg is all you add as your exclusions, then yes you are correct. If you add a path to a folder before the *.jpg (something like C:\example\folder\*.jpg for instance) then it will only exclude the files in that folder.

On 12/11/2016 at 7:22 PM, jimmyjames said:

Given that a post above says jpgs can be malicious, is it wise to remove them from real time protection?

It depends on where the pictures come from. If you save pictures from the Internet, then I would say it isn't safe to exclude them from real-time protection. If you only save pictures from your camera, then you should be OK.

On 12/12/2016 at 3:04 AM, JeremyNicoll said:

So, what does the asterisk present in entries in the first list do?

More than likely nothing, but if the exclusions in both lists are exactly the same then it makes the "a2whitelist.ini" file smaller. You see, if I add just folder exclusions to the first list (Exclude from scanning), and then add the exclusions with the second list (Exclude from monitoring) as folder exclusions with an asterisk to ensure no hooks are opened to processes running out of those folders, then EIS will create two entries for every folder since the path entered isn't exactly the same (the asterisk changes the path). If the paths are exactly the same in both lists (including the asterisk), then EIS uses the same entry for both lists in the "a2whitelist.ini" file, and just alters one of the parameters for the entry to define that it is used for both types of exclusions.

I actually abused this to automatically populate the top list after adding all of the exclusions to the bottom list. After adding the exclusions to one list, I exported them, edited the parameters with Notepad++ to tell EAM that each entry applied to both types of exclusion, and then I imported the edited "a2whitelist.ini" file to overwrite my exclusions and it populated the second list automatically so that I didn't have to manually add my exclusions to it. And this is the actual reason why both lists have the asterisk at the end of all of the paths in my screenshot, even though the top list shouldn't need it. ;)

Obviously it is possible for us to change the format we save exclusions in at any time, so that little trick may not always work.

On 12/12/2016 at 3:04 AM, JeremyNicoll said:

Is there any way of distinguishing between 'all the files in a folder' and 'everything in the folder and its sub-folders'?

To my knowledge, there is currently no way to do so.
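
Added example (not part of any post in this thread, and not Emsisoft code): the thread notes that a file's extension may not describe its content and suggests extension-scoped exclusions such as `Pictures\*.jpg`. This sketch audits a folder before such an exclusion is added, flagging files whose leading bytes do not match their extension. The signature table, function names and sample files are this example's own and are constructed.

```python
import tempfile
from pathlib import Path

# Leading "magic" bytes for the picture formats named in the thread.
SIGNATURES = {
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".gif": [b"GIF87a", b"GIF89a"],
    ".bmp": [b"BM"],
}

def content_matches_extension(path: Path) -> bool:
    """True only if the file starts with a signature valid for its extension."""
    sigs = SIGNATURES.get(path.suffix.lower())
    if sigs is None:
        return False  # extension has no entry in the table above
    with path.open("rb") as fh:
        head = fh.read(16)
    return any(head.startswith(s) for s in sigs)

def audit_folder(folder: Path, excluded_exts=(".jpg", ".png", ".bmp", ".gif")):
    """Return names of files an extension exclusion would skip but whose
    content does not look like that format (e.g. an executable renamed .jpg)."""
    suspects = []
    for path in sorted(folder.rglob("*")):
        if path.is_file() and path.suffix.lower() in excluded_exts:
            if not content_matches_extension(path):
                suspects.append(path.name)
    return suspects

def demo():
    """Build a constructed sample folder and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "holiday.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 32)
        (root / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
        (root / "invoice.jpg").write_bytes(b"MZ\x90\x00" + b"\x00" * 32)  # PE header
        (root / "empty.gif").write_bytes(b"")  # zero-length file
        (root / "setup.exe").write_bytes(b"MZ\x90\x00")  # not covered by exclusion
        return audit_folder(root)

if __name__ == "__main__":
    print(demo())
```

A matching signature only shows that the extension is honest about the format; it says nothing about whether a well-formed picture has been crafted to exploit a viewer, which is why the posts above still recommend an occasional full scan.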
