I’m giving Avast a try, to see if I can recommend it to my friends.
Yes, since this is a very common file type, I think that the JP* extension should be added to the default extensions that are scanned.
And since I suppose the heuristic needed to find the potential JPG exploit only has to scan the header (not JPG-size dependent), it is low overhead and should be considered for enabling by default.
OK for the on-the-fly scanner, I have already seen these two options.
For the on-the-fly scanner (Standard Shield), what strategies are used when set to high?
I suppose it scans only the files that have a known way to transport malicious code?
i.e. read: all files = all files that are scannable (since scanning an unknown file type is nonsense)
–
This is only because I would like to tell them “just install Avast and use the default settings, everything is OK by default”.
–
Otherwise, what would be cool is to have an .ini or .xml that the Avast installer would take its settings from, so one could distribute/give an “install & forget” antivirus to uneducated friends (from an IT point of view).
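A header-only check of the kind suggested in the post above, as an added example that is not part of the original thread and not Avast's detection logic. It identifies a JPEG by its leading bytes rather than its extension and walks only the segment headers up to the start of the image data, flagging a length field below 2, which the format does not allow. The sample byte strings are constructed.

```python
import struct

# Markers with no length field: TEM, RST0-RST7, SOI, EOI
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))
SOS = 0xDA  # start of scan: compressed image data follows

def is_jpeg(data: bytes) -> bool:
    """Decide by content (SOI marker plus next marker prefix), not by file name."""
    return data[:3] == b"\xff\xd8\xff"

def check_jpeg_headers(data: bytes) -> list:
    """Walk segment headers only; return a list of structural findings."""
    findings = []
    if not is_jpeg(data):
        return findings
    pos = 2  # skip SOI
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            findings.append(f"offset {pos}: expected marker, found 0x{data[pos]:02x}")
            break
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte before a marker
            pos += 1
            continue
        if marker in STANDALONE:
            if marker == 0xD9:        # EOI: end of image
                break
            pos += 2
            continue
        if pos + 4 > len(data):
            findings.append(f"offset {pos}: truncated segment header")
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2:                # length counts its own two bytes
            findings.append(f"offset {pos}: marker 0xff{marker:02x} has invalid length {length}")
            break
        if pos + 2 + length > len(data):
            findings.append(f"offset {pos}: segment runs past end of file")
            break
        if marker == SOS:             # stop before the size-dependent part
            break
        pos += 2 + length
    return findings

# Constructed samples: a minimal well-formed header chain and a malformed one.
APP0 = b"\xff\xe0\x00\x10" + b"JFIF\x00" + bytes(9)
GOOD = b"\xff\xd8" + APP0 + b"\xff\xfe\x00\x06test" + b"\xff\xda\x00\x02" + b"\xff\xd9"
BAD = b"\xff\xd8" + APP0 + b"\xff\xfe\x00\x00" + b"A" * 8 + b"\xff\xd9"
```

Because the walk stops at the start-of-scan marker, the work depends on the number of header segments rather than on the size of the image data.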
The standard scan of the ‘if you select scan files of a selected type only’ option is generally for those files with a known potential. Avast is able to detect the current JPG exploit.
The all files, I too would assume would be known file types; however, I’m not sure how supposed unknown types are dealt with (perhaps a simple text scan?). If the file is an unknown type, then there would have to be more than one file downloaded in order for that unknown file type to be executed (an executable file to run the unknown file type, as Windows couldn’t run it).
At file open, doesn’t scan JPGs until JPG/JP* is added to the “open/read” extension list, WHATEVER the level of security.
JPGs are only scanned at CREATION with a high level of security (for the Standard Shield).
So, if JPG/JP* is not added manually for “open/read”, Avast will never scan it on-the-fly (only at creation).
I am performing a personal review of multiple anti-virus products to know what to recommend, so I have a very tiny set of malicious files, and for example I simply tested Avast against the FotoZ proof of concept.
Since this could be very easily corrected by a definition update (just add JP* to the default extension set), I permit myself to hammer on the forum.
Especially on the fact that JPGs are never scanned on-the-fly for “open/read”, whatever the security level, until JPG/JP* is added manually. Note that on this one I focused on the Standard Shield for files on physical drives; I haven’t tested Avast’s strategies concerning email/web…
To be sure that the “scanned-files cache” (which holds the list of the last scanned files to eliminate unneeded scans) doesn’t distort the methodology, I have stopped/restarted the Standard Shield and everything multiple times to be sure that this cache is flushed.
I don’t know if this post will be helpful, as it concerns archive files more than JPG.
Anyway, the user must take into consideration that the Home version on-access scanning allows only binaries (text scanning) for archive (maybe for jpg too). In the Professional version, archive on-access scanning is really on-the-fly.