I was just trying Avast on-demand against malware links to see if high heuristics sensitivity makes a difference in detection. I noticed that it didn’t detect malware with a .jpg.exe extension even with the most thorough settings. Is there a reason there is no detection rule for double extensions?
Well, not all files that might have a double extension are necessarily bad (suspicious, yes), so you can’t put a general rule in place that would take action on a double extension. The same as there isn’t a general rule for some packers that are commonly used to pack malware, though there are ways to have some packers considered suspect by increasing the heuristic sensitivity.
Avast wouldn’t necessarily be looking at a double extension but at the last one, in this case .exe, so it should have at the very least scanned it. Was it scanned?
If it was scanned and nothing found then the sample should be sent to avast for analysis.
Yes, but I think files with double extensions are far less common than suspicious packers and with double file extensions it’s easier to whitelist good ones like .tar.gz. Plus, if double extensions would only be detected with heuristics to high then I don’t see a problem.
Yes, I used context-menu scan with highest settings + heuristics to high + PUP detection.
I already submitted it to virus lab via Avast GUI
Double extensions are used in all the fake UPS / FedEx / DHL mail; the attachment is usually a zip file that contains a doc.exe.
the .exe is usually hiding behind a long doc______________________________________________.exe
I thought the email shield was set by default to at least warn about a long string of blank spaces, for exactly that reason.
It is and the on demand scanner is going to catch anything when it’s executed.
@ BoerenkoolMetWorstE
You’re missing my point: essentially it doesn’t matter if a file has 1 or 101 extensions, only that avast scans it and detects it if it is malware, and in this case it is a missed sample.
So rather than make a rule that you then have to make exceptions for (e.g. the legitimate use of multiple extensions), this just makes the UI a mess, as there would have to be a means of entering exclusions for that rule.
We don’t know what the underlying processes are in the avast on-demand scan or file system shield scan on the heuristic/behavioural/emulation checks. I don’t know if the file system shield would have fared any better in the emulation scan, but these aren’t the sort of test you want to run on a live system.
It may well have resulted in the autosandbox being suggested. But that sort of thing would have to be done in a virtual environment with a full image backup in place, just in case.
I’m not in favour of blocking just because it is a multiple extension.
Hi BoerenkoolMetWorstEnJus,
(Written in Dutch, the author’s own translation follows:) There is a simple answer to this, but the whole issue is a bit more complicated.
There are double extensions that are not malicious per se; for instance various system DLL files that are MS files and perfectly OK, which complicates this issue a bit further. So when in doubt, google the file extension(s) and establish what you are left with. A nice general, somewhat older but still valid discussion on this subject I have found here, and I will present the link:
http://www.misec.net/forum/board/FAQ/1139255660 (author = siliconman01)
Another particular scan situation is with *.doc or *.bat scanning.
A further interesting read could be: http://www.cknow.com/cms/vtutor/file-extensions.html link author = daBoss
polonus
Hi, thanks for the replies and interesting links. I agree that detection of this isn’t something for the average user, but it could be disabled by default. I think Avira has an option for double extensions but I’m not sure about others. I do know that some others have it incorporated in the heuristics engine, so if a file has double extensions the calculated heuristics/danger score of the file will be higher and therefore the file will be flagged sooner than others.
The (.) can also be used to represent spaces in file names. To prevent most occurrences of this, I would recommend the ‘double extension’ scanning to only alert when it is with a valid extension, e.g. sometext.txt.exe and not Awesome.Image.jpg.
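The thread sketches what a sane double-extension heuristic would have to do: look at the last extension (the one Windows actually executes), treat an earlier document or image extension as a decoy, notice the long run of spaces or underscores used to push the real extension out of view, and whitelist genuine stacked extensions such as .tar.gz without flagging names like Awesome.Image.jpg. The following is an added example written for this page, not Avast’s or any other vendor’s detection logic; the extension lists, the padding threshold of 8 characters and the sample file names are constructed assumptions.

```python
"""Heuristic double-extension check for attachment names.

Constructed example for this thread, not any vendor's rule set. A name is
flagged when its final extension is one Windows will execute on double-click
AND either an earlier, padding-stripped part is a document/image extension
(the decoy) or a long run of spaces/underscores hides the final extension.
Legitimate stacked extensions are whitelisted explicitly.
"""
import re
from dataclasses import dataclass, field

# Extensions Windows executes on double-click (assumed list, not exhaustive).
# .dll is deliberately absent: system DLLs such as Microsoft.VisualBasic.dll
# carry dotted names but are not launched by opening them.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "vbe",
                   "js", "jse", "wsf", "wsh", "hta", "msi", "cpl", "ps1"}

# Extensions an attacker wants the victim to believe the file has.
DECOY_EXTS = {"jpg", "jpeg", "png", "gif", "bmp", "pdf", "doc", "docx",
              "xls", "xlsx", "ppt", "pptx", "txt", "rtf", "htm", "html", "zip"}

# (second-to-last, last) pairs that are legitimate stacked extensions.
# The .tar.* pairs never reach the executable check; the .js pairs do.
BENIGN_STACKS = {("tar", "gz"), ("tar", "bz2"), ("tar", "xz"), ("tar", "zst"),
                 ("min", "js"), ("user", "js"), ("test", "js")}

# Trailing spaces/underscores/dashes inside a part are padding.
PADDING_RE = re.compile(r"[\s_\-]+$")
MIN_SUSPICIOUS_PADDING = 8   # assumed threshold


@dataclass
class Verdict:
    suspicious: bool
    reasons: list = field(default_factory=list)


def split_parts(name: str):
    """Split 'invoice.pdf    .exe' on dots, strip padding from every part,
    and report the longest padding run seen (here 4)."""
    parts, max_pad = [], 0
    for raw in name.split("."):
        stripped = PADDING_RE.sub("", raw)
        max_pad = max(max_pad, len(raw) - len(stripped))
        parts.append(stripped.lower())
    return parts, max_pad


def check_name(name: str) -> Verdict:
    parts, max_pad = split_parts(name)
    if len(parts) < 2:
        return Verdict(False, ["no extension"])
    last = parts[-1]
    # Only the final extension decides what the OS does with the file.
    if last not in EXECUTABLE_EXTS:
        return Verdict(False, [f".{last} is not executable"])
    if len(parts) >= 3 and (parts[-2], last) in BENIGN_STACKS:
        return Verdict(False, [f".{parts[-2]}.{last} is a known benign stack"])

    reasons = []
    decoys = [p for p in parts[:-1] if p in DECOY_EXTS]
    if decoys:
        reasons.append(f"decoy extension(s) {decoys} before executable .{last}")
    if max_pad >= MIN_SUSPICIOUS_PADDING:
        reasons.append(f"{max_pad} padding characters hide the .{last}")
    return Verdict(bool(reasons), reasons)


def scan_attachments(names):
    """Return {name: reasons} for every name the heuristic flags."""
    return {n: check_name(n).reasons for n in names if check_name(n).suspicious}


if __name__ == "__main__":
    # Constructed sample attachment names, including the padded DHL-style one.
    SAMPLE_NAMES = [
        "invoice.pdf.exe",
        "doc" + "_" * 50 + ".exe",
        "photo.jpg" + " " * 40 + ".scr",
        "Awesome.Image.jpg",
        "backup.tar.gz",
        "jquery.min.js",
        "Microsoft.VisualBasic.dll",
        "setup.exe",
    ]
    for name, why in scan_attachments(SAMPLE_NAMES).items():
        print(f"FLAG {name!r}: {'; '.join(why)}")
```

Note that the heuristic says nothing about whether the file is malware; it only decides that the name is dressed up to look like something else, which is why it belongs as a score contribution or a warning rather than a block, matching the reservations voiced earlier in the thread. Windows hiding known extensions makes sometext.txt.exe display as sometext.txt, so the check has to run on the real on-disk name.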