File extensions to exclude from scanning

Malte Persike

Hello everybody,

currently I'm using the student version of McAfee VirusScan 7 on my
Windows XP computer. The McAfee software allows for providing a
whitelist of file extensions that will not get scanned.

While I have the on-demand scanner scheduled to undertake a full scan
of all files every 10 days, I wished the on-access scanner was a
little less resource demanding. Setting the on-access scanner to scan
all files slows down my computer significantly so I would prefer to
exclude harmless files from the scanning process.

My question is: are there relatively "safe" file extensions (like TXT,
BMP, INI) and does a ready-to-use list of these extensions exist?

Kind regards,
Malte
 
Nick FitzGerald

Malte Persike said:
currently I'm using the student version of McAfee VirusScan 7 on my
Windows XP computer. The McAfee software allows for providing a
whitelist of file extensions that will not get scanned.

Yes -- a rather silly feature mainly there for historical reasons
rather than because it is of any significant use to many people...

While I have the on-demand scanner scheduled to undertake a full scan
of all files every 10 days, ...

Another largely pointless, though somewhat less harmful, feature
also retained for mainly historical reasons.

... I wished the on-access scanner was a
little less resource demanding. Setting the on-access scanner to scan
all files slows down my computer significantly so I would prefer to
exclude harmless files from the scanning process.

The problem here is that unless the scanner gets to look at a file to
see what it really contains, there is no way of knowing what type of
file (and therefore whether it is potentially malware carrying) it is.
Your apparent assumption that the file extension is the only thing
under Windows that matters for determining file type is a commonly
held, but far from accurate, belief. It only takes _one_ "rogue"
file type that can carry a virus or other malware and that can be
recognized (almost) regardless of its filename extension, to "require"
"all files" scanning. The bad news (for folk with your belief that
filename extension is sufficient grounds for determining file type),
is that there are many, several of which are part of a default Windows
installation and are "required" by more or less core system
functionalities.

My question is: are there relatively "safe" file extensions (like TXT,
BMP, INI) and does a ready-to-use list of these extensions exist?

Actually, that is two questions. The answer to the first -- which you
had not asked thus far -- is "Of course"; there are many essentially
safe file types. The problem is your conflation of actual file type
with filename extension in the second question. It is invalid and an
approach bound to bring trouble...
 
Why so many stars for so few four-leaf clovers?

Nick FitzGerald said:
Actually, that is two questions. The answer to the first -- which you
had not asked thus far -- is "Of course"; there are many essentially
safe file types. The problem is your conflation of actual file type
with filename extension in the second question. It is invalid and an
approach bound to bring trouble...

Yes Nick. However, it's strange that McAfee asks for a list of supposed safe
extensions while, usually, antivirus software does the contrary and asks for a
list of unsafe extensions (at least at real-time protection).



--

Jean-Luc Cavey
Paris, France
E-Mail : (e-mail address removed)
http://canon.cavey.org/
 
FromTheRafters

Why so many stars for so few four-leaf clovers? said:

Yes Nick. However, it's strange that McAfee asks for a list of supposed safe
extensions while, usually, antivirus software does the contrary and asks for a
list of unsafe extensions (at least at real-time protection).

What to scan, and what not to scan (by extension) are
equally at fault for judging a book by its cover if they
are indeed thinking in terms of safe/unsafe.

A list of file extensions to skip, is not the same as a list
of "safe" filetypes (filetypes as judged by extension). I
think that the feature may still have some worthwhile
application in that you can skip the scanning of files with
extensions that *you* have deemed safe to skip.

As for actual filetypes, the scanner would have to look
first to determine the filetype, and I believe that some
will abort the scan on some filetypes once they are
identified on a case by case basis. If you have large
data files, you can use the exclusion list to completely
avoid the useless (time consuming) scanning of those
data files.
 
James Egan

Yes Nick. However, it's strange that McAfee asks for a list of supposed safe
extensions while, usually, antivirus software does the contrary and asks for a
list of unsafe extensions (at least at real-time protection).

You have missed his point completely. It doesn't matter whether you
give a list of safe or unsafe extensions since safe "extensions" and
safe "filetypes" are completely different things.

For example, try renaming an MS Word document from filename.doc to
(say) filename.j1m and then double clicking it. Unless the .j1m
extension has a specific association with another program (unlikely)
then double clicking it will open it in MS Word. Consequently, since
(e.g.) MS Word documents can carry viruses and can be opened by double
clicking *any* extension which isn't associated elsewhere then *ALL*
extensions must be scanned.


Jim.
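
The point of the post above, sketched as an added example (not part of the original thread): an extension exclusion list is audited by reading each skipped file's leading bytes instead of trusting its name. The signature table, function names and sample files are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

# Leading bytes of formats that can carry macros or native code.
SIGNATURES = [
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", "OLE2 compound file (legacy Word/Excel)"),
    (b"MZ", "DOS/Windows executable"),
    (b"{\\rtf", "Rich Text Format"),
]

def sniff(path):
    """Return a label for the file's real format based on content, or None."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    for magic, label in SIGNATURES:
        if head.startswith(magic):
            return label
    return None

def audit_exclusions(root, excluded_exts):
    """List files an extension-based exclusion would skip although their
    content is a format that can carry active code."""
    excluded = {e.lower().lstrip(".") for e in excluded_exts}
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            ext = os.path.splitext(name)[1].lower().lstrip(".")
            if ext in excluded:
                label = sniff(os.path.join(dirpath, name))
                if label:
                    findings.append((name, label))
    return findings

def demo():
    """Write constructed sample files (headers only) and audit them."""
    samples = {
        "notes.txt": b"plain text, nothing to see\n",
        "report.txt": b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 64,
        "picture.bmp": b"MZ\x90\x00" + b"\x00" * 60,
        "settings.ini": b"[main]\nkey=value\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            Path(root, name).write_bytes(data)
        return audit_exclusions(root, ["TXT", "BMP", "INI"])

if __name__ == "__main__":
    print(demo())
```

A two-byte signature such as `MZ` will also match ordinary text that happens to start with those letters, so a hit means "hand this file to the scanner", not "this file is malicious".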
 
Nick FitzGerald

Why so many stars for so few four-leaf clovers? said:
Yes Nick. However, it's strange that McAfee asks for a list of supposed safe
extensions while, usually, antivirus software does the contrary and asks for a
list of unsafe extensions (at least at real-time protection).

I believe you are wrong, at least for a fresh install. By default it scans
all (or almost all) files (does it still (stupidly) install with a default
exemption for the recycled/recycler folders??) and like, so many other
scanners, from a quick assessment of the contents work out if it is a type
that needs scanning?

In an update install I guess NAI may have fallen into the stupidity trap NAV
was in for too many years where, on installing as an upgrade, it kept all the
old settings including all the type/extension to scan and/or to ignore ones,
rather than "intelligently" insisting on adding any types/extensions to the
must be scanned (or removing them from the exemptions list) for the types that
previously were not considered virusable...

(Anyway, all this kind of stupidity falls under the "silly feature mainly
there for historical reasons" clause... :cool: )
 
null

I believe you are wrong, at least for a fresh install. By default it scans
all (or almost all) files (does it still (stupidly) install with a default
exemption for the recycled/recycler folders??) and like, so many other
scanners, from a quick assessment of the contents work out if it is a type
that needs scanning?

McAfee DOS has a switch named /ALLOLE with the description, "treat all
files as compound/OLE". I know that OLE means Object Linking and
Embedding but I've never been clear on exactly what the scanner does
when this switch is set. It seems to be the closest thing to the
F-Prot DOS /TYPE switch which treats files by their structure rather
than by their file extension.


Art
http://www.epix.net/~artnpeg
 
Malte Persike

Your apparent assumption that the file extension is the only thing
under Windows that matters for determining file type is a commonly
held, but far from accurate, belief.

Dear Nick,

thank you very much for your reply. Nevertheless be assured that I am
fully aware of the difference between file types and file extensions.
The fact that any file type can be obfuscated by assigning an
arbitrary file extension to the file in question is one of the many
things I dislike about the Windows file system conception.

This holds even though current versions of Windows do collect separate
meta information about certain files that allow the explorer to
distinguish between file type and file extension. One example would be
the discrimination of Word HTML files from other HTML sources
regardless of the identical file extension. This meta information does
not get statically stored in the registry but is collected by looking
at the file contents when needed.

It only takes _one_ "rogue"
file type that can carry a virus or other malware and that can be
recognized (almost) regardless of its filename extension, to "require"
"all files" scanning.

Granted. But in my understanding it is nothing else than the "type vs.
extension" issue which introduces the aspect of relative safety I was
talking about. TXT files, for example, as well as files from a large
group of other extensions will presumably never get executed unless
they are renamed to a file extension which signals an executable file.
Hence, even if a TXT file carried malicious binary code, it is at
worst "deactivated" code.
That is why I still need my on-demand scanner because I want to get
rid of such files once in a while.

The problem is your conflation of actual file type
with filename extension in the second question. It is invalid and an
approach bound to bring trouble...

Allow me to gently point you to the fact that no conflation exists in
my posting since I never used the term "file type". With the phrase
"relatively safe" I intended to communicate the following:

My question addresses the problem whether or not it is possible for
files with extensions that indicate an essentially safe file type - as
you called them - to be harmful to my system. Without me changing
their type to an executable one, of course.
And in conclusion, if that was not the case, I would be very delighted
if a whitelist of such file extensions existed.

Regards,
Malte

---

The above e-mail address is not valid. To
contact me, please use my real e-mail address:

malte AT t DASH online DOT de
 
kurt wismer

Malte Persike wrote:
[snip]
Allow me to gently point you to the fact that no conflation exists in
my posting since I never used the term "file type". With the phrase
"relatively safe" I intended to communicate the following:

so you want a list of relatively safe file extensions...

ok...

-- start list --
-- end list --

no, i'm not being facetious...

My question addresses the problem whether or not it is possible for
files with extensions that indicate an essentially safe file type - as
you called them - to be harmful to my system.

yes it is possible... example - .rtf should be safe but isn't... you
yourself pointed out another example, .html should be safe but isn't...

things that get opened in word represent an entire class of threats
(it's not the only client app of this sort, of course), and since we
can't possibly know what your particular file associations are, we
don't really know what extensions will launch word (or one of the other
client apps that do similarly security brain dead things)...

frankly, even if extension *did* equal type, changeable file
associations void any default safety for all extensions... what might
be safe on my machine might not be safe on yours...
 
FromTheRafters

Malte Persike said:
My question addresses the problem whether or not it is possible for
files with extensions that indicate an essentially safe file type - as
you called them - to be harmful to my system. Without me changing
their type to an executable one, of course.

Any unassociated extension could be dangerous, so such a list
would have to be made from the machine associations on your
target system. There is a registry (hack?) patch to cause your
machine to associate otherwise unregistered extensions with a
program of your choice (such as notepad) to hopefully avoid
this problem.

And in conclusion, if that was not the case, I would be very delighted
if a whitelist of such file extensions existed.

Many people may have their own versions of such a list, but
as long as the above situation hasn't been fixed, they are sadly
wrong. Every extension on their whitelist must be registered
with an associated action ~ if just one isn't, and it is detected
by its structure to be a Word document, it could execute some
malware on the system.
 
