
About Microsoft Security Essentials and PDF files


13 replies to this topic

#1 seraphin

seraphin

  • Members
  • 118 posts
  • OFFLINE
  •  
  • Local time:05:31 PM

Posted 08 August 2014 - 08:43 AM

I have to download lots of PDF files for work purposes - need to read up on lots of research publications. However, I recently noticed that when I open Microsoft Security Essentials - the only antivirus software running on my PC (I use Malwarebytes for anti-malware) - and scan those PDFs, for each PDF file, it says that "scan completed on 2 items, no threats were detected on your PC during this scan" ????

I scan ONLY one PDF, but it says 2 items are threat-free. Do PDF files USUALLY come piggy-backed with some other files ????

 

I test-scanned a PDF file I created from a Word document and the scanning result showed only 1 item was scanned. So why are there 2 files/items when I download PDFs from the website? The websites where I download the PDFs are all presumably legit (government-sponsored), so why am I getting two (?) files instead of one?

 

Are PDF files safe to download ???

 

Any insight will be appreciated. Thank you.




 


#2 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,672 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:31 PM

Posted 10 August 2014 - 03:04 AM

PDFs can contain embedded files. I did a test with a simple PDF file, and MSE reports 1 item scanned. And when I scan a PDF file with an embedded file, it reports 3 items scanned.

 

Can you share a link to one of the PDF files that has 2 items, so that I can take a look?

 

PDF files are like many other file types: they can be malicious.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#3 IllusionEclipse

IllusionEclipse

  • Members
  • 205 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Chillin in my Compspace
  • Local time:07:31 AM

Posted 10 August 2014 - 06:55 AM

I've used MSE since I first got this laptop (it came with it 4 years back) and still use it to this day. I have seen the same thing happen when scanning a single file: MSE has shown that the one file I chose to scan came back with a few more scans. It shouldn't be much of a concern unless it does find a threat.


An illusion is as real as the person who sees it, but wouldn't that be an illusion in and of itself?


#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,279 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:31 PM

Posted 10 August 2014 - 07:43 AM


Please follow Didier Stevens's instructions so he can have a look and advise you further.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#5 rp88

rp88

  • Members
  • 2,980 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:08:31 PM

Posted 10 August 2014 - 11:05 AM

I've seen this behaviour, not with MSE but with AVG. Sometimes when I scan all the files in a folder it double counts them. Not just for PDFs but also for PNG, JPEG, GIF, and many other types.


Back on this site, for a while anyway, been so busy the last year.

My systems:2 laptops, intel i3 processors, windows 8.1 installed on the hard-drive and linux mint 17.3 MATE installed to USB

#6 seraphin

seraphin
  • Topic Starter

  • Members
  • 118 posts
  • OFFLINE
  •  
  • Local time:05:31 PM

Posted 12 August 2014 - 07:33 AM

Sorry for the delay.

Here is one link to a scientific publication. After you download the PDF and ask MSE to scan it, it will tell you "scan completed on 2 items (and No threats were detected on your PC during this scan)".

http://www.plosone.org/article/info%3Adoi%2F10.1371%2Fjournal.pone.0102408



#7 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,672 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:31 PM

Posted 12 August 2014 - 02:20 PM

Your file has no embedded files nor JavaScript.

 

But when I scan it with MSE on Windows 7, only one item is scanned, not two.





#12 seraphin

seraphin
  • Topic Starter

  • Members
  • 118 posts
  • OFFLINE
  •  
  • Local time:05:31 PM

Posted 12 August 2014 - 08:22 PM

Aha -

I was a bit worried and thought my laptop could be infected. Then I tried to download the file using different browsers.

It turns out the test file downloaded using Chrome contains a single item whereas the same file downloaded using Firefox (which is my default browser) contains two items, per MSE scanning.

So now it's clear that the issue is probably Firefox's fault (considering that it's my default). Should I be worried then ?????? Or if anyone could explain to me what Firefox is up to (wasting my precious HD space for one). Any insight will be appreciated. Great many thanks.



#13 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,672 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:31 PM

Posted 13 August 2014 - 12:08 PM

This makes me think of Alternate Data Streams. Are you familiar with them?



#14 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,672 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:31 PM

Posted 13 August 2014 - 02:42 PM

I confirm, I just added an alternate data stream to your PDF file I downloaded (I did it like this: echo extra > journal.pone.0102408.pdf:data).

Then I rebooted, and then I let MSE scan again: now I have 2 items instead of 1.

 

Since browsers like Internet Explorer add stream data to indicate that a file was downloaded from the Internet, I guess this is what you experience.

 

You can use Sysinternals' streams utility to view these streams.

 

More about alternate data streams:

http://www.irongeek.com/i.php?page=security/altds


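An added example, not part of any post in this thread: a PowerShell function that lists the alternate data streams attached to files, which is the kind of extra item described in the post above. It assumes an NTFS volume and PowerShell 3.0 or later; the `Get-AlternateStream` name and the sample file are constructed for illustration, and `Zone.Identifier` is the stream name Windows uses for the downloaded-from-the-Internet marker.

```powershell
# Added example: list alternate data streams (ADS) on the files in a folder.
# Get-AlternateStream is a hypothetical helper name, not a built-in cmdlet.
function Get-AlternateStream {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -LiteralPath $Path -File | ForEach-Object {
        $file = $_
        # Every file has the unnamed default stream ':$DATA'; anything else is an ADS.
        Get-Item -LiteralPath $file.FullName -Stream * |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                $zone = $null
                if ($_.Stream -eq 'Zone.Identifier') {
                    # The download marker is INI-style text: "[ZoneTransfer]" then "ZoneId=<n>".
                    $text = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -Raw
                    if ($text -match 'ZoneId\s*=\s*(\d+)') { $zone = [int]$Matches[1] }
                }
                [pscustomobject]@{
                    File   = $file.Name
                    Stream = $_.Stream
                    Length = $_.Length
                    ZoneId = $zone   # 3 means the Internet zone
                }
            }
    }
}

# Constructed sample: a stand-in file carrying the two kinds of stream from the thread.
$dir = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$pdf = Join-Path $dir 'sample.pdf'
Set-Content -LiteralPath $pdf -Value '%PDF-1.4 constructed placeholder'
# Same effect as the "echo extra > file.pdf:data" test in the post above.
Set-Content -LiteralPath $pdf -Stream data -Value 'extra'
# Constructed download marker of the kind a browser writes.
Set-Content -LiteralPath $pdf -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"

Get-AlternateStream -Path $dir | Format-Table -AutoSize

# Unblock-File removes only the Zone.Identifier stream; the 'data' stream remains.
Unblock-File -LiteralPath $pdf
Get-AlternateStream -Path $dir | Format-Table -AutoSize

Remove-Item -LiteralPath $dir -Recurse -Force
```

Pointing `Get-AlternateStream` at a downloads folder shows which files carry a marker stream and which carry streams with other names, which are the ones worth a closer look.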




