
Does Malwarebytes examine jpeg image files?



No.  Files with JFIF ( JPEG ) in their header are not scanned for malicious code.  However an executable file masquerading as a JPEG will be scanned for malicious code.

Image2.jpg

Malwarebytes' Anti-Malware ( MBAM ) does not target scripted malware files.  That means MBAM will not target: JS, JSE, PY, .HTML, VBS, VBE, WSF, .CLASS, SWF, SQL, BAT, CMD, PDF, PHP, etc.
It also does not target documents such as: PDF, DOC, DOCx, XLS, XLSx, PPT, PPS, ODF, RTF, etc.
It also does not target media files: MP3, WMV, JPG, GIF, etc.

Until MBAM v1.75, MBAM could not access files in archives, but with v1.75 came that ability, so it can unarchive a Java Jar (which is a PKZip file) but it won't target the .CLASS files within. Same goes with CHM files (which is a PKZip file) but it doesn't target the HTML files within. MBAM v1.75 and later specifically will deal with ZIP, RAR, 7z, CAB and MSI for archives, and self-extracting ZIP, 7z, RAR and NSIS executables (aka SFX files).

MBAM specifically targets binaries that start with the first two characters being: MZ
They can be: EXE, CPL, SYS, DLL, SCR and OCX. Any of these file types can be renamed to be anything such as TXT, JPG, CMD and BAT and they will still be targeted just as long as the binary starts with 'MZ'.

MZ-binary.jpg

 

NOTE:  Malwarebytes' Anti-Exploit ( MBAE ) is designed to deal with many of the types of malware associated with scripts, documents and media files. MBAE will protect the computer against exploitation attempts, whether they were exploits of software vulnerabilities or taking advantage of an application in an unusual way, and it works at an "action level" and not a "file level" like MBAM. MBAE provides protection of applications that are commonly known to be associated with and normally used by the file type.
Reference:  MBAE FAQ

 

Edited by David H. Lipman
Link to post
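The header-based targeting described in the post above, as an added example that is not part of the original post and is not Malwarebytes code: it classifies content by its leading bytes and flags an MZ binary whose name carries a non-executable extension. The function names and sample byte strings are constructed for illustration, and the check for the `PE\0\0` signature via the offset at 0x3C goes one step beyond the two-byte `MZ` test the post mentions.

```python
import struct
from pathlib import PurePath

# Extensions the post lists for MZ binaries.
PE_EXTENSIONS = {".exe", ".cpl", ".sys", ".dll", ".scr", ".ocx"}


def sniff(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring the file name."""
    if data[:2] == b"MZ":
        # Added step: a PE file stores the offset of its "PE\0\0"
        # signature in the DOS header at 0x3C (e_lfanew).
        if len(data) >= 0x40:
            (pe_off,) = struct.unpack_from("<I", data, 0x3C)
            if data[pe_off:pe_off + 4] == b"PE\0\0":
                return "pe"
        return "mz"  # MZ prefix only: DOS stub, truncated file, or junk
    if data[:3] == b"\xff\xd8\xff":
        # JPEG start-of-image marker; JFIF files carry "JFIF\0" at offset 6.
        return "jpeg-jfif" if data[6:11] == b"JFIF\0" else "jpeg"
    return "other"


def triage(name: str, data: bytes) -> tuple[str, bool]:
    """Return (content kind, masquerading?) for a file name and its bytes."""
    kind = sniff(data)
    ext = PurePath(name).suffix.lower()
    masquerading = kind in ("pe", "mz") and ext not in PE_EXTENSIONS
    return kind, masquerading


# Constructed samples (not real files): a minimal DOS header whose e_lfanew
# points at a PE signature, and the first bytes of a JFIF image.
PE_SAMPLE = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0"
JFIF_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01"

if __name__ == "__main__":
    for name, data in [("holiday.jpg", PE_SAMPLE),
                       ("setup.exe", PE_SAMPLE),
                       ("photo.jpg", JFIF_SAMPLE)]:
        print(name, triage(name, data))
```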

  • 2 years later...

I never received a notice that the question was addressed back on July 26, 2016.   Perhaps I assumed incorrectly that I would be notified if an answer appeared.

The issue is:  I don't understand the answer.  It is too technical.  I am guessing the correct answer is "NO." 

I don't understand the issue, why it cannot look inside a jpeg file.  Of all the files jpeg is extremely common.  Every digital camera I know shoots jpeg.  It should also examine DNG files, Digital Negative Files, an Adobe format in the public domain.

 

 

Link to post

It is still accurate.  MBAM doesn't target non-executable binaries via signatures.

Graphic files do not "infect".  At most a graphic file may be designed to exploit a flaw in a graphic rendering module.  There has to be a process involved that uses the graphic file exploit to take advantage of the act.  On a similar theme, a graphic file may be modified through steganography.  Even this altered version cannot infect.  It would need an ancillary script or executable to extract what may have been embedded through a steganographic process.

 

Edited by David H. Lipman
Spelling, Grammar and Clarification
Link to post

Image files ( like actual JPEG files) are not targeted by the program.   

What is new since this thread from the summer of 2016, and what has changed in the Malwarebytes program, is this.

Malwarebytes 3 Premium contains multiple protections, including anti-exploit.  Malwarebytes 3 Premium has layers of technology like anomaly detection, behavior matching, and application hardening. 

Link to post

Just to add to the information already shared by the others, the main point is that even though the primary Malware Protection component/scan engine of Malwarebytes does not target malicious scripts, documents and images, the methods that such files use to actually launch an attack to infect a system are targeted by other components of Malwarebytes protection, in particular the Exploit Protection component as this is the shield most relevant to attacks that involve files of these types (i.e. a web exploit tries to download and run a malicious script - Exploit Protection detects and blocks the web exploit stopping the attack before it is able to infect the system; you download and try to open a malicious image file which contains malicious code (i.e. an exploit that tries to execute a malicious script through your image viewing software) - Exploit Protection detects the exploit attempt as soon as the file is opened and attempts to attack your system, stopping the attack in its tracks and preventing infection; you download a malicious document from the web or open one attached to an email - Exploit Protection detects the exploit within the malicious document trying to exploit a vulnerability in your office software and stops the attack before it can go any further to infect your system, thus preventing infection etc. etc.).

Malwarebytes 3 has many layers, and since some, like Exploit Protection, do not rely on signatures/definitions and instead look at process behavior they are able to stop even new and unknown threats that use these methods of attack which makes this one of the most proactive protection components in Malwarebytes.

You can learn more about the various layers in Malwarebytes Premium and how they work to protect your system by reviewing the diagram and information found on this page.

If you wish to learn more about specific threats, types of attacks (such as exploits) and much more about the tools and methods the bad guys use to attempt to infect devices and scam users you can read any of the many freely available articles published on Malwarebytes Labs Blog and you can also search Malwarebytes Labs Threat Center.

You'll find a general glossary of common terms used for classifying various threats along with other terms often referenced on this and other tech/malware research sites here

Malwarebytes also has tons of online videos on various topics in the MBTV Archive and you can also search/browse Malwarebytes Support Knowledgebase if you wish to learn more about Malwarebytes products, known issues, or to get help on various topics related to Malwarebytes products and services and of course you can always post here on the forums again if you have any questions or issues and need our help with anything as well as contact Malwarebytes Support directly via the options found on this page if you prefer to work with a member of Support one-on-one to ask a question or solve a problem.

Malwarebytes has many resources available with great information if you wish to learn more about modern threats and how they work.

Link to post

Computer code comes in two forms:  Compiled and Interpreted.  This "code" is a Computer Language.  Just like there are different Human Languages that we all mentally interpret, computers have different languages such as:  Java, JavaScript, BASIC, Pascal, C++, KiXtart, Machine Code, OS Command Interpreters ( BAT and CMD ), 4DOS, etc.

Compiled code generates an Executable file as demonstrated in the 2nd graphic in Post #2.  It shows Compiled code for Microsoft Windows. The two graphics are captured from a utility that allows one to see the actual contents of computer files.

A Script is a series of commands used by an Interpreted Language which interprets what the command is and performs the function that command indicates.  Each Interpreter has a Library of Commands.  Each command has a Syntax or a particular format that command must use or it will not work as expected.  Each language has its own set of commands and rules and thus each language has its own syntax that must be followed.

In short, MBAM will not look at a script and determine if it is malicious or not via a signature process.  What it will do, instead of acting on this type of passive file, is react upon the activity and actions the file performs or is made to perform.

 

 

Link to post