Virus detected - ?

Can anyone tell me what the 'freeimage.dll' file is in DAZ please, because my anti-virus software keeps flagging it up as 'software that may cause harm to your computer and/or data' and it is also flagging it as 'spyware'.

 

Any advice will be welcome.... Thanks

«1

Comments

  • LeanaLeana Posts: 11,690

    It's part of the dll in the libs\iray folder, so I guess it's used for Iray...

  • jontaylor99jontaylor99 Posts: 213
    Leana said:

    It's part of the dll in the libs\iray folder, so I guess it's used for Iray...

    Yes that is correct, I found it there also, but I don't understand why it's getting flagged up as spyware and/or virus.

  • Richard HaseltineRichard Haseltine Posts: 100,781

    Have you scanned with an alternative, on-demand scanner? I think it may be the image IO library, which is a generic library.

  • jontaylor99jontaylor99 Posts: 213

    Have you scanned with an alternative, on-demand scanner? I think it may be the image IO library, which is a generic library.

    No, I haven't got an alternative one installed and the only ones I've found online seem to want to scan my whole system, which will take up an awful long time.

    This is the first time this file has been flagged up so it must be something new that's been added to my DAZ libraries very recently, I've not downloaded any updates (that I'm aware of) and I've not added any new products for quite some time now so I don't understand where it came from, or if it's always been there, how come it is now getting flagged? Very strange, I may delete it and see what happens.

  • Richard HaseltineRichard Haseltine Posts: 100,781

    It could also be that the AV updated its heuristic scanning (which I suspect is what this is - just a guess on general pattern rather than a real virus0. Of course it's remotely possible that some piece of malware has attached itself to your installation, but that seems unlikely in the absence of any other alerts.

  • jontaylor99jontaylor99 Posts: 213

    It could also be that the AV updated its heuristic scanning (which I suspect is what this is - just a guess on general pattern rather than a real virus0. Of course it's remotely possible that some piece of malware has attached itself to your installation, but that seems unlikely in the absence of any other alerts.

    Well, I took the file out, rather than delete it and iray rendering doesn't appear to work without this file in place, I tried a few quick renders and all the surfaces just showed up in a rather strange pink colour.

    I put the file back and everything works fine again, so what ever this 'freeimage.dll' is it looks like we do need it in there.

  • ToborTobor Posts: 2,300

    Freeimage is a popular open source graphics manipulation software. You likely will not get outfile images, if anything at all, if you delete it.

    It's likely a false positive, but you can verify by uploading your specific DLL file to VirusTotal. Force a new scan, and see what they say. You can also submit your file to your anti-malware vendor for verification.

    The freeimage.dll file can be recompiled based on custom changes (though if it is altered, Daz must provide the source code of their changes, which they may have somewhere on their site), and so there can be many variations of this DLL file floating around. Your anti-virus program may be noting that your file doesn't match the common "freeimage.dll" that's available, and might assume it's a sneaky replacement.

    Once you are satisfied the file is not a virus, simply add it as an exception. The manual for your anti-virus program will explain how to do that, if you're unfamiliar with the process.

  • I also got a virus alert form Kaspersky, and I did what was recommanded: erase the file. But now, as jontaylor99 said, my renders are all pink...

    How can I get my missing file back ? May I have to re-install all DAZ ?

    Thanks in advance for the reply.

  • Richard HaseltineRichard Haseltine Posts: 100,781

    I also got a virus alert form Kaspersky, and I did what was recommanded: erase the file. But now, as jontaylor99 said, my renders are all pink...

    How can I get my missing file back ? May I have to re-install all DAZ ?

    Thanks in advance for the reply.

    If you can't restore it from quarantine then yes, reinstall DS

  • jontaylor99jontaylor99 Posts: 213

    I also got a virus alert form Kaspersky, and I did what was recommanded: erase the file. But now, as jontaylor99 said, my renders are all pink...

    How can I get my missing file back ? May I have to re-install all DAZ ?

    Thanks in advance for the reply.

    Yann, if you download DAZ from the website and install it manually it will overwrite and replace anything that is missing without destroying any of your other stuff. Just direct it to your install folder and follow the prompt to overwrite.

  • @Richard

    The file is definitely erased, even the backup that I copy/past on an another hard drive (Kaspesky is very picky about suspicious files),

     

    @Jontaylor99

    OK thanks a lot for you solution :) I'll do that.

  • jontaylor99jontaylor99 Posts: 213
    Tobor said:

    Freeimage is a popular open source graphics manipulation software. You likely will not get outfile images, if anything at all, if you delete it.

    It's likely a false positive, but you can verify by uploading your specific DLL file to VirusTotal. Force a new scan, and see what they say. You can also submit your file to your anti-malware vendor for verification.

    The freeimage.dll file can be recompiled based on custom changes (though if it is altered, Daz must provide the source code of their changes, which they may have somewhere on their site), and so there can be many variations of this DLL file floating around. Your anti-virus program may be noting that your file doesn't match the common "freeimage.dll" that's available, and might assume it's a sneaky replacement.

    Once you are satisfied the file is not a virus, simply add it as an exception. The manual for your anti-virus program will explain how to do that, if you're unfamiliar with the process.

    Thanks Tobor, I've added it to the 'exception' list now and things seem fine again.

  • This is instructions for Win8 and DAZ Install Manager - don't know how well it works for other OS

    I didn't have to reinstall DAZ Studio - here is what I did

    if you have the zip file in your Install Manager Folder - look for IM00013176-02_DAZStudio49Win64bit.zip -

    just find the zip file and look inside the zip 

    :\InstallManager\Downloads\IM00013176-02_DAZStudio49Win64bit.zip\DAZ Studio_4.5_(64-Bit)\DAZ 3D\DAZStudio4\libs

    you will find the file freeimage.dll there -

    drag it into C:\Program Files\DAZ 3D\DAZStudio4\libs folder (or whatever folder you have installed DAZ into

    when your AntiVirus program shows it as a virus just tell it to ignore always or whatever your AV program has for exception

    easier than redownloading and reinstalling - works fine for me

  • SigurdSigurd Posts: 1,086

    Thank you. I just noticed this myself and I was wondering. I deleted it and then ended up having to reinstall Daz. Anyone know the purpose of this new file that my computer tags as a potenetially malicious virus?

  • Richard HaseltineRichard Haseltine Posts: 100,781
    edited July 2016

    It's an open-source image handling library - and it isn't new, what's new is the (possibly overzealous) Kaspersky algorithm or signature set.

    Post edited by Richard Haseltine on
  • PDSmithPDSmith Posts: 712

    Looks to me like Daz needs to contact Kaspersky and tell them it's safe.  I was hit with the same thing this morning with the Kaspersky update, I'd filled a trouble ticket.

  • MadbatMadbat Posts: 382

    Panda flagged it as suspicious as well, it's not just kapersky getting overzealous. I did check it with malwarebytes premium, just in case and it's fine. The file itself is used by quite a few programs so I'd expect Kapersky and the rest will hear all about very quickly lol. 

  • IvyIvy Posts: 7,165

     got the same alert today as well with my updated version of kaspersky .

  • jcbunnjcbunn Posts: 270

    AV programs are only as good as there scanners

    here is a compared scan of freeimage.dll

    https://www.virustotal.com/en/file/ce43cd3b94f03a933b2d06df7ee1423e1b9d9cc9b5520bbca5ffee4a8d8f58e3/analysis/

  • ToborTobor Posts: 2,300

    The thing with freeimage.dll is that it can be recompiled by anyone wanting to use the library. It's open source code. When an executable (which is what a DLL is) has been recompiled, its signature changes, and this is likely what these anti-virus programs are looking for. It is not a good system, but better than nothing.

    What the anti-virus programs need to do is use a different set of heuristics to identify the file as suspicious. This may be what the others are doing, or else, freeimage.dll isn't on their radar as a potential malware backdoor. 

     

  • kimhkimh Posts: 388

    I thought I was going crazy and wondering what I was doing wrong. All my renders are pink so I followed the instructions above. However, there is no freeimage.dll file in the last version of the download.

    The first image shows the folder IM00013176-02_DAZStudio49Win64bit.zip\DAZ Studio_4.5_(64-Bit)\DAZ 3D\DAZStudio4\libs\iray\

    The second image shows installed files and as you can see there is supposed to be a freeimage file but it's greyed out because nothing was installed

    I even tried manually downloading and installing that way but with the same result...no freeimage.dll file

    I will open a ticket but if  someone is trying to resolve using the above methods, it might be a lesson in frustration

     

    NoFreeimagedllfile.PNG
    997 x 474 - 46K
    NoFreeimagedllfile-2.PNG
    543 x 624 - 48K
  • kimhkimh Posts: 388
    edited October 2016
    kimh said:

    I thought I was going crazy and wondering what I was doing wrong. All my renders are pink so I followed the instructions above. However, there is no freeimage.dll file in the last version of the download.

    The first image shows the folder IM00013176-02_DAZStudio49Win64bit.zip\DAZ Studio_4.5_(64-Bit)\DAZ 3D\DAZStudio4\libs\iray\

    The second image shows installed files and as you can see there is supposed to be a freeimage file but it's greyed out because nothing was installed

    I even tried manually downloading and installing that way but with the same result...no freeimage.dll file

    I will open a ticket but if  someone is trying to resolve using the above methods, it might be a lesson in frustration

    Ignore my post. Apparently once I deleted Daz Studio completely and reinstalled it, Kaspersky found the file and I was able to exclude it....I did have a freeimage file which must have been corrupted or something. It got removed when I reinstalled over the existing install. I know it wasn't quarantined because I checked there. It's a mystery as to why this happened but it's fixed now...yay

     

    kimh said:

     

     

    Post edited by kimh on
  • AndySAndyS Posts: 1,438

    For the DAZ developers it seem a general custom to use formalisms similar to or original virus sigatures.

    I got several alerts in the past.

  • mjc1016mjc1016 Posts: 15,001
    AndyS said:

    For the DAZ developers it seem a general custom to use formalisms similar to or original virus sigatures.

    I got several alerts in the past.

    No, it's more like the AV industry has a penchant for marking OpenSource code as 'dangerous' because the low-lifes that create viruses are fond of using it instead of cooking up their own...

    If you are getting an 'alert' for a component dll and don't have a secondary AV to run it against you can always go here...

    https://virusscan.jotti.org/

    And scan it.   90+++% of the time when only one or two AVs flag something...it is most likely (more than 99% assurance) to mean it is a false positive.  Also, when something is flagged, look at what the AV is calling it...just because it flags something as 'dangerous' doesn't mean it is an infection...often it means it is a 'tool' that can be used to create malware (or a lot of legitimate programming tasks).

  • JD_MortalJD_Mortal Posts: 760
    edited October 2016

    The flagging is most-likely due to a "new exploit" found with JPEG image processors. Programs not "patched" with the new exploit protection, are vulnerable to attack, and thus, a potential for viral exploitation. (Though, I assume DAZ3D would not be a primary target. The virus scanners have no clue if it is a shared-DLL or a solitary-use DLL. {Used by many programs, or used only by one.})

    As a protection, it monitors the files which have the exploit issue. That file is one known to "have the exploit issue".

    No, it is not a virus itself. Though, a virus trying to exploit your computer may ALSO have that same old-code within it, from that same exact DLL.

    FYI, Update all your web browsers, and windows, as they are all subject to the exploit recently found. It allows a remote operator to gain access to critical memory allocations, beyond the scope of the purposely malformed image used in the exploit. Thus, gaining access to anything you have in RAM, VIA a web browser or compromised program that "looks" for specific data to harvest or commands to alter, to gain permissions for your whole OS.

    Post edited by JD_Mortal on
  • mjc1016mjc1016 Posts: 15,001
    JD_Mortal said:

    The flagging is most-likely due to a "new exploit" found with JPEG image processors. Programs not "patched" with the new exploit protection, are vulnerable to attack, and thus, a potential for viral exploitation. (Though, I assume DAZ3D would not be a primary target. The virus scanners have no clue if it is a shared-DLL or a solitary-use DLL. {Used by many programs, or used only by one.})

    As a protection, it monitors the files which have the exploit issue. That file is one known to "have the exploit issue".

    No, it is not a virus itself. Though, a virus trying to exploit your computer may ALSO have that same old-code within it, from that same exact DLL.

    FYI, Update all your web browsers, and windows, as they are all subject to the exploit recently found. It allows a remote operator to gain access to critical memory allocations, beyond the scope of the purposely malformed image used in the exploit. Thus, gaining access to anything you have in RAM, VIA a web browser or compromised program that "looks" for specific data to harvest or commands to alter, to gain permissions for your whole OS.

    No...some AVs have been flagging freeimage.dll for quite a while now..close to a year.

  • JD_MortalJD_Mortal Posts: 760
    JD_Mortal said:
    No...some AVs have been flagging freeimage.dll for quite a while now..close to a yea

    It is a common type of exploit. Due to JPG's crazy size potential limits and people constantly trying to exploit it. Microsoft usually hot-patches a fix that forces it to NOT go to those limits, even when the DLL tries. (Which is where this latest exploit actually fails. It shows the correct image-size, not the exploited size, but the size in memory is still the proposed size, which gives all that data the same "All access" privileges as the image itself, and windows freely feeds any program that data from that memory address, as long as it is in range of the fake image size. As opposed to the actual data-size of the image. Images contain the length and width and "bits" that they consume, instead of just reading the number of bits and seeing the sizes... It helps to "Jump" to an area of an image, without having to read the whole image at once, before hand. That is how it exploits the memory issue. It asks for the data at position X-Y, which is actually not data from the image, but your other thing in memory. Since windows already has permission, it freely dumps that data to the program and moves-on. Even if it is your cached passwords, your OS credentials, or information about your secure connections. Thus, mostly exploited in web-browsers, since the data around the image will most-likely be something web-related, which is what it is looking for, to alter or just steal for later use.)

     

    However, this is a current issue. Being flagged in the past is irrelevant to being flagged "again" now. They surely patched those exploits, and this is now a new one, bringing it back on top of the list for detection. (That stops people from using vaporware, if no-one is around to patch it, it will eventually be blacklisted by windows and just fail to work at all. :P Rare, but it happens. Usually windows just kindly re-writes those lines of machine-code, so it operates as windows wants, not as it is originally intended to operate, with the exploit code. That is why viruses have been so few far and between in the last ten years. Ten years ago, viruses would pop-up daily. I haven't seen one on ANY of my systems in the last ten years. Guess they all moved to Mac-owners, since they are rich enough to pay exorbitant amounts of money for yesterdays technology. :P)

    Old related material... The "freeimage.dll" worm... Highly destructive... (Old news) http://www.completelyuninstallprogram.com/freeimage-dll/

    The latest "issue", which is not just limited to the source program, as most programs within windows, including freeimage.dll, use similar "free code".

    http://www.talosintelligence.com/reports/TALOS-2016-0193/

    also...

    http://thehackernews.com/2016/10/openjpeg-exploit-hack.html

    But, the fear is crying wolf, if your windows is up to date... The file in question, is "safe", even if it is not, because the chances of a virus seeking-out iray or daz3d folders for an unpatched file, is slim-to-none. I am sure the dll will be patched soon anyways, if it is not already patched, or if it is submitted for exemption to the scanners.

  • mjc1016mjc1016 Posts: 15,001

    It has been an ongoing issue, particularly with one AV.  Look back over the forums...'pink renders' is the typical symptom and has been happening, nearly constantly for a while now.

  • AndySAndyS Posts: 1,438

    If you really have this oppinion - continue to let your computers being corrupted !!

     

    All others request: Please DAZ Team ! Stop using virus signitures !

     

    Thank you.

  • mjc1016mjc1016 Posts: 15,001

    The complaint about freeimage.dll should be directed at Nvidia...since it is REQUIRED by Iray.

Sign In or Register to comment.