Ticket #152 (closed test: worksforme)

Opened 3 months ago

Last modified 3 months ago

Suspicious Files - VGX1.tmp, VGX*.tmp (VML Rendering Temp Files)

Reported by: kindlund
Assigned to: knwang
Priority: normal
Milestone: 1.1
Component: Excluded Registry/File/Process
Version: none
Severity: none
Keywords: file, exclude, IE, vgx, vml, render, office, file, type
Cc:

Description

So after visiting a known, good website:

http://www.monmouth.army.mil/cecom/pao/infofacts/websiteprogs2.htm

We find the VM has the following suspicious files created:

C:\WINDOWS\VGX17.tmp
C:\WINDOWS\VGX18.tmp
C:\WINDOWS\VGX19.tmp

After analyzing these files further, they are, in fact, GIF images. Specifically, they are copies of the 3 GIF images found at that website.

It turns out that the webpage actually used Microsoft Word to create the HTML content. As a result, IE attempts to respect the inline VML code placed within the page and renders each image according to that code.

In order to do this rendering properly, IE relies on a VML rendering engine "VGX.dll" to perform these operations. As this engine renders each image, it looks like the "VGX.dll" file writes these VGX*.tmp files out to this directory — rather messy.

Here's more information about VGX.dll: http://www.verisign.com/security-intelligence-service/current-intelligence/vulnerability-advisories/2007/462.html

So, I'm leaning towards adding something like VGX*.tmp to our white-list. If we don't do this, then we'll have to disable the VGX.dll manually, as listed on the Verisign website.

Neither solution looks pretty, but if we don't do this, we'll keep getting this type of false positive.

Any thoughts?

— Darien
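The exclusion proposed in the ticket is a path pattern, and a path-only whitelist is a blind spot: anything a page manages to write as C:\WINDOWS\VGX*.tmp would be ignored. The following added example (not code from the ticket or from the honeyclient project, and not its real exclusion-list format) shows one way to triage file-creation events so that the VGX*.tmp entry only suppresses files whose first bytes are actually a GIF, as the ticket found, while a name match with other content stays visible. The exclusion syntax, the `classify` verdicts and the sample events are all constructed for illustration.

```python
import fnmatch

# Constructed exclusion entries (assumption: one full Windows path glob per
# entry, matched case-insensitively; not the project's real list format).
EXCLUSIONS = [
    r"C:\WINDOWS\VGX*.tmp",   # VML temp files written by VGX.dll (this ticket)
]

# GIF magic headers; the ticket found the VGX*.tmp files to be plain GIF images.
GIF_MAGICS = (b"GIF87a", b"GIF89a")


def _split(path):
    """Split a Windows path into (directory, file name), both lower-cased."""
    directory, _, name = path.lower().rpartition("\\")
    return directory, name


def is_excluded(path, exclusions=EXCLUSIONS):
    r"""True if path matches an exclusion entry.

    The wildcard is confined to the file-name component: fnmatch's '*' would
    otherwise also match backslashes, so C:\WINDOWS\VGX*.tmp would silently
    cover C:\WINDOWS\VGX\anything.tmp as well.
    """
    directory, name = _split(path)
    for pattern in exclusions:
        pat_dir, pat_name = _split(pattern)
        if directory == pat_dir and fnmatch.fnmatchcase(name, pat_name):
            return True
    return False


def looks_like_gif(header):
    """True if the first bytes of the file carry a GIF signature."""
    return header[:6] in GIF_MAGICS


def classify(path, header=b""):
    """Verdict for one file-creation event (hypothetical verdict names).

    'excluded'   - matches an exclusion and the content is the expected GIF
    'mismatch'   - matches an exclusion by name but is not a GIF: keep it visible
    'suspicious' - not covered by any exclusion
    """
    if not is_excluded(path):
        return "suspicious"
    if looks_like_gif(header):
        return "excluded"
    return "mismatch"


def triage(events):
    """Map each (path, first_bytes) event to its verdict."""
    return {path: classify(path, header) for path, header in events}


# Constructed sample events modelled on the three files in the ticket plus a few
# edge cases; the second element is the first bytes of each file.
SAMPLE_EVENTS = [
    (r"C:\WINDOWS\VGX17.tmp", b"GIF89a\x10\x00\x10\x00"),
    (r"C:\WINDOWS\VGX18.tmp", b"GIF87a\x10\x00\x10\x00"),
    (r"C:\WINDOWS\VGX19.tmp", b"MZ\x90\x00\x03\x00"),     # PE header, not a GIF
    (r"C:\WINDOWS\VGX\dropped.tmp", b"GIF89a"),             # subdirectory: not excluded
    (r"C:\WINDOWS\system32\VGX20.tmp", b"GIF89a"),          # wrong directory: not excluded
    (r"C:\WINDOWS\updater.exe", b"MZ\x90\x00\x03\x00"),
]

if __name__ == "__main__":
    for path, verdict in triage(SAMPLE_EVENTS).items():
        print(f"{verdict:<10} {path}")
```

Run as a script it prints one verdict per sample path; the two GIF-backed VGX files come out `excluded`, the PE-backed one `mismatch`, and the rest `suspicious`. The content check is cheap because only the first six bytes are needed, and it keeps the whitelist narrow without having to disable VGX.dll as the advisory suggests.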

Change History

03/25/08 20:40:03 changed by kindlund

  • status changed from new to closed.
  • resolution set to worksforme.

Updated exclusion list, r1387.
