Asked by rpgeegange

Bypass firewall using images

I'm new to network administration. I have seen some files coming from the internet into our trusted company network as images. When I view these files they display lots of dots, and they are rendered as valid image files as well.

How can I detect and stop this without stopping the entire web site which hosts the particular images?

I think we use a Checkpoint firewall.

Tags: Web Applications, Security, Software Firewalls

Last comment: 8/22/2022 (Mon)
Patrick Bogers


Could you be a little more precise about what is happening?
Are the images being uploaded through a web application, or ...?
Where are the images being stored, and in what format?

Hi Patricksr1972,
Thanks for the reply.
These images are stored on free image hosting sites and downloaded by some program from inside the network.
These images are in PNG format. I'm not sure whether it is using steganography.
Patrick Bogers

OK, and where are they stored? A share or someone's home directory?

What are you thinking? Is it some sort of malware?

I'm not sure whether it is malware or not, because I can see a dotted image in it. They were stored in "My Documents".
It could be like this: malware converts its components to an image, gets them through the firewall, and then decodes them again.

If it is malware, how can I stop it?
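The scenario described in the question (components smuggled inside a PNG that still renders normally) usually relies on the fact that image viewers ignore anything after the IEND chunk, skip ancillary chunks they do not recognise, and do not complain if the pixel stream is longer than the declared dimensions need. The following is an added example, not code from anyone in this thread, that builds a small constructed PNG and then walks its chunk list looking for exactly those structural oddities. It does not detect least-significant-bit steganography, where the payload lives in the pixel values themselves; for that you need statistical analysis, not structural checks.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG spec; anything else is worth a second look.
STANDARD_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA",
                   b"iCCP", b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD",
                   b"hIST", b"pHYs", b"sPLT", b"tIME"}
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}  # colour type -> samples per pixel

def build_chunk(ctype, data):
    """Length + type + data + CRC32 over type and data, as the spec requires."""
    crc = zlib.crc32(ctype + data) & 0xffffffff
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def make_png(width, height, trailing=b"", extra_chunk=None):
    """Constructed test image (8-bit RGB, all black), optionally with smuggled data."""
    raw = (b"\x00" + b"\x00" * (3 * width)) * height  # filter byte 0 + RGB per row
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    chunks = [build_chunk(b"IHDR", ihdr)]
    if extra_chunk is not None:
        chunks.append(build_chunk(*extra_chunk))
    chunks += [build_chunk(b"IDAT", zlib.compress(raw)), build_chunk(b"IEND", b"")]
    return PNG_SIG + b"".join(chunks) + trailing

def inspect_png(blob):
    """Walk the chunk list and report structural oddities a viewer would ignore."""
    findings = []
    if not blob.startswith(PNG_SIG):
        return {"valid": False, "chunks": [], "findings": ["not a PNG signature"]}
    pos = len(PNG_SIG)
    chunks, idat, header = [], b"", None
    while pos + 12 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 12 + length
        if end > len(blob):
            findings.append("truncated chunk %r" % ctype)
            return {"valid": False, "chunks": chunks, "findings": findings}
        data = blob[pos + 8:pos + 8 + length]
        crc, = struct.unpack(">I", blob[pos + 8 + length:end])
        if zlib.crc32(ctype + data) & 0xffffffff != crc:
            findings.append("CRC mismatch in %r" % ctype)
        if ctype not in STANDARD_CHUNKS:
            findings.append("non-standard chunk %r (%d bytes)" % (ctype, length))
        if ctype == b"IHDR" and not chunks:
            header = struct.unpack(">IIBB", data[:10])  # width, height, depth, colour type
        if ctype == b"IDAT":
            idat += data
        chunks.append(ctype)
        pos = end
        if ctype == b"IEND":
            break
    trailing = len(blob) - pos
    if chunks[-1:] != [b"IEND"]:
        findings.append("no IEND chunk")
    elif trailing:
        findings.append("%d bytes after IEND" % trailing)  # viewers never read these
    if header is None:
        findings.append("IHDR missing or not first")
    elif header[2] == 8 and header[3] in CHANNELS:
        expected = header[1] * (1 + header[0] * CHANNELS[header[3]])
        try:
            actual = len(zlib.decompress(idat))
            if actual != expected:
                findings.append("IDAT decompresses to %d bytes, expected %d" % (actual, expected))
        except zlib.error:
            findings.append("IDAT does not decompress")
    return {"valid": True, "chunks": chunks, "findings": findings}

if __name__ == "__main__":
    print(inspect_png(make_png(4, 4)))
    print(inspect_png(make_png(4, 4, trailing=b"MZ" + b"\x00" * 30)))
    print(inspect_png(make_png(2, 2, extra_chunk=(b"stEg", b"hidden payload"))))
```

Run it over the files in the affected "My Documents" folder (or hook it into an ICAP-style inspection point) and treat anything with trailing bytes, unknown chunks, or an oversized pixel stream as a candidate for further analysis rather than as proof of malware; legitimate tools occasionally leave harmless junk after IEND, so this is a triage filter, not a verdict.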
Patrick Bogers


You could download Malwarebytes and run a full scan; you will know soon enough.

How can I block images like this? Are there such ways? I have read about this regarding image blocking mechanisms. How does this technology work? Will it help me?

Craig Beck

You need a UTM device or firewall which can do AV scanning.

Besides the below, to check on the machine that downloaded the potentially malicious content:

Indeed, some traditional FWs do ICAP, meaning they send files such as images to an anti-virus server, supposedly to offload performance and this capability off-box. However, there can be limits on file size, delays, and false positives from corrupted files choking the entry check. Traditional FWs cannot keep up, hence next-gen FWs and UTM-based FWs gain traction and bigger appeal. There are application delivery controllers that do this too. In all, you are looking at deep content inspection with anti-malware or bot checks, coupled with real-time threat feeds and content filtering to prevent users reaching bad sites, where possible.

Checkpoint's software blades technology is their move into UTM. They are a keen competitor to Palo Alto, which seems to have started the NGFW "trend". Anti-APT is all said to be preventive for the hard sell... nonetheless, you can check this blade and others associated with it in the Checkpoint portfolio.

It also couples with a content filter or proxy like the Websense gateway... but as a whole, the endpoint serves as the next layer if the image bypasses and evades. Password-protected or obfuscated files easily avoid detection, hence breach detection devices came into the picture, like FireEye, XPS, NetWitness, Solera etc. Layered checks, and no one size fits all... in simple takeaway.

Hi, this kind of reminds me of 3D stereograms.
Stereograms are 3D images hidden within another picture.

Is this what you are typically seeing?
Can you determine who is downloading them?
On Sep 15, 2004, Microsoft's monthly security update was highlighted by a JPEG-handling vulnerability that could allow pictures in the format to provide remote code execution.
But that was patched way back then.
Do you have Microsoft's Malicious Software Removal Tool updated from Windows Update?

There is no single good foolproof solution, as eventually we are going beyond signature-based detection. You can catch this


What can be done? I believe a key perspective to dealing with this evasion technique is to better understand the suspicious nature of the file transfer. Consider it "contextual awareness". Despite not being able to dissect and analyze the malicious binary directly, understanding the context of its transport will likely provide enough circumstantial evidence to arrive at a comfortable conclusion as to the maliciousness of the binary.
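The "contextual awareness" point above maps onto something you can actually run against proxy or firewall logs: a real user fetching a picture from an image host does it from a browser, a handful of times, at irregular moments; a downloader program fetches from the same host with a scripting user-agent, repeatedly, often on a timer. The following is an added example, not code from this thread or from any vendor product, that scores clients on that context alone. The log format, the hostname list and the user-agent tokens are all assumptions; the sample lines are constructed for the example and would need to be replaced by your own proxy's format.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample lines in a simplified proxy-log format (not taken from the thread):
# timestamp client method url status bytes content-type "user-agent"
SAMPLE_LOG = """\
2013-05-10T09:00:00 10.1.2.30 GET http://i.imgur.com/a1b2c3.png 200 48213 image/png "Python-urllib/2.7"
2013-05-10T09:03:12 10.1.2.44 GET http://i.imgur.com/cat.png 200 120311 image/png "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.31 Chrome/26.0"
2013-05-10T09:04:50 10.1.2.44 GET http://www.example.com/index.html 200 5120 text/html "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.31 Chrome/26.0"
2013-05-10T09:05:00 10.1.2.30 GET http://i.imgur.com/d4e5f6.png 200 48377 image/png "Python-urllib/2.7"
2013-05-10T09:07:00 10.1.2.51 GET http://i.imgur.com/z.png 200 9000 image/png "Wget/1.14"
2013-05-10T09:10:00 10.1.2.30 GET http://i.imgur.com/g7h8i9.png 200 48290 image/png "Python-urllib/2.7"
"""

# Assumption: a list of free image-hosting domains that you maintain yourself.
IMAGE_HOSTS = {"i.imgur.com", "imgur.com", "postimg.cc", "tinypic.com"}
# Assumption: a real browser announces itself with at least one of these tokens.
BROWSER_MARKERS = ("Mozilla/", "Chrome/", "Firefox/", "Safari/", "MSIE")

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d+) (\d+) (\S+) "([^"]*)"$')

def parse_line(line):
    """Split one log line into fields; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, url, status, size, ctype, ua = m.groups()
    return {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), "client": client,
            "host": urlparse(url).hostname or "", "status": int(status),
            "bytes": int(size), "ctype": ctype, "ua": ua}

def is_contextually_suspicious(rec):
    """An image served by a free image host to something that is not a browser."""
    return (rec["status"] == 200
            and rec["ctype"].startswith("image/")
            and rec["host"] in IMAGE_HOSTS
            and not any(tok in rec["ua"] for tok in BROWSER_MARKERS))

def find_suspicious_clients(lines, min_hits=3, window_minutes=15, jitter_s=5):
    """Return {client: {"hits": n, "regular_interval_s": secs or None}} for clients
    with at least min_hits suspicious fetches inside any window_minutes window.
    regular_interval_s is set when the fetches are evenly spaced (timer-driven)."""
    per_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_contextually_suspicious(rec):
            per_client[rec["client"]].append(rec["time"])
    flagged = {}
    window = window_minutes * 60
    for client, times in per_client.items():
        times.sort()
        best = max(sum(1 for t in times[i:] if (t - start).total_seconds() <= window)
                   for i, start in enumerate(times))
        if best < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        regular = None
        if gaps and max(gaps) - min(gaps) <= jitter_s:
            regular = int(round(sum(gaps) / len(gaps)))
        flagged[client] = {"hits": len(times), "regular_interval_s": regular}
    return flagged

if __name__ == "__main__":
    for client, info in find_suspicious_clients(SAMPLE_LOG.splitlines()).items():
        print(client, info)
```

On the constructed sample, 10.1.2.30 is flagged (three non-browser PNG fetches from an image host, exactly 300 seconds apart), while 10.1.2.44 is not (browser, and the same host) and 10.1.2.51 is not (a single wget). The user-agent check is trivially spoofable, so the timing regularity and the volume per host are the signals that survive; the point is to identify the downloading machine so it can be isolated and examined, without blocking the whole image-hosting site for everyone.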
