As a secondary line of defence, we use the Windows Ressource Manager to monitor file creation on our network shares. Every extension that is not whitelisted blocks further network access.
Just recently we observed a false positive when a user saved a screenshot. Turned out that the user replaced the proposed file name with something like "test", but without a file extension. As the file type was set to PNG, the file should have been created as "test.png".
Seems like XnView first creates the file as "test" (triggering the filter), and only afterwards renames the file to "test.png".
Can this be changed or is there a specific reason for this behaviour?
Lars
File creation triggers ransomware filter
Moderators: helmut, XnTriq, xnview