Attachments - packed files

Julian Field mailscanner at ecs.soton.ac.uk
Mon Mar 3 19:16:33 GMT 2003


At 17:47 03/03/2003, you wrote:
>Julian Field <mailscanner at ECS.SOTON.AC.UK> wrote ..
> > At 15:37 03/03/2003, you wrote:
> > >         I want to just make sure that MailScanner doesn't unpack
> > >attachments with a corresponding external program. Why am I asking?
> > >Some antivirus scanners aren't perfect and I want to unpack all the
> > >compressed attachments for them and then let them scan the unpacked
> > >files. Has anybody written such a hack or his own antivirus wrapper?
> >
> > All the decent anti-virus programs unpack every common archive format
> > already. If your scanning engine doesn't unpack archives, then I suggest
> > you buy a better one :-)
> > You are quite correct, MailScanner doesn't unpack archives (as it doesn't
> > need to).
> > --
> > Julian Field
> > www.MailScanner.info
> > MailScanner thanks transtec Computers for their support
>
>To be honest, even those decent antivirus programs aren't perfect.
>The majority of the programs are black boxes, you just believe that
>it works. MailScanner is a nice program and maybe it would be nice
>to have a separate layer for unpacking, where you can control for
>example the nesting depth and prevent various DoS attacks.

MailScanner is already protected against this type of DoS attack. The
famous "zip of death" causes no problem at all.

>  Then you
>just keep the unpacking utilities up-to-date. I'm surprised that
>nobody has attempted to program such a thing.

It's actually quite difficult, as you can't rely on the filename to be
honest about the compression type, so you would have to try all the
decompressors in turn and find which one works. And then you open yourself
up to all sorts of attacks including malicious filenames in the archives
which the decompressors don't check properly. Keeping it all in the memory
of the virus scanner is a *whole lot* safer.

And the decent virus scanners can unpack virtually everything that a user
can unpack.
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
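
Added example, not part of the original message and not MailScanner code: a sketch of the checks a separate unpacking layer would need, covering the points raised in the thread (type detection from content rather than filename, member-name validation, nesting depth, expanded size), with everything kept in memory. The function names, limits and sample archive are assumptions made for this illustration.

```python
import io
import zipfile

# Magic-byte signatures; the attachment's filename is never consulted.
MAGIC = {b"PK\x03\x04": "zip", b"\x1f\x8b": "gzip", b"BZh": "bzip2", b"Rar!": "rar"}

def sniff_type(data):
    """Identify the container from its leading bytes, or None if unknown."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return None

def unsafe_name(name):
    """True for member names that would escape an extraction directory."""
    parts = name.replace("\\", "/").split("/")
    return name.startswith(("/", "\\")) or ".." in parts or (len(name) > 1 and name[1] == ":")

def audit_zip(data, depth=0, max_depth=3, max_total=50 * 2**20):
    """Inspect a zip entirely in memory; return a list of findings."""
    if depth > max_depth:
        return ["nesting deeper than %d levels" % max_depth]
    findings, budget = [], max_total
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if unsafe_name(info.filename):
                findings.append("unsafe member name: %r" % info.filename)
            with zf.open(info) as member:
                body = member.read(budget + 1)  # bounded read; header sizes are not trusted
            budget -= len(body)
            if budget < 0:
                findings.append("expanded size exceeds %d bytes" % max_total)
                return findings
            if sniff_type(body) == "zip":  # a nested archive gets only the remaining budget
                findings.extend(audit_zip(body, depth + 1, max_depth, budget))
    return findings

def make_sample():
    """Constructed sample: a traversal-style name, a misnamed nested zip, a compressible blob."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("readme.txt", "hello")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("../../tmp/evil.txt", "x")
        zf.writestr("holiday.jpg", inner.getvalue())  # extension lies about the content
        zf.writestr("zeros.bin", b"\0" * 200000)
    return outer.getvalue()
```
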


