Attachments - packed files

Craig Pratt craig at STRONG-BOX.NET
Mon Mar 3 20:20:11 GMT 2003


I just tested RAV AV with the infamous 42.zip file and it doesn't seem
to faze it.

It must incorporate some kind of heuristic to limit how much archive
decompression it does. The output it produces is:

   RAV AntiVirus command line for Linux i686.
   Version: 8.3.1.
   Copyright (c) 1996-2001 GeCAD The Software Company. All rights reserved.

   Scan engine 8.11 for i386.
   Last update: Mon Mar  3 09:18:44 2003
   Scanning for 77551 malwares (viruses, trojans and worms).

   Scan started on Mon Mar  3 12:09:36 2003

   42.zip  - OK
   42.zip->lib 3.zip       - OK
   42.zip->lib 3.zip->book 3.zip   - OK
   42.zip->lib 3.zip->book 3.zip->chapter 4.zip    - OK
   42.zip->lib 3.zip->book 3.zip->chapter 4.zip->doc 0.zip - OK

   Scan ended on Mon Mar  3 12:09:36 2003

   Scan results:
   Time: 0 second(s).
   Objects scanned: 5. New objects: 5
   Infected: 0. Different virus bodies: 0.
   Files: 1. Directories: 0. Archives: 5. Packed: 0. Mail files: 0.
   Warnings: 0.

Yet it does work with a nasty zip I created with 3 EICAR test files:

   eicar.zip.zip.zip.zip   - OK
   eicar.zip.zip.zip.zip->eicar.com        Infected: EICAR_Test_File
   eicar.zip.zip.zip.zip->eicar.zip.zip.zip        - OK
   eicar.zip.zip.zip.zip->eicar.zip.zip.zip->eicar.zip.zip - OK
   eicar.zip.zip.zip.zip->eicar.zip.zip.zip->eicar.zip.zip->eicar.zip - OK
   eicar.zip.zip.zip.zip->eicar.zip.zip.zip->eicar.zip.zip->eicar.zip->eicar.com  Infected: EICAR_Test_File
   eicar.zip.zip.zip.zip->eicar.zip.zip.zip->eicar.com     Infected: EICAR_Test_File

Time: real    0m1.440s  user    0m1.330s        sys     0m0.090s

So I'd say RAV's doing a good job - FWIW.

Craig

On Monday, March 3, 2003, at 12:02  PM, Simon Dick wrote:
> On Mon, 2003-03-03 at 19:16, Julian Field wrote:
>> At 17:47 03/03/2003, you wrote:
>>> Julian Field <mailscanner at ECS.SOTON.AC.UK> wrote ..
>>>> At 15:37 03/03/2003, you wrote:
>>>>>         I want to just make sure that MailScanner doesn't unpack
>>>>> attachments with a corresponding external program. Why am I asking?
>>>>> Some antivirus scanners aren't perfect and I want to unpack all the
>>>>> compressed attachments for them and then let them scan the unpacked
>>>>> files. Has anybody written such hack or his own antivirus wrapper?
>>>>
>>>> All the decent anti-virus programs unpack every common archive format
>>>> already. If your scanning engine doesn't unpack archives, then I suggest
>>>> you buy a better one :-)
>>>> You are quite correct, MailScanner doesn't unpack archives (as it doesn't
>>>> need to).
>>>> --
>>>> Julian Field
>>>> www.MailScanner.info
>>>> MailScanner thanks transtec Computers for their support
>>>
>>> To be honest, even those decent antivirus programs aren't perfect.
>>> The majority of the programs are black boxes, you just believe that
>>> it works. MailScanner is a nice program and maybe it would be nice
>>> to have a separate layer for unpacking, where you can control for
>>> example the nesting depth and prevent various DoS attacks.
>>
>> MailScanner is already protected against this type of DoS attack. The
>> famous "zip of death" causes no problem at all.
>
> Until you get to the virus scanners checking it, I've tried that 42.zip
> file with my install of mailscanner (not the latest version now, but it
> was at the time) and both f-prot and clamav used most of the cpu time.
> Shame there's no way to detect the zip file before passing it through
> :|
>
> --
> Simon Dick <simon at advantage-interactive.com>
>
> --
> This message checked for dangerous content by MailScanner on StrongBox.
>


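The two wishes voiced in this thread, a layer that controls nesting depth before the scanner sees an attachment, and some way to detect a file like 42.zip before passing it through, can be met with a small pre-scan. The following is an added example, not code from MailScanner, RAV, or anyone on this list. It walks a ZIP held in memory using the sizes declared in each archive's central directory, recurses only into members whose first bytes are a ZIP local-file header, and stops as soon as one of three budgets is exceeded: nesting depth, total declared uncompressed size, or a single member's compression ratio. The limits, the `make_nested_zip` fixture and the sample payloads are all constructed for the example.

```python
"""Pre-scan a ZIP attachment for nesting depth and expansion size.

Added example, not code from MailScanner, RAV, or anyone in this thread.
The walk uses the sizes declared in each archive's central directory, so it
never inflates a member in full unless that member is itself an archive, and
it stops as soon as one of three constructed budgets is exceeded: nesting
depth, total declared uncompressed size, or per-member compression ratio.
"""
import io
import zipfile
from dataclasses import dataclass, field

ZIP_MAGIC = b"PK\x03\x04"   # local file header that starts a non-empty zip


@dataclass
class ArchiveReport:
    depth_reached: int = 0         # deepest archive level actually opened
    members: int = 0               # file members seen across all levels
    total_uncompressed: int = 0    # sum of declared uncompressed sizes
    problems: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.problems)


def inspect_zip_bytes(data, max_depth=4, max_total=64 * 1024 * 1024,
                      max_ratio=100, _depth=1, _report=None):
    """Walk `data` (a zip held in memory) and return an ArchiveReport.

    The default limits are constructed values for this example; tune them to
    the largest legitimate archive your site expects to receive.
    """
    report = _report if _report is not None else ArchiveReport()
    report.depth_reached = max(report.depth_reached, _depth)
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        report.problems.append(f"level {_depth}: not a readable zip")
        return report
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            report.members += 1
            report.total_uncompressed += info.file_size
            if report.total_uncompressed > max_total:
                report.problems.append(
                    f"level {_depth}: declared uncompressed total exceeds "
                    f"{max_total} bytes")
                return report   # budget blown, stop walking
            ratio = info.file_size / max(info.compress_size, 1)
            if ratio > max_ratio:
                report.problems.append(
                    f"level {_depth}: {info.filename!r} expands {ratio:.0f}:1, "
                    f"limit is {max_ratio}:1")
            # Decide by content, not by filename: read just the first 4 bytes.
            try:
                with zf.open(info) as member:
                    head = member.read(len(ZIP_MAGIC))
            except zipfile.BadZipFile:
                report.problems.append(
                    f"level {_depth}: {info.filename!r} is corrupt")
                continue
            if head != ZIP_MAGIC:
                continue
            if _depth + 1 > max_depth:
                report.problems.append(
                    f"level {_depth}: {info.filename!r} would exceed nesting "
                    f"depth {max_depth}")
                continue
            # Declared sizes can lie, so cap the actual inflation as well.
            with zf.open(info) as member:
                inner = member.read(max_total)
            inspect_zip_bytes(inner, max_depth, max_total, max_ratio,
                              _depth + 1, report)
            if report.total_uncompressed > max_total:
                return report
    return report


def make_nested_zip(levels, payload, name="doc.txt"):
    """Constructed test fixture: `payload` wrapped in `levels` zip archives."""
    data, member_name = payload, name
    for level in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(member_name, data)
        data, member_name = buf.getvalue(), f"level{level + 1}.zip"
    return data


if __name__ == "__main__":
    samples = {
        "flat note": make_nested_zip(1, b"hello, a harmless note\n"),
        "six levels deep": make_nested_zip(6, b"x" * 10),
        "4 MiB of zeros": make_nested_zip(2, b"\0" * (4 * 1024 * 1024)),
    }
    for label, blob in samples.items():
        r = inspect_zip_bytes(blob)
        print(f"{label}: depth={r.depth_reached} members={r.members} "
              f"uncompressed={r.total_uncompressed} suspicious={r.suspicious}")
        for p in r.problems:
            print("   ", p)
```

A wrapper that calls the scanner would run `inspect_zip_bytes` on each archive attachment first and quarantine anything whose report is `suspicious`, so the scanner only ever inflates archives that fit the site's budget. The nesting check keys on the member's leading bytes rather than its extension, because a nested archive need not be named `.zip`; the ratio check is what catches a single highly compressible member even when the depth is shallow.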
