Attachments - packed files

Julian Field mailscanner at ecs.soton.ac.uk
Mon Mar 3 20:41:18 GMT 2003


At 20:20 03/03/2003, you wrote:
>I just tested RAV AV with the infamous 42.zip file and it doesn't seem
>to faze it.

Great. The other ones tend to consume CPU time until MailScanner comes
along and kills them for taking too long.


>It must incorporate some kind of heuristic to limit how much archive
>decompression it does. The output it produces is:
>
>   RAV AntiVirus command line for Linux i686.
>   Version: 8.3.1.
>   Copyright (c) 1996-2001 GeCAD The Software Company. All rights reserved.
>
>   Scan engine 8.11 for i386.
>   Last update: Mon Mar  3 09:18:44 2003
>   Scanning for 77551 malwares (viruses, trojans and worms).
>
>   Scan started on Mon Mar  3 12:09:36 2003
>
>   42.zip  - OK
>   42.zip->lib 3.zip       - OK
>   42.zip->lib 3.zip->book 3.zip   - OK
>   42.zip->lib 3.zip->book 3.zip->chapter 4.zip    - OK
>   42.zip->lib 3.zip->book 3.zip->chapter 4.zip->doc 0.zip - OK
>
>   Scan ended on Mon Mar  3 12:09:36 2003
>
>   Scan results:
>   Time: 0 second(s).
>   Objects scanned: 5. New objects: 5
>   Infected: 0. Different virus bodies: 0.
>   Files: 1. Directories: 0. Archives: 5. Packed: 0. Mail files: 0.
>   Warnings: 0.
>
>Yet it does work with a nasty zip I created with 3 EICAR test files:
>
>   eicar.zip.zip.zip.zip   - OK
>   eicar.zip.zip.zip.zip->eicar.com        Infected: EICAR_Test_File
>   eicar.zip.zip.zip.zip->eicar.zip.zip.zip        - OK
>   eicar.zip.zip.zip.zip->eicar.zip.zip.zip->eicar.zip.zip - OK
>   eicar.zip.zip.zip.zip->eicar.zip.zip.zip->eicar.zip.zip->eicar.zip - OK
>   eicar.zip.zip.zip.zip->eicar.zip.zip.zip->eicar.zip.zip->eicar.zip->eicar.com  Infected: EICAR_Test_File
>   eicar.zip.zip.zip.zip->eicar.zip.zip.zip->eicar.com     Infected: EICAR_Test_File
>
>Time: real    0m1.440s  user    0m1.330s        sys     0m0.090s
>
>So I'd say RAV's doing a good job - FWIW.
>
>Craig
>
>On Monday, March 3, 2003, at 12:02  PM, Simon Dick wrote:
>>On Mon, 2003-03-03 at 19:16, Julian Field wrote:
>>>At 17:47 03/03/2003, you wrote:
>>>>Julian Field <mailscanner at ECS.SOTON.AC.UK> wrote ..
>>>>>At 15:37 03/03/2003, you wrote:
>>>>>>I want to just make sure that MailScanner doesn't unpack
>>>>>>attachments with a corresponding external program. Why am I asking?
>>>>>>Some antivirus scanners aren't perfect and I want to unpack all the
>>>>>>compressed attachments for them and then let them scan the unpacked
>>>>>>files. Has anybody written such hack or his own antivirus wrapper?
>>>>>
>>>>>All the decent anti-virus programs unpack every common archive format
>>>>>already. If your scanning engine doesn't unpack archives, then I suggest
>>>>>you buy a better one :-)
>>>>>You are quite correct, MailScanner doesn't unpack archives (as it doesn't
>>>>>need to).
>>>>>--
>>>>>Julian Field
>>>>>www.MailScanner.info
>>>>>MailScanner thanks transtec Computers for their support
>>>>
>>>>To be honest, even those decent antivirus programs aren't perfect.
>>>>The majority of the programs are black boxes, you just believe that
>>>>it works. MailScanner is a nice program and maybe it would be nice
>>>>to have a separate layer for unpacking, where you can control for
>>>>example the nesting depth and prevent various DoS attacks.
>>>
>>>MailScanner is already protected against this type of DoS attack. The
>>>famous "zip of death" causes no problem at all.
>>
>>Until you get to the virus scanners checking it, I've tried that 42.zip
>>file with my install of mailscanner (not the latest version now, but it
>>was at the time) and both f-prot and clamav used most of the cpu time.
>>Shame there's no way to detect the zip file before passing it through :|
>>
>>--
>>Simon Dick <simon at advantage-interactive.com>
>>
>>--
>>This message checked for dangerous content by MailScanner on StrongBox.

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
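Simon's wish for a way to detect the zip of death before it reaches the scanners, and the earlier suggestion of an unpacking layer where the nesting depth can be controlled, can both be met by inspecting an archive's central-directory metadata before decompressing anything, and by refusing to descend once a depth, member-count, declared-size or compression-ratio limit is hit. The script below is an added example, not MailScanner's code or anything posted by the list members; the limit values, the helper names (`check_archive`, `nest`) and the three in-memory sample archives are assumptions constructed for illustration.

```python
import io
import zipfile

# Illustrative limits a mail gateway could enforce before an archive is handed
# to an AV engine. These values are assumptions for this example, not
# MailScanner's own settings.
MAX_DEPTH = 3                        # archives nested inside archives (outermost is 0)
MAX_MEMBERS = 1000                   # members counted across all levels
MAX_TOTAL_BYTES = 50 * 1024 * 1024   # sum of declared uncompressed sizes
MAX_RATIO = 100                      # declared uncompressed / compressed, per member

ZIP_MAGIC = b"PK\x03\x04"            # local file header of a non-empty zip


class ArchiveLimitExceeded(Exception):
    """Raised as soon as a limit is hit, so nothing further is unpacked."""


def _walk(data, depth, stats):
    if depth > MAX_DEPTH:
        raise ArchiveLimitExceeded(f"nesting deeper than {MAX_DEPTH} levels")
    stats["max_depth"] = max(stats["max_depth"], depth)
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        raise ArchiveLimitExceeded(f"unreadable zip: {exc}")
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            stats["members"] += 1
            if stats["members"] > MAX_MEMBERS:
                raise ArchiveLimitExceeded(f"more than {MAX_MEMBERS} members")
            # These checks use central-directory fields only; no decompression yet.
            stats["declared_bytes"] += info.file_size
            if stats["declared_bytes"] > MAX_TOTAL_BYTES:
                raise ArchiveLimitExceeded(
                    f"declared size exceeds {MAX_TOTAL_BYTES} bytes")
            if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                raise ArchiveLimitExceeded(
                    f"compression ratio above {MAX_RATIO}:1 for {info.filename!r}")
            # Decide by magic bytes, not by a .zip suffix, whether to descend.
            with zf.open(info) as member:
                head = member.read(len(ZIP_MAGIC))
                if head != ZIP_MAGIC:
                    continue
                # Read at most the declared size plus one byte: a header that
                # lies about its size is itself a reason to stop.
                remaining = max(info.file_size - len(head), 0) + 1
                inner = head + member.read(remaining)
            if len(inner) > info.file_size:
                raise ArchiveLimitExceeded(f"{info.filename!r} larger than declared")
            _walk(inner, depth + 1, stats)


def check_archive(data):
    """Return ("ok", stats) or (reason, stats); never unpacks past the limits."""
    stats = {"max_depth": 0, "members": 0, "declared_bytes": 0}
    try:
        _walk(data, 0, stats)
    except ArchiveLimitExceeded as exc:
        return str(exc), stats
    return "ok", stats


def nest(payload, name, levels):
    """Wrap payload in `levels` zip files, innermost first (constructed test data)."""
    data, inner_name = payload, name
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(inner_name, data)
        data, inner_name = buf.getvalue(), f"level{i + 1}.zip"
    return data


# Constructed samples: a harmless two-level archive, a 42.zip-style deep nest,
# and a small archive whose inner member expands to 5 MiB of zeros.
BENIGN = nest(b"hello world\n", "hello.txt", 2)
TOO_DEEP = nest(b"hello world\n", "hello.txt", 6)
HIGH_RATIO = nest(b"\0" * (5 * 1024 * 1024), "zeros.bin", 2)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("too deep", TOO_DEEP),
                          ("high ratio", HIGH_RATIO)):
        verdict, stats = check_archive(sample)
        print(f"{label:11s} -> {verdict} {stats}")
```

The ratio and total-size checks rely on sizes the sender wrote into the archive, so they are a first line of defence only; the bounded `read()` of the declared size plus one byte is what catches a member whose header lies. A gateway that runs this walk first can quarantine or reject the message instead of handing the archive to an engine that would spend its CPU time until it is killed.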