Feature Request

Jan-Peter Koopmann Jan-Peter.Koopmann at SECEIDOS.DE
Tue Nov 4 13:36:30 GMT 2003


Hi Julian,

I have a feature request. Not sure if and how this can be done but why
not dream about it... :-)

Some viruses obviously start using "wrong" zip files. CRC does not match
and similar things. Today I received some customer complaints that
readnow.zip came through. I analyzed the file a bit and it was only 128
bytes long. Windows XP unzip does not say anything, unzip says things
like

proxy:/tmp # unzip readnow.zip 
Archive:  readnow.zip
warning [readnow.zip]:  3 extra bytes at beginning or within zipfile
  (attempting to process anyway)
file #1:  bad zipfile offset (local header sig):  3
  (attempting to re-compensate)
 extracting: readnow.doc.scr         

Moreover "wrong" ZIP files might not extract with unzip (and therefore
clamav etc. might not catch them) but Windows XP will unzip them without
complaints.

What if we test archives and consider them "Dangerous Contents" (or
similar) when they do not check out (CRC, unzip impossible etc.)? 

Regards,
  JP
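
An added example, not part of the original message and not MailScanner code: a strict archive check of the kind the request describes, which flags a ZIP when its central directory does not line up with the end record (the "extra bytes" case in the unzip output above) or when a member fails its CRC. The names check_zip and verdict, the policy mapping, and the sample archives are assumptions constructed for illustration; Python's zipfile module stands in for the scanner's unpacker.

```python
import io
import struct
import zipfile
import zlib

EOCD_SIG = b"PK\x05\x06"  # end-of-central-directory signature

def check_zip(data: bytes) -> list:
    """Return the reasons an archive fails strict validation (empty list = clean)."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0 or len(data) - eocd < 22:
        return ["no end-of-central-directory record"]
    # The central directory must end exactly where the EOCD record begins;
    # any gap means bytes were added in front of or inside the archive.
    cd_size, cd_offset = struct.unpack_from("<2L", data, eocd + 12)
    problems = []
    extra = eocd - (cd_offset + cd_size)
    if extra != 0:
        problems.append(f"{extra} extra bytes at beginning or within zipfile")
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            bad = zf.testzip()  # reads every member and verifies its CRC-32
            if bad is not None:
                problems.append(f"CRC mismatch in member {bad}")
    except (zipfile.BadZipFile, zlib.error, NotImplementedError, RuntimeError) as exc:
        problems.append(f"cannot be unpacked: {exc}")
    return problems

def verdict(data: bytes) -> str:
    """Hypothetical policy mapping: any failed check is treated as dangerous."""
    return "Dangerous Contents" if check_zip(data) else "clean"

def _build_sample() -> bytes:
    # Constructed, harmless archive reusing the member name from the message.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("readnow.doc.scr", b"constructed sample payload")
    return buf.getvalue()

CLEAN = _build_sample()
PREPENDED = b"\x00\x00\x00" + CLEAN                 # 3 stray leading bytes
BAD_CRC = CLEAN.replace(b"payload", b"PAYLOAD", 1)  # data no longer matches CRC

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("prepended", PREPENDED), ("bad crc", BAD_CRC)):
        print(name, verdict(blob), check_zip(blob))
```

The structural check runs on the raw bytes before the unpacker is called, because a tolerant unpacker compensates for the shifted offsets and would otherwise report nothing.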



