Blocking exe's, pif's, etc inside Zip file

Denis Beauchemin Denis.Beauchemin at USHERBROOKE.CA
Thu Feb 26 20:10:24 GMT 2004


On Thu 26/02/2004 at 12:03, Julian Field wrote:
> This is something I have started to look at. One of the problems is working
> out how it can be attacked and how best to handle the attacks.
> 
> I would like to be able to check all the names in all the zip files that
> might be contained within further zip files, which could all be in 1 zip
> file attached to the message. If I check n levels down, someone will just
> pack their files in n+1 levels to beat me. Making sure that cannot be
> attacked is tricky.

Julian,

Ever since I told people that we might have to resort to blocking zip
files, I got angry answers.

People have many legitimate uses for zip files and blocking them because
viruses have started to travel that way seems to be a major irritant
around here.

I had to block them on Monday night for 3-4 hours because I was afraid
of Mydoom.f (shouldn't have been since I had the extra.dat in place
to detect it) and during that time about 10 people asked for quarantined
zip files (many were students turning in homework).

I think that exploring a small number of levels of zip recursion would
be sufficient.  Zip files that recurse more deeply should simply be
quarantined.  Of course the level could be user-selectable but I think
that 5 could be enough for many.

Thanks again for taking the time to look into this ongoing project that
saves our lives every day!

Denis
-- 
Denis Beauchemin, analyst
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045
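
The policy discussed in this message (check names a bounded number of levels down, quarantine anything nested deeper) can be sketched as follows. This is an added example, not MailScanner's code and not part of the original post; `scan_zip`, `nest`, the extension list and the per-member size cap are assumptions made for illustration.

```python
import io
import zipfile

BLOCKED_EXTS = (".exe", ".pif", ".scr", ".com", ".bat")  # assumed deny-list
MAX_DEPTH = 5                  # the level suggested in the message above
MAX_MEMBER_BYTES = 20 * 2**20  # assumed per-member cap against zip bombs

def scan_zip(data, depth=1, max_depth=MAX_DEPTH):
    """Return ("block", name), ("quarantine", reason) or ("pass", None)."""
    if depth > max_depth:
        return ("quarantine", f"nested more than {max_depth} levels deep")
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ("quarantine", "unreadable zip")
    verdict = ("pass", None)
    with zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(BLOCKED_EXTS):
                return ("block", info.filename)  # a blocked name wins outright
            if info.file_size > MAX_MEMBER_BYTES:
                verdict = ("quarantine", f"{info.filename} too large to inspect")
                continue
            try:
                body = zf.read(info)
            except Exception:  # encrypted, corrupt or unsupported: fail closed
                verdict = ("quarantine", f"cannot read {info.filename}")
                continue
            # Recognise nested archives by content, not by their extension.
            if zipfile.is_zipfile(io.BytesIO(body)):
                inner = scan_zip(body, depth + 1, max_depth)
                if inner[0] == "block":
                    return inner
                if inner[0] == "quarantine":
                    verdict = inner
    return verdict

def nest(name, payload, levels):
    """Constructed sample: wrap payload in `levels` layers of zip."""
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(name if i == 0 else f"layer{i}.zip", payload)
        payload = buf.getvalue()
    return payload

if __name__ == "__main__":
    for levels in (1, 5, 6):
        print(levels, scan_zip(nest("invoice.pif", b"MZ", levels)))
```

Because over-deep nesting is quarantined rather than passed, packing a file one level past the limit holds the message instead of evading the name check.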




More information about the MailScanner mailing list