HEADS UP - viruses in password protected zip files

Richard Lynch rich at MAIL.WVNET.EDU
Mon Mar 1 23:11:40 GMT 2004


Gene LeDuc wrote:

>Hi Kevin,
>
>My company has always blocked passworded zips.  If the gateway can't unzip the
>file, it gets blocked.  It's a brain-dead gateway, so I won't embarrass
>myself (by association) by saying what it is.
>
>On Monday 01 March 2004 02:05 am, Spicer, Kevin wrote:
>
>
>>This virus is spreading rapidly, we've seen it overnight (although not in
>>its password protected form - but we had no way of spotting that so it may
>>have got through).
>>
>>I'm now blocking zip files (making me not very popular this morning!).
>>
>>Time to start a discussion about ways to block password protected zip
>>files?
>>
>>
Kevin,  Did you find a way to block only password protected zips?  We've
seen a couple of hundred Bagle.F and Bagle.H incidents today.  An update
from McAfee started catching Bagle.F but not Bagle.H yet.  For now I'm
blocking all zips.  I'd like to just block the password protected ones
but haven't figured out a way to do it.  I suspect McAfee uses a
simplistic approach to detecting this.  I won't go into why I think this
for security reasons.  I do think we're rapidly heading towards
permanently restricted password protected zips.  If the content of any
type of file can't be validated then we'll have to restrict it.  So,
any idea how to do this?

--
Richard E. Lynch <rich at mail.wvnet.edu>
Systems Programming Manager
West Virginia Network (WVNET)
837 Chestnut Ridge Road
Morgantown, WV  26505
(304) 293-5192 x243
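
On the question above of blocking only password-protected zips, the following is an added example, not part of the original post and not MailScanner code: it reads each zip attachment's central directory, which needs no password, and checks general-purpose flag bit 0 (entry encrypted). The function names and the constructed sample message are assumptions; the "locked" sample only has the flag bit set, its payload is not really encrypted.

```python
import io
import struct
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

ENCRYPTED = 0x1  # ZIP general-purpose flag bit 0: entry is encrypted

def classify_zip(data: bytes) -> str:
    """Return 'encrypted', 'plain' or 'unreadable' for one zip attachment."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            # The central directory is readable without the password.
            flagged = any(i.flag_bits & ENCRYPTED for i in zf.infolist())
            return "encrypted" if flagged else "plain"
    except zipfile.BadZipFile:
        return "unreadable"  # cannot be inspected, so a gateway may block it too

def scan_message(raw: bytes) -> list:
    """Return (filename, verdict) for every .zip attachment in a raw message."""
    results = []
    for part in message_from_bytes(raw).walk():
        name = part.get_filename() or ""
        if name.lower().endswith(".zip"):
            body = part.get_payload(decode=True) or b""
            results.append((name, classify_zip(body)))
    return results

def make_zip(flagged: bool) -> bytes:
    """Constructed sample: one stored file, optionally with flag bit 0 set."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("note.txt", "constructed sample data")
    data = bytearray(buf.getvalue())
    if flagged:
        # Flags sit at offset 6 in the local header, 8 in the central header.
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(sig) + off
            old = struct.unpack_from("<H", data, pos)[0]
            struct.pack_into("<H", data, pos, old | ENCRYPTED)
    return bytes(data)

def sample_message() -> bytes:
    """Constructed message with a plain, a flagged and a corrupt attachment."""
    msg = EmailMessage()
    msg.set_content("constructed test message")
    for name, blob in (("plain.zip", make_zip(False)),
                       ("locked.zip", make_zip(True)), ("junk.zip", b"not a zip")):
        msg.add_attachment(blob, maintype="application", subtype="zip", filename=name)
    return msg.as_bytes()
```

A gateway policy can then block the "encrypted" and "unreadable" verdicts while letting "plain" archives go on to the virus scanner.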


