McAfee PROBLEM !!! (solved)

Denis Beauchemin Denis.Beauchemin at USHERBROOKE.CA
Wed Mar 3 18:58:53 GMT 2004


On Wed 03/03/2004 at 12:51, Rabellino Sergio wrote:
> Denis Beauchemin wrote:
> > On Wed 03/03/2004 at 12:14, Denis Beauchemin wrote:
> > 
> >>Many infected password-protected zip files passed through our McAfee AV
> >>(using 4332).  Nonetheless we detected 341 W32/Bagle.j at MM since
> >>midnight.
> >>On Wed 03/03/2004 at 11:34, Michael Baird wrote:
> >>
> >>>Good Question, Does DAT 4332 fix it, my understanding was that it
> >>>handled the unzipping and so forth, and MailScanner interpreted the
> >>>response, I'm looking for confirmation, I'm running an older version of
> >>>MailScanner (4.25-14 I believe), I hate to upgrade unless it's
> >>>necessary.
> > 
> > 
> > I've taken a look at the Bagle.j detected so far and none were in a zip
> > file (all were plain pif files).
> > 
> > So I'd say 4332 is definitely not catching any password-protected Bagle!
> > 
> > Denis
> As Bagle encrypts the virus itself in the zip with a random password, how can McAfee (or any other antivirus) catch a
> virus encrypted in 999999 different forms? (the password is 6 integer digits)

Sergio,

They can't unzip the file but they can compare its size and some
checksum they computed on infected zip files.

Denis
-- 
Denis Beauchemin, analyst
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045
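
Added example, not part of the original message and not any antivirus vendor's code: with traditional ZIP encryption the headers still carry each entry's name, uncompressed size and plaintext CRC-32, so a scanner can read them without the password. Matching on (size, CRC-32) is an assumed illustration of the idea in the reply above; all function names, the signature set and the sample archive are hypothetical and constructed here.

```python
import io
import zipfile
import zlib

ENCRYPTED = 0x1  # general-purpose flag bit 0: entry is encrypted


def encrypted_entry_metadata(zip_bytes):
    """Return (name, uncompressed_size, crc32) for each encrypted entry.

    Only the central directory is read, so no password is needed.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [(i.filename, i.file_size, i.CRC)
                for i in zf.infolist() if i.flag_bits & ENCRYPTED]


def matches_known(zip_bytes, known):
    """Return names of encrypted entries whose (size, crc32) is in `known`."""
    return [name for name, size, crc in encrypted_entry_metadata(zip_bytes)
            if (size, crc) in known]


def build_sample(payload, name="sample.pif"):
    """Constructed test input: a stored ZIP with the 'encrypted' flag set.

    The data is not really encrypted; only the header bit is patched, which
    is all the metadata reader above looks at.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    data[6] |= ENCRYPTED              # flags field of the local file header
    cd = data.find(b"PK\x01\x02")     # first central directory header
    data[cd + 8] |= ENCRYPTED         # flags field of the central directory
    return bytes(data)


PAYLOAD = b"constructed harmless payload\n" * 4
# Hypothetical signature set: (uncompressed size, CRC-32) of a known sample.
KNOWN = {(len(PAYLOAD), zlib.crc32(PAYLOAD) & 0xFFFFFFFF)}
SAMPLE = build_sample(PAYLOAD)

if __name__ == "__main__":
    print(encrypted_entry_metadata(SAMPLE))
    print(matches_known(SAMPLE, KNOWN))
```

A random password changes the ciphertext on every copy, but the size and CRC-32 fields describe the plaintext and stay the same as long as the enclosed file is byte-identical.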