No subject

Chris Trudeau chris at TRUDEAU.ORG
Wed Mar 3 20:15:39 GMT 2004


Sorry for the top post, but I found this on a Microsoft mailing list. Does
this avenue provide a possible solution?

<SNIP>
I've found that the A/V software does see the file within the ZIP archive,
but cannot process it because it does not recognize the extension.  When the
archive is password protected, the file enclosed receives a "+" character at
the end of the extension (i.e. test.exe becomes test.exe+).  Since the A/V
software doesn't recognize that kind of extension, it lets it pass through.

I found that by adding the "+" character to file extensions that are blocked
(.exe+, .cmd+, .vbs+, etc.), the A/V software can now recognize that file
extension and perform the necessary actions on it.
</SNIP>

I know this would possibly require a change to filename routines, but is
this possible using MailScanner?

Just a thought.

CT


----- Original Message -----
From: "Garry Glendown" <garry at GLENDOWN.DE>
To: <MAILSCANNER at JISCMAIL.AC.UK>
Sent: Wednesday, March 03, 2004 2:38 PM


> Mike McMullen wrote:
> > Could a signature or checksum be calculated that was within a certain
> > error bounds that said it was the virus zip?
> >
> > I understand that extra random length files could be added to throw off
> > a checksum but at some point in the bitstream wouldn't there be a
> > recognizable pattern?
>
> Apart from the unencrypted part (which, as I understand, consists only
> of the filename, length, and checksum) I don't think there are any ways
> to identify a virus - after all, if you could it would defeat the reason
> (or quality) of an encryption. Of those listed above, the checksum will
> most likely be based on the encrypted data, which means it will be
> different for every key used. Also, the length (if not for this virus)
> might be different for every mail if the virus writer should decide to
> modify the amount of data written. So, just about anything left is the
> filename, which again only depends on the creativity of the programmer ...
>
> The only other possibility would be to find the password in the
> accompanying message and decrypt the zip using it ... (for encrypted
> zips, the scanner could use every string found in the message and try to
> decode with it ... that would work for any virus message, as the virus
> only makes sense if it is sent together with the password ...)
>
> -gg
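As an added example, not code from this thread or from MailScanner, here is the scanner side of both ideas above in Python. It builds a small password-protected ZIP fixture in memory (traditional PKWARE encryption, which the standard zipfile module can open), shows which entry fields stay readable without the password, applies a blocked-extension rule that tolerates the "test.exe+" spelling from the snippet, and tries each token of the accompanying message text as the password. The blocked-extension list, the payload bytes and the sample message are constructed for the example.

```python
import io, re, struct, zipfile, zlib
BLOCKED = {".exe", ".cmd", ".vbs", ".pif", ".scr"}  # constructed policy list, not MailScanner's

def build_encrypted_zip(name, data, password):
    """Constructed fixture: one STORED entry under traditional PKWARE (ZipCrypto) encryption.
    Flag bit 0 marks it encrypted; name, sizes and CRC stay in the clear in both headers."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    k = [0x12345678, 0x23456789, 0x34567890]
    def update(c):  # PKWARE key schedule, advanced one plaintext byte at a time
        k[0] = zlib.crc32(bytes([c]), k[0] ^ 0xFFFFFFFF) ^ 0xFFFFFFFF
        k[1] = ((k[1] + (k[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        k[2] = zlib.crc32(bytes([k[1] >> 24]), k[2] ^ 0xFFFFFFFF) ^ 0xFFFFFFFF
    for c in password.encode("utf-8"):
        update(c)
    body = bytearray()
    for p in bytes(11) + bytes([crc >> 24]) + data:  # 12-byte check header, then the file
        t = (k[2] | 2) & 0xFFFF
        body.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
        update(p)
    n = name.encode("ascii")
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, 1, 0, 0, 0x21,
                        crc, len(body), len(data), len(n), 0) + n
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, 1, 0, 0, 0x21,
                          crc, len(body), len(data), len(n), 0, 0, 0, 0, 0, 0) + n
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local) + len(body), 0)
    return local + bytes(body) + central + eocd

def inspect_entries(zip_bytes):
    """What a scanner sees without the password: name, length, CRC and the encrypted flag."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [(i.filename, i.file_size, i.CRC, bool(i.flag_bits & 1)) for i in zf.infolist()]

def blocked_name(filename):
    """Filename rule that also matches the 'test.exe+' spelling quoted in the snippet."""
    base = filename.rstrip("+").lower()
    return any(base.endswith(ext) for ext in BLOCKED)

def try_message_passwords(zip_bytes, message_text):
    """Try every token of the accompanying message as the password; return the one that opens it."""
    # Whole tokens plus punctuation-stripped variants, ordered and de-duplicated.
    candidates = dict.fromkeys(re.findall(r"\S+", message_text) + re.findall(r"\w+", message_text))
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            for cand in candidates:
                try:
                    with zf.open(name, pwd=cand.encode("utf-8")) as f:
                        f.read()  # a full read forces the CRC check, catching a lucky check byte
                    return cand
                except (RuntimeError, zipfile.BadZipFile):
                    continue
    return None
```

Trying message tokens is cheap for the stored entry here; on a busy gateway the same loop should be bounded by token count and entry size before it is put in the mail path.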


