No subject

Julian Field mailscanner at ecs.soton.ac.uk
Wed Mar 3 20:34:43 GMT 2004


At 20:15 03/03/2004, you wrote:
>Sorry for the top post, but I found this on a Microsoft Mailing list, does
>this avenue provide a possible solution?
>
><SNIP>
>I've found that the A/V software does see the file within the ZIP archive,
>but cannot process it because it does not recognize the extension.  When the
>archive is password protected, the file enclosed receives a "+" character at
>the end of the extension (ie test.exe becomes test.exe+)  Since the A/V
>software doesn't recognize that kind of extension, it lets it pass thru.
>
>I found that by adding the "+" character to file extensions that are blocked
>(.exe+, .cmd+, .vbs+ etc etc), the A/V software can now recognize that file
>extension and perform the necessary actions on it.
></SNIP>
>
>I know this would possibly require a change to filename routines, but is
>this possible using MailScanner?

The zip archive unpacking I do doesn't add anything to the end of the filename.


>Just a thought.
>
>CT
>
>
>----- Original Message -----
>From: "Garry Glendown" <garry at GLENDOWN.DE>
>To: <MAILSCANNER at JISCMAIL.AC.UK>
>Sent: Wednesday, March 03, 2004 2:38 PM
>
>
> > Mike McMullen wrote:
> > > Could a signature or checksum be calculated that was within a certain
>error
> > > bounds that said it was the virus zip?
> > >
> > > I understand that extra random length files could be added to throw off
>a
> > > checksum but at some point in the bitstream wouldn't there be a
>recognizable
> > > pattern?
> >
> > Apart from the unencrypted part (which, as I understand, consists only
> > of the filename, length, and checksum) I don't think there are any ways
> > to identify a virus - after all, if you could it would defeat the reason
> > (or quality) of an encryption. Of those listed above, the checksum will
> > most likely be based on the encrypted data, which means it will be
> > different for every key used. Also, the length (if not for this virus)
> > might be different for every mail if the virus writer should decide to
> > modify the amount of data written. So, just about anything left is the
> > filename, which again only depends on the creativity of the programmer ...
> >
> > The only other possibility would be to find the password in the
> > accompanying message and decrypt the zip using it ... (for encrypted
> > zips, the scanner could use every string found in the message and try to
> > decode with it ... that would work for any virus message, as the virus
> > only makes sense if it is sent together with the password ...)
> >
> > -gg

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
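The quoted thread turns on which fields of a password-protected zip are readable without the password. The following is an added example, written for this archive page; it is not MailScanner code and not from anyone on the thread. It builds a small constructed archive in memory (the "encrypted" payload is a stand-in, not real ZipCrypto, which is an assumption of the example), then walks the central directory to recover the cleartext metadata: file name, compressed and uncompressed sizes, the CRC-32 (which PKZIP computes over the uncompressed data) and bit 0 of the general-purpose flag, which marks the entry as encrypted. A block-by-extension check can therefore be applied to the inner filename directly, with no renaming such as the `.exe+` trick described in the quoted post. The helper names `build_zip`, `list_entries`, `blocked_entries` and `stdlib_view` are this example's own.

```python
import io
import struct
import zipfile
import zlib

LOCAL_SIG = 0x04034B50
CENTRAL_SIG = 0x02014B50
EOCD_SIG = 0x06054B50
FLAG_ENCRYPTED = 0x0001  # bit 0 of the general-purpose bit flag


def build_zip(entries):
    """Build a minimal stored (method 0) archive in memory.

    entries: list of (name, data, encrypted). For entries flagged encrypted
    the general-purpose bit 0 is set and the payload is a constructed
    stand-in for ciphertext (real ZipCrypto would transform the bytes
    differently, but every header field parsed below would be identical).
    """
    local = bytearray()
    central = bytearray()
    for name, data, encrypted in entries:
        name_b = name.encode("ascii")
        flags = FLAG_ENCRYPTED if encrypted else 0
        crc = zlib.crc32(data) & 0xFFFFFFFF  # CRC-32 of the uncompressed data
        payload = bytes(b ^ 0x5A for b in data) if encrypted else data
        offset = len(local)
        # local file header: sig, version, flags, method, time, date,
        # crc, compressed size, uncompressed size, name len, extra len
        local += struct.pack("<IHHHHHIIIHH", LOCAL_SIG, 20, flags, 0, 0, 0,
                             crc, len(payload), len(data), len(name_b), 0)
        local += name_b + payload
        # central directory header (same cleartext fields plus local offset)
        central += struct.pack("<IHHHHHHIIIHHHHHII", CENTRAL_SIG, 20, 20, flags,
                               0, 0, 0, crc, len(payload), len(data),
                               len(name_b), 0, 0, 0, 0, 0, offset)
        central += name_b
    eocd = struct.pack("<IHHHHIIH", EOCD_SIG, 0, 0, len(entries), len(entries),
                       len(central), len(local), 0)
    return bytes(local) + bytes(central) + eocd


def list_entries(blob):
    """Return the cleartext metadata of every entry by walking the central
    directory. Nothing here requires the archive password."""
    eocd_pos = blob.rfind(struct.pack("<I", EOCD_SIG))
    if eocd_pos < 0:
        raise ValueError("no end-of-central-directory record")
    _sig, _d, _d2, _n, total, _cd_size, cd_off, _clen = struct.unpack_from(
        "<IHHHHIIH", blob, eocd_pos)
    entries = []
    pos = cd_off
    for _ in range(total):
        f = struct.unpack_from("<IHHHHHHIIIHHHHHII", blob, pos)
        if f[0] != CENTRAL_SIG:
            raise ValueError("corrupt central directory")
        flags, method, crc, csize, usize, nlen, xlen, clen = (
            f[3], f[4], f[7], f[8], f[9], f[10], f[11], f[12])
        name = blob[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        entries.append({"name": name, "encrypted": bool(flags & FLAG_ENCRYPTED),
                        "method": method, "crc": crc,
                        "compressed_size": csize, "uncompressed_size": usize})
        pos += 46 + nlen + xlen + clen
    return entries


def blocked_entries(blob, blocked_exts=(".exe", ".cmd", ".vbs")):
    """Inner filenames whose extension is on the block list, encrypted or not.
    The name is in the clear, so the policy applies to password-protected
    archives without any renaming of the extension."""
    return [e["name"] for e in list_entries(blob)
            if e["name"].lower().endswith(tuple(blocked_exts))]


def stdlib_view(blob):
    """Cross-check: the standard library reads the same flag and CRC."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return [(i.filename, bool(i.flag_bits & FLAG_ENCRYPTED), i.CRC)
                for i in zf.infolist()]


# constructed sample: one plain text file and one "encrypted" executable
SAMPLE = build_zip([
    ("readme.txt", b"hello", False),
    ("test.exe", b"MZ\x90\x00stand-in program bytes", True),
])

if __name__ == "__main__":
    for e in list_entries(SAMPLE):
        print(e)
    print("blocked:", blocked_entries(SAMPLE))
```

A scanner that walks the central directory this way sees the inner filename and sizes of a password-protected archive exactly as it would for a plain one; only the payload is opaque, which is why extension-based blocking still works while content-based detection does not.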
