McAfee PROBLEM !!! (solved)

Rabellino Sergio rabellino at DI.UNITO.IT
Thu Mar 4 09:04:38 GMT 2004


Denis Beauchemin wrote:
> On Wed 03/03/2004 at 12:51, Rabellino Sergio wrote:
> 
>>Denis Beauchemin wrote:
>>
>>>On Wed 03/03/2004 at 12:14, Denis Beauchemin wrote:
>>>
>>>
>>>>Many infected password-protected zip files passed through our McAfee AV
>>>>(using 4332).  Nonetheless we detected 341 W32/Bagle.j at MM since
>>>>midnight.
>>>>On Wed 03/03/2004 at 11:34, Michael Baird wrote:
>>>>
>>>>
>>>>>Good question. Does DAT 4332 fix it? My understanding was that it
>>>>>handled the unzipping and so forth, and MailScanner interpreted the
>>>>>response. I'm looking for confirmation. I'm running an older version of
>>>>>MailScanner (4.25-14 I believe); I hate to upgrade unless it's
>>>>>necessary.
>>>
>>>
>>>I've taken a look at the Bagle.j detected so far and none were in a zip
>>>file (all were plain pif files).
>>>
>>>So I'd say 4332 is definitely not catching any password-protected Bagle!
>>>
>>>Denis
>>
>>As Bagle encrypts the virus itself in the zip with a random password, how can McAfee (or any other antivirus) catch a
>>virus encrypted in 999999 different forms? (The password is 6 integer digits.)
> 
> 
> Sergio,
> 
> They can't unzip the file but they can compare its size and some
> checksum they computed on infected zip files.
> 
But if the file is encrypted, the checksums and lengths change as the key used changes; also the filename used inside
the zip could be changed randomly (if Bagle does not do this now, the next variant will...), so
the complexity remains unchanged: a different zip file for every key used....

The only solution is to ban the encrypted zip files.
-- 
Dott. Sergio Rabellino

  Technical Staff
  Department of Computer Science
  University of Torino (Italy)

http://www.di.unito.it/~rabser
Tel. +39-0116706701
Fax. +39-011751603
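Sergio's conclusion above is to ban encrypted zip files at the gateway. As an added example (not part of the thread, and not MailScanner or McAfee code), the Python below reads a ZIP's central directory and flags any entry whose general-purpose bit 0 (encryption) is set, which is the check a mail filter needs to enforce such a ban; it assumes a single-disk, non-Zip64 archive, and the sample archive it inspects is constructed inline.

```python
"""Detect password-protected ZIP attachments from the archive's central
directory: the check a mail gateway needs to "ban encrypted zips".
Added example for this thread; not MailScanner or McAfee code."""
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"  # end of central directory record
CDH_SIG = b"PK\x01\x02"   # central directory file header

def _central_directory(data: bytes):
    """Return (entry_count, offset) of the central directory, read from the
    EOCD record. Assumes a single-disk, non-Zip64 archive."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("not a ZIP archive: no end-of-central-directory record")
    total, _cd_size, cd_off = struct.unpack_from("<HII", data, eocd + 10)
    return total, cd_off

def zip_entries(data: bytes):
    """Yield (name, encrypted, crc32) per entry. Bit 0 of the general-purpose
    flag marks an encrypted entry (ZipCrypto or AES); the stored CRC-32 is of
    the plaintext, so it does not change with the password."""
    total, pos = _central_directory(data)
    for _ in range(total):
        if data[pos:pos + 4] != CDH_SIG:
            raise ValueError("corrupt central directory")
        flags, _method, _time, _date, crc = struct.unpack_from("<HHHHI", data, pos + 8)
        nlen, elen, clen = struct.unpack_from("<HHH", data, pos + 28)
        raw_name = data[pos + 46:pos + 46 + nlen]
        name = raw_name.decode("utf-8" if flags & 0x800 else "cp437")
        yield name, bool(flags & 0x1), crc
        pos += 46 + nlen + elen + clen

def has_encrypted_entry(data: bytes) -> bool:
    """True if any entry is encrypted: the gateway should block the attachment."""
    return any(encrypted for _, encrypted, _ in zip_entries(data))

def make_sample(encrypted: bool) -> bytes:
    """Constructed test data: a one-entry archive written with zipfile; for
    the encrypted case bit 0 of the flag is set by hand in both headers,
    because zipfile cannot write encrypted archives."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("attachment.pif", b"constructed sample, not a real payload")
    data = bytearray(buf.getvalue())
    if encrypted:
        _, cd_off = _central_directory(bytes(data))
        data[cd_off + 8] |= 1                    # central directory flag
        data[data.find(b"PK\x03\x04") + 6] |= 1  # local file header flag
    return bytes(data)
```

Because the CRC-32 in the headers is computed over the plaintext, it is the one field that stays identical across the 999999 passwords discussed above, while compressed sizes and the encrypted bytes themselves differ per key.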




More information about the MailScanner mailing list