McAfee PROBLEM !!! (solved)

MailScanner mailscanner at SMITS.CO.UK
Sat Mar 6 20:11:00 GMT 2004


Zip attachments only make up 0.3% of our mail traffic by message count.
Spending a bit more time on them would not significantly increase the
overhead. Some filters may have higher percentages to chew through
obviously, but in the tradition of MS's excellent tweakability, this
would be an option, not mandatory. 

Bart...

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
Behalf Of Chris Yuzik
Posted At: 05 March 2004 22:13
Posted To: MailScanner
Conversation: McAfee PROBLEM !!! (solved)
Subject: Re: McAfee PROBLEM !!! (solved)


Bart,

This is a very interesting idea. I'm not sure how much extra overhead
this would cause for MailScanner though. It's almost like you'd have to
spawn a separate process to attempt to decrypt the zip...and somehow
pass all the words to try.

I'll follow this thread to see what other ideas people come up with.

Cheers,
Chris

MailScanner wrote:

>MS could check the body of the message and try all words within ten
>words of 'password' to unlock the encrypted zip file, plus all phrases
>in the filename of the attachment. E.g. phrases like 'The password for
>this zip file is abracadabra' or 'use abracadabra when prompted for a
>password' will allow it to crack the zip.
>
>This would expose the cleartext virus code which may still change, but
>AV software has been able to deal with morphing viruses for a while now.
>
>Even if the contents of the zip were benign, we could still
>block/quarantine the message as 'uselessly encrypted zip file' since the
>only point in sending an encrypted file and its key in the same message
>is to bypass automated scanning.
>
>Bart...
>
>
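
The gateway-side check proposed in this thread, sketched as an added example (not MailScanner code and not written by either poster). The function names, the sample body and the attachment name are assumptions made for illustration; Python's standard zipfile module is used, which only decrypts traditional ZipCrypto archives.

```python
import re
import zipfile
import zlib

WINDOW = 10  # words either side of 'password', per the proposal in the thread
# Constructed sample message body and attachment name (not real mail).
SAMPLE_BODY = "Hi, the password for this zip file is abracadabra. Thanks"
SAMPLE_NAME = "report_2004.zip"

def _words(text):
    # Whitespace split, then trim surrounding punctuation and quotes.
    return [w for w in (t.strip(".,;:!?\"'()[]<>") for t in text.split()) if w]

def candidate_passwords(body, attachment_name):
    """Ordered, de-duplicated candidates: words near 'password', then filename parts."""
    words, found = _words(body), []
    for i, w in enumerate(words):
        if "password" in w.lower():
            found += words[max(0, i - WINDOW): i + WINDOW + 1]
    stem = attachment_name.rsplit(".", 1)[0]
    found += [stem] + [p for p in re.split(r"[^A-Za-z0-9]+", stem) if p]
    return list(dict.fromkeys(found))  # dict keeps first-seen order

def try_unlock(zip_path, candidates):
    """Return the candidate that decrypts the first encrypted member, else None."""
    with zipfile.ZipFile(zip_path) as zf:
        locked = [m for m in zf.infolist() if m.flag_bits & 0x1]  # bit 0 = encrypted
        if not locked:
            return None
        for cand in candidates:
            try:
                zf.read(locked[0], pwd=cand.encode("utf-8"))
                return cand
            except (RuntimeError, zipfile.BadZipFile, zlib.error):
                continue  # wrong password, failed CRC, or unsupported cipher
    return None

def classify(body, attachment_name, zip_path):
    """Policy from the thread: a zip whose key travels with it gets flagged."""
    pwd = try_unlock(zip_path, candidate_passwords(body, attachment_name))
    if pwd is None:
        return ("not unlocked", None)
    return ("uselessly encrypted zip file", pwd)  # unlocked content can go on to AV

if __name__ == "__main__":
    print(candidate_passwords(SAMPLE_BODY, SAMPLE_NAME))
```

The candidate list is bounded by the window size and the filename, so the number of decrypt attempts per message stays small.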



