Re. ZIP File problem

Quentin Campbell Q.G.Campbell at NEWCASTLE.AC.UK
Wed Oct 20 08:23:59 IST 2004


Appended is a statement of the ZIP File "problem" in case others have
not seen it.

It seems that a short-term defence would be to block ZIP files but that
could be very disruptive here.

Could Julian please clarify whether MailScanner is vulnerable to this
problem? If so what do we need to do to work around it?

We use two A-V products, McAfee and Sophos, and both appear to be
vulnerable. :-( 

Will check their sites this morning to see if there is any progress on
fixes from them.

Quentin
---
PHONE: +44 191 222 8209    Information Systems and Services (ISS),
                           University of Newcastle,
                           Newcastle upon Tyne,
FAX:   +44 191 222 8765    United Kingdom, NE1 7RU.
------------------------------------------------------------------------
"Any opinion expressed above is mine. The University can get its own."

 
------------------------------------------------- cut here
Subject: Multiple anti-virus software evasion

From the Internet Storm Center

Handlers Diary October 19th 2004
Updated October 20th 2004 01:05 UTC (Handler: Jason Lam) 

Multiple Anti-virus software evasion
Anti-virus software from McAfee, Computer Associates, Kaspersky, Sophos,
Eset and RAV are known to be vulnerable to an evasion attack where the
attacker is able to craft a compressed file (zip) with malicious code
and evade the scanning by anti-virus software.


The problem is caused by incorrect handling of header information within
the zip file. Some anti-virus software would skip the scan for files
that have zero size as indicated by the header. The header size
information does not affect the decompression of the zip file. 


Reference:
http://www.idefense.com/application/poi/display?id=153&type=vulnerabilities&flashstatus=true
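
Added example, not part of the original post or of MailScanner: a gateway-side check for the condition the diary describes, written in Python. It ignores the declared sizes, inflates each member itself, and reports entries whose headers disagree with the data. The names `audit_zip`, `actual_size` and the `MAX_OUT` cap are assumptions made for this sketch; ZIP64 and encrypted members are outside what it handles.

```python
import struct
import sys
import zipfile
import zlib

MAX_OUT = 64 * 1024 * 1024  # assumed cap on bytes inflated per member


def actual_size(raw, method):
    """Bytes the member data really expands to, ignoring declared sizes."""
    if method == zipfile.ZIP_STORED:
        return len(raw)
    if method == zipfile.ZIP_DEFLATED:
        return len(zlib.decompressobj(-15).decompress(raw, MAX_OUT))
    return None  # other compression methods are not checked here


def audit_zip(path):
    """Return (member, reason) pairs for entries with inconsistent size fields."""
    findings = []
    with zipfile.ZipFile(path) as zf, open(path, "rb") as fh:
        for info in zf.infolist():
            fh.seek(info.header_offset)
            hdr = fh.read(30)  # fixed part of the local file header
            if len(hdr) < 30 or hdr[:4] != b"PK\x03\x04":
                findings.append((info.filename, "no local header at recorded offset"))
                continue
            flags, method = struct.unpack("<HH", hdr[6:10])
            l_usize, nlen, xlen = struct.unpack("<IHH", hdr[22:30])
            # Bit 3 means sizes follow the data, so zeros in the local header are normal.
            if not flags & 0x08 and l_usize != info.file_size:
                findings.append((info.filename,
                    f"local header says {l_usize} bytes, central directory {info.file_size}"))
            fh.seek(nlen + xlen, 1)  # skip file name and extra field
            real = actual_size(fh.read(info.compress_size), method)
            if real is not None and real != info.file_size:
                findings.append((info.filename,
                    f"declares {info.file_size} bytes but expands to {real}"))
    return findings


if __name__ == "__main__":
    for archive in sys.argv[1:]:
        for name, reason in audit_zip(archive):
            print(f"{archive}: {name}: {reason}")
```

A non-empty result is grounds to quarantine the attachment rather than rely on the scanner's verdict for it.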
