Re. ZIP File problem

Julian Field mailscanner at ecs.soton.ac.uk
Wed Oct 20 09:24:32 IST 2004


At 08:23 20/10/2004, you wrote:
>Appended is a statement of the ZIP File "problem" in case others have
>not seen it.

I worked on this last night using Sophos as the virus scanner, and it
detected it just fine. So I don't agree with their comments.

Unpacking zip files for the purpose of virus scanning is all down to the
virus scanning engines, it's not MailScanner's fault. The decompression
Perl module that MailScanner uses for unpacking for other content checking
(in this case just the "filetype" checks) is partly vulnerable. However, as
a 0-length file is created, the filename checks will still work, so you
should still be protected by the virus scanner and the filename checks. So
I don't consider this to be a serious problem that I need/can do much about.

>------------------------------------------------- cut here
>Subject: Multiple anti-virus software evasion
>
>From the Internet Storm Center
>
>Handlers Diary October 19th 2004
>Updated October 20th 2004 01:05 UTC (Handler: Jason Lam)
>
>Multiple Anti-virus software evasion
>Anti-virus software from McAfee, Computer Associates, Kaspersky, Sophos,
>Eset and RAV are known to be vulnerable to an evasion attack where the
>attacker is able to craft a compressed file (zip) with malicious code
>and evade the scanning by anti-virus software.
>
>
>The problem is caused by incorrect handling of header information within
>the zip file. Some anti-virus software would skip the scan for files
>that has zero size as indicated by the header. The header size
>information does not affect the decompression of the zip file.
>
>
>Reference:
>http://www.idefense.com/application/poi/display?id=153&type=vulnerabilities&flashstatus=true

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
Buy the MailScanner book at www.MailScanner.info/store

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
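The ISC diary quoted above says the evasion works because some scanners trust the size fields in the zip's local file header (which can claim zero length) while decompression is driven by the central directory and the actual compressed stream. The following is an added illustration, not MailScanner's code or anything from the original thread: it builds a constructed sample archive, reproduces the inconsistent-header condition as a test input, shows that the standard library still extracts the member (the behaviour the diary describes), and runs a defensive consistency check that a content filter could apply before trusting any header-declared size. Member names and payload bytes are made up for the example; the only real library used is Python's `zipfile`.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
# local file header: signature, version, flags, method, mtime, mdate,
# crc32, compressed size, uncompressed size, name length, extra length
LOCAL_FMT = "<4sHHHHHIIIHH"
FLAG_DATA_DESCRIPTOR = 0x0008  # bit 3: sizes legitimately live in a trailing descriptor


def build_sample_zip(payload: bytes, name: str = "sample.txt") -> bytes:
    """Constructed sample: an ordinary deflated zip written by the standard library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def zero_local_header_sizes(data: bytes) -> bytes:
    """Constructed test input: overwrite the compressed and uncompressed size fields
    of the first local file header with 0, leaving the central directory and the
    compressed data untouched. This is the header/data inconsistency the diary describes."""
    off = data.find(LOCAL_SIG)
    assert off >= 0, "no local file header found"
    # size fields sit at bytes 18..25 of the local header
    return data[:off + 18] + struct.pack("<II", 0, 0) + data[off + 26:]


def extract_member(data: bytes, name: str) -> bytes:
    """Decompress one member the way a gateway would: driven by the central directory,
    so the forged local sizes do not stop extraction."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)


def check_zip_header_consistency(data: bytes) -> list:
    """Defensive check: cross-reference each member's local header against the
    central directory and the real decompressed length.
    Returns a list of (member name, finding) tuples; empty means consistent."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            hdr = data[info.header_offset:info.header_offset + 30]
            if len(hdr) < 30 or hdr[:4] != LOCAL_SIG:
                findings.append((info.filename, "missing or malformed local file header"))
                continue
            _, _, flags, _, _, _, _, csize, usize, _, _ = struct.unpack(LOCAL_FMT, hdr)
            actual = zf.read(info.filename)
            # With bit 3 set, zero local sizes are normal; only compare when it is clear.
            if not flags & FLAG_DATA_DESCRIPTOR:
                if (csize, usize) != (info.compress_size, info.file_size):
                    findings.append((info.filename,
                                     f"local header sizes {csize}/{usize} differ from "
                                     f"central directory {info.compress_size}/{info.file_size}"))
                if usize == 0 and actual:
                    findings.append((info.filename,
                                     "local header claims zero length but member decompresses to data"))
            if len(actual) != info.file_size:
                findings.append((info.filename,
                                 f"central directory says {info.file_size} bytes, got {len(actual)}"))
    return findings


if __name__ == "__main__":
    payload = b"constructed test content, not a real sample\n" * 20
    good = build_sample_zip(payload)
    bad = zero_local_header_sizes(good)
    print("clean archive findings:", check_zip_header_consistency(good))
    print("forged header still extracts:", extract_member(bad, "sample.txt") == payload)
    for name, msg in check_zip_header_consistency(bad):
        print(f"{name}: {msg}")
```

The practical rule this encodes is the one Julian relies on: never let a header-declared size short-circuit scanning. Size the member by what actually comes out of the decompressor, and treat a local header that disagrees with the central directory as a reason to scan harder, not to skip.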


