blocking SDG files?
Rick Cooper
rcooper at DWFORD.COM
Tue Mar 29 18:14:24 IST 2005
-----Original Message-----
From: MailScanner mailing list
[mailto:MAILSCANNER at JISCMAIL.AC.UK]On Behalf Of Fractal IT Dept.
Sent: Tuesday, March 29, 2005 10:17 AM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: blocking SDG files?
Scott Silva wrote:
You might try to run it through the "file"
command.
Hi Scott,
I've run the file through the "file" command and I get
'unknown readable demand paged pure executable'. I'm not sure
what that means though.
I have also had a look at the file in a hex editor, and it
certainly doesn't look like a standard DOS/Windows executable
file. It's missing the usual "MZ" at the beginning of the
file, for one. To me, this file looks like a binary data
file.
[Rick Cooper]
A demand paged executable is an executable compiled to load only
parts of the executable at load time, and then load a needed page
directly from the executable when it's required. So if you have a
large executable that doesn't always need certain functions they
can be compiled as pages and it reduces the load time and memory
requirements at the expense of execution speed when the given page
is required.
As I recall, the Windows PE executables include an MSDOS MZ (possibly
MZP) header and stub (that says it must be run under Windows) and the
PE32 does not. I believe the PE32 starts with a COFF header and
that would be something like 16 bytes of non-ASCII data relating to
machine target, section count and a few pointers. So I would
suppose it would be easy to mistake a binary data file with no
header for a PE32. Conversely, one would not recognize a PE32 file as a
typical Microsoft format (because it really isn't, it's Unix-based
in reality) because there would not be an MSDOS header and stub, so
no MZ or MZP.
I kind of doubt that there is a magic entry for a Star Office
Graphic file since there is no firm structure for it... I would
think quarantine and release would be the only answer.
Rick
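
The hex-editor check discussed in this thread (looking for "MZ" at the start of the file), written out as an added example that is not part of the original posts. It goes one step further than the thread and follows the DOS header's offset field at 0x3C to the "PE\0\0" signature and the COFF header's machine and section-count fields; the function names and sample buffers are constructed for illustration.

```python
import struct

def classify_header(data: bytes) -> dict:
    """Classify a buffer by its leading bytes, as one would in a hex editor."""
    if data[:2] != b"MZ":
        return {"kind": "no-mz"}           # no DOS/Windows executable marker
    if len(data) < 0x40:
        return {"kind": "mz-truncated"}    # marker present, DOS header incomplete
    # e_lfanew: little-endian 32-bit offset of the PE signature, stored at 0x3C
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    # signature (4 bytes) + COFF file header (20 bytes) must fit in the buffer
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return {"kind": "dos-mz"}          # DOS-only executable or damaged PE
    # COFF file header starts with Machine and NumberOfSections (16 bits each)
    machine, sections = struct.unpack_from("<HH", data, pe_off + 4)
    return {"kind": "pe", "machine": hex(machine), "sections": sections}

def build_sample_pe() -> bytes:
    """Constructed sample: 64-byte DOS header, PE signature, COFF header."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # PE signature right after header
    coff = struct.pack("<HHIIIHH", 0x014C, 3, 0, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff

def build_sample_dos() -> bytes:
    """Constructed sample: MZ header whose offset field points at no PE header."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    return bytes(dos)

# Constructed sample: arbitrary binary data with no recognizable header
SAMPLE_DATA = bytes([0x0B, 0x01, 0x64, 0x00]) + bytes(range(60))

if __name__ == "__main__":
    for name, buf in [("pe", build_sample_pe()),
                      ("dos", build_sample_dos()),
                      ("data", SAMPLE_DATA),
                      ("short", b"MZ\x90\x00")]:
        print(name, classify_header(buf))
```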