Seems to me that while the method of executing in a controlled/simulated environment wouldn't work that once its known what the virus is you just check for the bitpattern like anything else. If you use enough bits its highly unlikely to match any other file, encrypted or otherwise. On Thu, 11 Mar 2004 suse@rio.vg wrote:
Quoting Tom Knight <thomas.knight@ahds.ac.uk>:
Has anyone here tried the possible method I mentioned in an earlier post?
"Okay, how to get round this?
Possibly tell your scanner to reject .zip files containing files with extension .exe+. .com+ etc etc.
I haven't actually received a single one of these .zip files, but the above tip was one I saw on the NTBugTraq list which apparently works with Norton Anti-Virus for Exchange V2.1. I imagine amavis/clamAV would be able to be configured this way."
And how would the scanner know what files were in the *ENCRYPTED* zip? That's the whole problem with worms hidden in encrypted zips. If the scanner could open them to see what files were there, it would just scan the files normally.