RE: [suse-security] NAI on unix do not find actual virus
"Mrvka Andreas" <mrv@tuev.at> wrote:
> hi,
> I use the NAI product for my SuSE Linux 9 distribution. VirusScan for Unix: with actual engine and Dat file...
> ----<text snipped>---
> I copied the exe file out of the zip file and ran the uvscan but nevertheless I was unsuccessful :-(

And you are unhappy ??? My father has a saying: "Don't go looking for trouble, it will find you soon enough." Unless you have a test environment that is off the web, please don't go opening up strange files... However, in this case I would suspect that SuSE or one of the ISPs stripped out the virus, IAE, I hope so ... if not maybe a re-install would be a good idea --- especially if your machine is dual boot ... There is also an Urban Legend that the anti-virus people update their dat files as soon as they hear of a new virus -- just so people feel good --- however, in some cases it may take them a while before they actually have a fix. You might want to try again running your virus scan. -- "Paranoia is heightened awareness." --

> -----Original Message----- From: GarUlbricht7@netscape.net [mailto:GarUlbricht7@netscape.net] Sent: 10 March 2004 07:49 To: suse-security@suse.com Subject: RE: [suse-security] NAI on unix do not find actual virus
> "Mrvka Andreas" <mrv@tuev.at> wrote:
> > hi,
> > I use the NAI product for my SuSE Linux 9 distribution. VirusScan for Unix: with actual engine and Dat file...
> > ----<text snipped>---
> > I copied the exe file out of the zip file and ran the uvscan but nevertheless I was unsuccessful :-(
> And you are unhappy ???
> My father has a saying:
> "Don't go looking for trouble, it will find you soon enough."
> Unless you have a test environment that is off the web, please don't go opening up strange files...

Indeed. Looking at this again, you probably want to test using the eicar test file, http://www.eicar.org/anti_virus_test_file.htm. It's a harmless text file that all AV software detects as a virus. No I won't send it to you - my mail server probably wouldn't let it through! Tom.

> -----Original Message----- From: Tom Knight [mailto:thomas.knight@ahds.ac.uk] Sent: Wednesday, 10 March 2004 12:34
> > -----Original Message----- From: GarUlbricht7@netscape.net [mailto:GarUlbricht7@netscape.net] Sent: 10 March 2004 07:49
> > "Mrvka Andreas" <mrv@tuev.at> wrote:
> > > hi,
> > > I use the NAI product for my SuSE Linux 9 distribution. VirusScan for Unix: with actual engine and Dat file...
> > > ----<text snipped>---
> > > I copied the exe file out of the zip file and ran the uvscan but nevertheless I was unsuccessful :-(
> > And you are unhappy ???

yes, I AM unhappy! For a mailserver virus scanning it's so nice to let viruses go through...

> > My father has a saying:
> > "Don't go looking for trouble, it will find you soon enough."
> > Unless you have a test environment that is off the web, please don't go opening up strange files...
> Indeed.
> Looking at this again, you probably want to test using the eicar test file, http://www.eicar.org/anti_virus_test_file.htm. It's a harmless text file that all AV software detects as a virus.
> No I won't send it to you - my mail server probably wouldn't let it through!

I know this virus. In fact, my virus scan detects all viruses except this one which is in a password protected zip file. NAI's product based on Microsoft servers can detect it. I try to ask NAI directly, as I read here...

> Tom.

thanks, Andrew

On Wed, 10 Mar 2004 12:53:31 +0100 "Mrvka Andreas" <mrv@tuev.at> wrote:
> > -----Original Message----- From: Tom Knight [mailto:thomas.knight@ahds.ac.uk] Sent: Wednesday, 10 March 2004 12:34
> > > -----Original Message----- From: GarUlbricht7@netscape.net [mailto:GarUlbricht7@netscape.net] Sent: 10 March 2004 07:49
> > > "Mrvka Andreas" <mrv@tuev.at> wrote:
> > > > hi,
> > > > I use the NAI product for my SuSE Linux 9 distribution. VirusScan for Unix: with actual engine and Dat file...
> > > > ----<text snipped>---
> > > > I copied the exe file out of the zip file and ran the uvscan but nevertheless I was unsuccessful :-(
> > > And you are unhappy ???
> yes, I AM unhappy! For a mailserver virus scanning it's so nice to let viruses go through...
> > > My father has a saying:
> > > "Don't go looking for trouble, it will find you soon enough."
> > > Unless you have a test environment that is off the web, please don't go opening up strange files...
> > Indeed.
> > Looking at this again, you probably want to test using the eicar test file, http://www.eicar.org/anti_virus_test_file.htm. It's a harmless text file that all AV software detects as a virus.
> > No I won't send it to you - my mail server probably wouldn't let it through!
> I know this virus. In fact, my virus scan detects all viruses except this one which is in a password protected zip file.
> NAI's product based on Microsoft servers can detect it.
> I try to ask NAI directly, as I read here...
> > Tom.
> thanks, Andrew

Is it not well known that the virus scanners are not able to detect this virus precisely because it is in a password protected zip file? The Virus SWAT team at my job posed this very issue when announcing the virus to employees. The team instructed employees to delete the e-mail, or forward it to the team for analysis. The password is supposed to be included in the body of the e-mail, which you're supposed to open yourself so the virus can then do its thing. The whole purpose, I gather, for putting the virus in the zip file was to avoid detection by the scanners. I was not aware that NAI had the ability to detect the virus on Windows servers. Regards, Don
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here

> -----Original Message----- From: Don Parris [mailto:dcparris@earthlink.net] Sent: 10 March 2004 18:11 To: suse-security@suse.com Subject: Re: AW: [suse-security] NAI on unix do not find actual virus
> On Wed, 10 Mar 2004 12:53:31 +0100 "Mrvka Andreas" <mrv@tuev.at> wrote:
> > > -----Original Message----- From: Tom Knight [mailto:thomas.knight@ahds.ac.uk] Sent: Wednesday, 10 March 2004 12:34
> > > > -----Original Message----- From: GarUlbricht7@netscape.net [mailto:GarUlbricht7@netscape.net] Sent: 10 March 2004 07:49
> > > > "Mrvka Andreas" <mrv@tuev.at> wrote:
> > > > > hi,
> > > > > I use the NAI product for my SuSE Linux 9 distribution. VirusScan for Unix: with actual engine and Dat file...
> > > > > ----<text snipped>---
> > > > > I copied the exe file out of the zip file and ran the uvscan but nevertheless I was unsuccessful :-(
> > > > And you are unhappy ???
> > yes, I AM unhappy! For a mailserver virus scanning it's so nice to let viruses go through...
> > > > My father has a saying:
> > > > "Don't go looking for trouble, it will find you soon enough."
> > > > Unless you have a test environment that is off the web, please don't go opening up strange files...
> > > Indeed.
> > > Looking at this again, you probably want to test using the eicar test file, http://www.eicar.org/anti_virus_test_file.htm. It's a harmless text file that all AV software detects as a virus.
> > > No I won't send it to you - my mail server probably wouldn't let it through!
> > I know this virus. In fact, my virus scan detects all viruses except this one which is in a password protected zip file.
> > NAI's product based on Microsoft servers can detect it.
> > I try to ask NAI directly, as I read here...
> > > Tom.
> > thanks, Andrew
> Is it not well known that the virus scanners are not able to detect this virus precisely because it is in a password protected zip file? The Virus SWAT team at my job posed this very issue when announcing the virus to employees. The team instructed employees to delete the e-mail, or forward it to the team for analysis. The password is supposed to be included in the body of the e-mail, which you're supposed to open yourself so the virus can then do its thing. The whole purpose, I gather, for putting the virus in the zip file was to avoid detection by the scanners. I was not aware that NAI had the ability to detect the virus on Windows servers.

Has anyone here tried the possible method I mentioned in an earlier post? "Okay, how to get round this? Possibly tell your scanner to reject .zip files containing files with extension .exe+. .com+ etc etc. I haven't actually received a single one of these .zip files, but the above tip was one I saw on the NTBugTraq list which apparently works with Norton Anti-Virus for Exchange V2.1. I imagine amavis/clamAV would be able to be configured this way." Tom.

Quoting Tom Knight <thomas.knight@ahds.ac.uk>:
> Has anyone here tried the possible method I mentioned in an earlier post?
> "Okay, how to get round this?
> Possibly tell your scanner to reject .zip files containing files with extension .exe+. .com+ etc etc.
> I haven't actually received a single one of these .zip files, but the above tip was one I saw on the NTBugTraq list which apparently works with Norton Anti-Virus for Exchange V2.1. I imagine amavis/clamAV would be able to be configured this way."

And how would the scanner know what files were in the *ENCRYPTED* zip? That's the whole problem with worms hidden in encrypted zips. If the scanner could open them to see what files were there, it would just scan the files normally.

/ 2004-03-11 10:47:04 -0500 \ suse@rio.vg:
> Quoting Tom Knight <thomas.knight@ahds.ac.uk>:
> > Has anyone here tried the possible method I mentioned in an earlier post?
> > "Okay, how to get round this?
> > Possibly tell your scanner to reject .zip files containing files with extension .exe+. .com+ etc etc.
> > I haven't actually received a single one of these .zip files, but the above tip was one I saw on the NTBugTraq list which apparently works with Norton Anti-Virus for Exchange V2.1. I imagine amavis/clamAV would be able to be configured this way."
> And how would the scanner know what files were in the *ENCRYPTED* zip? That's the whole problem with worms hidden in encrypted zips. If the scanner could open them to see what files were there, it would just scan the files normally.

Typically even for an encrypted zip file, its TOC is still clear text. So, if unzip -l suspicious.zip | grep "I am a virus.exe" is successful, you can safely remove it without even unpacking it :) Lars Ellenberg

> -----Original Message----- From: suse@rio.vg [mailto:suse@rio.vg] Sent: 11 March 2004 15:47 To: suse-security@suse.com Subject: RE: AW: [suse-security] NAI on unix do not find actual virus
> Quoting Tom Knight <thomas.knight@ahds.ac.uk>:
> > Has anyone here tried the possible method I mentioned in an earlier post?
> > "Okay, how to get round this?
> > Possibly tell your scanner to reject .zip files containing files with extension .exe+. .com+ etc etc.
> > I haven't actually received a single one of these .zip files, but the above tip was one I saw on the NTBugTraq list which apparently works with Norton Anti-Virus for Exchange V2.1. I imagine amavis/clamAV would be able to be configured this way."
> And how would the scanner know what files were in the *ENCRYPTED* zip? That's the whole problem with worms hidden in encrypted zips. If the scanner could open them to see what files were there, it would just scan the files normally.

It doesn't. Make the assumption that anyone sending a .exe in a password protected zip file is sending a virus. Tom.

On Thu, Mar 11, 2004 at 05:03:37PM -0000, Tom Knight wrote:
> > And how would the scanner know what files were in the *ENCRYPTED* zip? That's the whole problem with worms hidden in encrypted zips. If the scanner could open them to see what files were there, it would just scan the files normally.
There's a bit flag in the zip file header for that purpose (see http://www.pkware.com/products/enterprise/white_papers/appnote.html). -- Michel Messerschmidt lists@michel-messerschmidt.de antiVirusTestCenter, Computer Science, University of Hamburg
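What Lars's "unzip -l" check and Michel's header flag both rely on, shown as an added example that is not from anyone in this thread: the zip central directory stores every entry's file name and its general purpose bit flag in the clear, so a mail gateway can list the names and tell which entries are encrypted without any password and without unpacking anything. The sample archive is constructed in the code (its "encrypted" entry only has the flag bit set, no real encryption), and the EXEC_EXTS list and the file names are assumptions.

```python
import io
import struct
import zipfile
import zlib

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = 0x04034B50, 0x02014B50, 0x06054B50
FLAG_ENCRYPTED = 0x0001  # general purpose bit 0 ("encrypted"), PKWARE appnote
EXEC_EXTS = (".exe", ".com", ".scr", ".pif")  # assumed extensions to treat as executable

def build_zip(entries):
    """Constructed sample: stored entries; 'encrypted' only sets the header bit, payloads stay clear."""
    body, central = bytearray(), bytearray()
    for name, payload, encrypted in entries:
        flag, nb, off = (FLAG_ENCRYPTED if encrypted else 0), name.encode(), len(body)
        crc, size = zlib.crc32(payload) & 0xFFFFFFFF, len(payload)
        body += struct.pack("<IHHHHHIIIHH", LOCAL_SIG, 20, flag, 0, 0, 0,
                            crc, size, size, len(nb), 0) + nb + payload
        central += struct.pack("<IHHHHHHIIIHHHHHII", CENTRAL_SIG, 20, 20, flag, 0, 0, 0,
                               crc, size, size, len(nb), 0, 0, 0, 0, 0, off) + nb
    eocd = struct.pack("<IHHHHIIH", EOCD_SIG, 0, 0, len(entries), len(entries),
                       len(central), len(body), 0)
    return bytes(body + central + eocd)

def list_entries(data):
    """Walk the central directory without unpacking: names and flag bits are cleartext even
    when the file data is encrypted. Returns [(name, encrypted, method)]."""
    eocd = data.rfind(struct.pack("<I", EOCD_SIG))
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    count, _, pos = struct.unpack_from("<HII", data, eocd + 10)  # entry count, CD size, CD offset
    entries = []
    for _ in range(count):
        sig, flags, method = struct.unpack_from("<I4xHH", data, pos)  # skip the two version fields
        if sig != CENTRAL_SIG:
            raise ValueError("corrupt central directory")
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        entries.append((name, bool(flags & FLAG_ENCRYPTED), method))
        pos += 46 + name_len + extra_len + comment_len
    return entries

def encrypted_executables(data):
    """The gateway rule from the thread: encrypted entries with an executable file name."""
    return [n for n, enc, _ in list_entries(data) if enc and n.lower().endswith(EXEC_EXTS)]

def stdlib_flags(data):
    """Cross-check: the standard library exposes the same bit as ZipInfo.flag_bits."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {zi.filename: bool(zi.flag_bits & FLAG_ENCRYPTED) for zi in zf.infolist()}

SAMPLE = build_zip([("readme.txt", b"please read", False), ("document.exe", b"MZ stand-in", True)])
```

As Michel notes further down, this only tells you that an executable sits inside an encrypted archive, not what it is; the name and flag are the only things a gateway can see without the password.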

Seems to me that while the method of executing in a controlled/simulated environment wouldn't work that once it's known what the virus is you just check for the bitpattern like anything else. If you use enough bits it's highly unlikely to match any other file, encrypted or otherwise.

On Thu, 11 Mar 2004 suse@rio.vg wrote:
> Quoting Tom Knight <thomas.knight@ahds.ac.uk>:
> > Has anyone here tried the possible method I mentioned in an earlier post?
> > "Okay, how to get round this?
> > Possibly tell your scanner to reject .zip files containing files with extension .exe+. .com+ etc etc.
> > I haven't actually received a single one of these .zip files, but the above tip was one I saw on the NTBugTraq list which apparently works with Norton Anti-Virus for Exchange V2.1. I imagine amavis/clamAV would be able to be configured this way."
> And how would the scanner know what files were in the *ENCRYPTED* zip? That's the whole problem with worms hidden in encrypted zips. If the scanner could open them to see what files were there, it would just scan the files normally.

On Thu, Mar 11, 2004 at 09:26:21PM -0500, Dana Hudes wrote:
> Seems to me that while the method of executing in a controlled/simulated environment wouldn't work that once it's known what the virus is you just check for the bitpattern like anything else. If you use enough bits it's highly unlikely to match any other file, encrypted or otherwise.

That doesn't work for polymorphic viruses and viruses that use randomly generated encryption passwords. -- Michel Messerschmidt lists@michel-messerschmidt.de antiVirusTestCenter, Computer Science, University of Hamburg