Mailinglist Archive: opensuse-security (485 mails)

< Previous Next >
RE: AW: [suse-security] NAI on unix do not find actual virus
  • From: Dana Hudes <dhudes@xxxxxxxxxxx>
  • Date: Thu, 11 Mar 2004 21:26:21 -0500 (EST)
  • Message-id: <Pine.LNX.4.58.0403112125030.28796@xxxxxxxxxxxxxxxxxxxx>
Seems to me that while the method of executing in a controlled/simulated
environment wouldn't work that once its known what the virus is you just
check for the bitpattern like anything else. If you use enough bits
its highly unlikely to match any other file, encrypted or otherwise.


On Thu, 11 Mar 2004 suse@xxxxxx wrote:

> Quoting Tom Knight <thomas.knight@xxxxxxxxxx>:
> >
> > Has anyone here tried the possible method I mentioned in an earlier post?
> >
> > "Okay, how to get round this?
> >
> > Possibly tell your scanner to reject .zip files containing
> > files with extension .exe+. .com+ etc etc.
> >
> > I haven't actually received a single one of these .zip files,
> > but the above tip was one I saw on the NTBugTraq list which
> > apparently works with Norton Anti-Virus for Exchange V2.1. I
> > imagine amavis/clamAV would be able to be configured this way."
> >
>
> And how would the scanner know what files were in the *ENCRYPTED* zip? That's
> the whole problem with worms hidden in encrypted zips. If the scanner could
> open them to see what files were there, it would just scan the files normally.
>
>

< Previous Next >
References