Mailinglist Archive: opensuse-security (485 mails)

Re: AW: [suse-security] NAI on unix do not find actual virus
  • From: Lars Ellenberg <l.g.e@xxxxxx>
  • Date: Thu, 11 Mar 2004 17:38:10 +0100
  • Message-id: <3lAZ+m6Q6LrZdmtJ+2EPH8s=lge@xxxxxx>
/ 2004-03-11 10:47:04 -0500
\ suse@xxxxxx:
> Quoting Tom Knight <thomas.knight@xxxxxxxxxx>:
> >
> > Has anyone here tried the possible method I mentioned in an earlier post?
> >
> > "Okay, how to get round this?
> >
> > Possibly tell your scanner to reject .zip files containing
> > files with extension .exe+. .com+ etc etc.
> >
> > I haven't actually received a single one of these .zip files,
> > but the above tip was one I saw on the NTBugTraq list which
> > apparently works with Norton Anti-Virus for Exchange V2.1. I
> > imagine amavis/clamAV would be able to be configured this way."
> >
>
> And how would the scanner know what files were in the *ENCRYPTED* zip? That's
> the whole problem with worms hidden in encrypted zips. If the scanner could
> open them to see what files were there, it would just scan the files normally.

Typically, even for an encrypted zip file, its TOC is still clear text.
So, if unzip -l suspicious.zip | grep "I am a virus.exe"
is successful, you can safely remove it without even unpacking it
:)

Lars Ellenberg

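The point Lars makes, worked through as an added example (not code from the thread): a parser that reads only a ZIP's central directory, reports each member's name and "encrypted" flag, and rejects the archive on the extension deny-list Tom Knight proposed. The sample archive is constructed with the standard zipfile module and then has its encrypted flag bits set by hand, since zipfile cannot write password-protected archives; the member names and the extra extensions beyond .exe/.com are assumptions.

```python
import io
import struct
import zipfile

# Deny-list per the thread (.exe, .com "etc etc"); .scr/.pif are an added assumption.
BLOCKED_EXT = (".exe", ".com", ".scr", ".pif")

def _cd_entries(data: bytes):
    """Yield (offset, flags, name) for each central-directory header, found via
    the end-of-central-directory record; member data is never read."""
    eocd = data.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    n_entries, _cd_size, pos = struct.unpack_from("<HII", data, eocd + 10)
    for _ in range(n_entries):
        if data[pos:pos + 4] != b"PK\x01\x02":
            raise ValueError("corrupt central directory")
        flags = struct.unpack_from("<H", data, pos + 8)[0]
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        raw = data[pos + 46:pos + 46 + name_len]
        yield pos, flags, raw.decode("utf-8" if flags & 0x800 else "cp437")  # bit 11: UTF-8
        pos += 46 + name_len + extra_len + comment_len

def list_toc(data: bytes):
    """Return [(name, encrypted)]; bit 0 of the flags marks an encrypted member."""
    return [(name, bool(flags & 0x1)) for _, flags, name in _cd_entries(data)]

def blocked_entries(data: bytes):
    """Names matching the deny-list; a non-empty result means reject the mail."""
    return [n for n, _ in list_toc(data) if n.lower().endswith(BLOCKED_EXT)]

def mark_encrypted(data: bytes) -> bytes:
    """Set bit 0 on every central-directory entry so the constructed sample carries
    the header bits of a real password-protected zip; names stay readable either way."""
    buf = bytearray(data)
    for pos, flags, _ in _cd_entries(data):
        struct.pack_into("<H", buf, pos + 8, flags | 0x1)
    return bytes(buf)

def make_sample() -> bytes:
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        zf.writestr("readme.txt", "plain text")
        zf.writestr("I am a virus.exe", "not a real executable")  # constructed, harmless
    return mark_encrypted(out.getvalue())

if __name__ == "__main__":
    sample = make_sample()
    print(list_toc(sample), blocked_entries(sample))  # reject: ['I am a virus.exe']
```

Only member data is encrypted in a password-protected archive, so the same listing works on real ones; an attachment whose central directory does not parse is better held for inspection than passed through.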