Mailinglist Archive: opensuse-security (485 mails)

RE: AW: [suse-security] NAI on unix do not find actual virus
  • From: "Tom Knight" <thomas.knight@xxxxxxxxxx>
  • Date: Thu, 11 Mar 2004 08:57:09 -0000
  • Message-id: <ICELJOHAGNAFJPFMMBKOKEAOCFAA.thomas.knight@xxxxxxxxxx>


> -----Original Message-----
> From: Don Parris [mailto:dcparris@xxxxxxxxxxxxx]
> Sent: 10 March 2004 18:11
> To: suse-security@xxxxxxxx
> Subject: Re: AW: [suse-security] NAI on unix do not find actual virus
>
>
> On Wed, 10 Mar 2004 12:53:31 +0100
> "Mrvka Andreas" <mrv@xxxxxxx> wrote:
>
> >>
> >>
> >>>-----Original Message-----
> >>>From: Tom Knight [mailto:thomas.knight@xxxxxxxxxx]
> >>>Sent: Wednesday, 10 March 2004 12:34
> >>>
> >>>> -----Original Message-----
> >>>> From: GarUlbricht7@xxxxxxxxxxxx [mailto:GarUlbricht7@xxxxxxxxxxxx]
> >>>> Sent: 10 March 2004 07:49
> >>>>
> >>>> "Mrvka Andreas" <mrv@xxxxxxx> wrote:
> >>>> >
> >>>> > hi,
> >>>> >
> >>>> > i use the NAI product for my SuSE Linux 9 distribution.
> >>>> > VirusScan for Unix: with actual engine and Dat file...
> >>>>
> >>>> ----<text snipped>---
> >>>>
> >>>> > i copied the exe file out of the zip file and ran the uvscan but
> >>>> > nevertheless i was unsuccessful :-(
> >>>> >
> >>>>
> >>>> And you are unhappy ???
> >>
> >>yes, i AM unhappy!
> >>for a mailserver virus scanning it's so nice, to let viruses go through...
> >>
> >>>>
> >>>> My father has a saying:
> >>>>
> >>>> "Don't go looking for trouble,
> >>>> it will find you soon enough."
> >>>>
> >>>> Unless you have a test environment that is off the web, please don't
> >>>> go opening up strange files...
> >>>>
> >>>
> >>>Indeed.
> >>>
> >>>Looking at this again, you probably want to test using the
> >>>eicar test file,
> >>>http://www.eicar.org/anti_virus_test_file.htm. It's a harmless
> >>>text file that all AV software detects as a virus.
> >>>
> >>>No I won't send it to you - my mail server probably wouldn't
> >>>let it through!
> >>
> >>i know this virus.
> >>in fact, my virus scan detects all viruses except this one which
> >>is in a password protected zip file.
> >>
> >>NAI's product based on microsoft servers can detect him.
> >>
> >>I try to ask NAI directly, as i read here...
> >>
> >>>
> >>>Tom.
> >>>
> >>
> >>thanks,
> >>Andrew
> >>
>
> Is it not well known that the virus scanners are not able to detect
> this virus precisely because it is in a password protected zip file?
> The Virus SWAT team at my job posed this very issue when announcing
> the virus to employees. The team instructed employees to delete the
> e-mail, or forward it to the team for analysis. The password is
> supposed to be included in the body of the e-mail, which you're
> supposed to open yourself so the virus can then do its thing. The
> whole purpose, I gather, for putting the virus in the zip file was to
> avoid detection by the scanners. I was not aware that NAI had the
> ability to detect the virus on Windows servers.

Has anyone here tried the possible method I mentioned in an earlier post?

"Okay, how to get round this?

Possibly tell your scanner to reject .zip files containing
files with extension .exe+. .com+ etc etc.

I haven't actually received a single one of these .zip files,
but the above tip was one I saw on the NTBugTraq list which
apparently works with Norton Anti-Virus for Exchange V2.1. I
imagine amavis/clamAV would be able to be configured this way."

Tom.
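
The filter suggested above (reject .zip attachments whose member names end in .exe, .com and so on), as an added example that is not part of the original post and not code from NAI, amavis or ClamAV. It relies on the fact that classic ZIP password protection leaves member names readable; the function names, the extra extensions beyond .exe/.com, the fail-closed choice and the sample archives are assumptions constructed for this illustration.

```python
import io
import zipfile

# .exe and .com come from the post; the remaining extensions are assumed.
BLOCKED_EXTENSIONS = (".exe", ".com", ".scr", ".pif", ".bat")


def blocked_members(zip_bytes: bytes) -> list[tuple[str, bool]]:
    """Return (name, is_encrypted) for every member with a blocked extension.

    Only the central directory is read, so no password is needed: classic
    ZIP encryption protects member data, not member names.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Windows ignores trailing dots and spaces in file names.
            name = info.filename.rstrip(". ").lower()
            if name.endswith(BLOCKED_EXTENSIONS):
                # Bit 0 of the general-purpose flags marks an encrypted member.
                hits.append((info.filename, bool(info.flag_bits & 0x1)))
    return hits


def should_reject(zip_bytes: bytes) -> bool:
    """Reject when a member is blocked, or (assumed policy) when unparseable."""
    try:
        return bool(blocked_members(zip_bytes))
    except zipfile.BadZipFile:
        return True  # fail closed: the scanner cannot inspect it either


def build_sample(names, encrypted=False) -> bytes:
    """Constructed sample: a stored ZIP holding harmless text members."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_STORED) as zf:
        for name in names:
            zf.writestr(name, "harmless placeholder text")
    raw = bytearray(out.getvalue())
    if encrypted:
        # Set flag bit 0 in each local (offset 6) and central (offset 8)
        # header so the archive looks password protected to a parser.
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = raw.find(sig)
            while pos != -1:
                raw[pos + off] |= 0x01
                pos = raw.find(sig, pos + 4)
    return bytes(raw)
```
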


