Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
RE: AW: [suse-security] NAI on unix do not find actual virus
From: Dana Hudes (dhudestcp-ip.info)
Date: Thu Mar 11 2004 - 20:26:21 CST
Seems to me that while the method of executing in a controlled/simulated
environment wouldn't work that once its known what the virus is you just
check for the bitpattern like anything else. If you use enough bits
its highly unlikely to match any other file, encrypted or otherwise.
On Thu, 11 Mar 2004 suserio.vg wrote:
> Quoting Tom Knight <thomas.knightahds.ac.uk>:
> > Has anyone here tried the possible method I mentioned in an earlier post?
> > "Okay, how to get round this?
> > Possibly tell your scanner to reject .zip files containing
> > files with extension .exe+. .com+ etc etc.
> > I haven't actually received a single one of these .zip files,
> > but the above tip was one I saw on the NTBugTraq list which
> > apparently works with Norton Anti-Virus for Exchange V2.1. I
> > imagine amavis/clamAV would be able to be configured this way."
> And how would the scanner know what files were in the *ENCRYPTED* zip? That's
> the whole problem with worms hidden in encrypted zips. If the scanner could
> open them to see what files were there, it would just scan the files normally.
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-helpsuse.com
Security-related bug reports go to securitysuse.de, not here