From: Paul Rogers (paul.rogers mis-cds.com)
Date: Fri Jul 13 2001 - 05:40:48 CDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Apologies for not posting this sooner, but I have been extremely
busy.

Your comment regarding MAIL/MIMESweeper is indeed correct. The 42.zip
file (mentioned later on in the thread) consumed all available
resources on MAILSweeper version 4.2.1 (CPU, memory and free hard
disk space). In fact it took a while for us to remove all presence of
the mail from the system.

I also tested the 42.zip file on Sophos AV (version 3.4.6 on Windows
2000) and F-Secure AV 5.02 and 5.21 (both on NT4). Sophos handled the
file ok and scanned it happily without consuming extreme amounts of
resources; disk space, CPU and memory usage was not affected in a
drastic way.

However when tested on F-Secure, CPU resources were 100% utilised and
the system began responding slower and slower to keypresses, mouse
clicks, etc... as well as hard disk space being consumed. The
processes could not be killed from Task Manager on NT4 / Windows 2000
and the system became unusable so a reboot was in order.

I have contacted F-Secure but they are still unable to confirm
whether the number of levels (archive within an archive within an
archive...) can be reduced. They assure the feature is present in
F-Secure AV for Firewalls version 6.

Due to time constraints and my full calendar, I have been unable to
test this any further on a range of other systems.

Cheers,
Paul Rogers,
Network Security Analyst.
MIS Corporate Defence Solutions Limited
Tel: +44 (0)1622 723422 (Direct Line)
+44 (0)1622 723400 (Switchboard)
Fax: +44 (0)1622 728580
Website: http://www.mis-cds.com/
> -----Original Message-----
> From: Michel Arboi [mailto:arboi yahoo.com]
> Sent: 17 June 2001 23:11
> To: VULN-DEV securityfocus.com
> Subject: Antivirus scanner DoS with zip archives
>
** Mail snipped **
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.3
iQA/AwUBO07RxrnKcoQ5QY/3EQIpSQCeKfu7aPYbIQdN99B+FBzmU5ZcN+AAoMjf
yym1Yo21/G/hn4KvIWkKEAvy
=P2R6
-----END PGP SIGNATURE-----
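
A scanner-side guard against the nested-archive resource exhaustion reported in this message, as an added example that is not part of the original post or any vendor's code: it caps both the number of archive levels and the total bytes decompressed. The function names, limits and the small sample archive are assumptions constructed for illustration.

```python
import io
import zipfile

class ArchiveLimitExceeded(Exception):
    """Raised when an archive exceeds the scanner's resource budget."""

def scan_zip(data, max_depth=3, max_total_bytes=50 * 1024 * 1024,
             _depth=1, _budget=None):
    """Walk a zip, and zips nested inside it, under a depth and size budget.

    Returns the number of uncompressed bytes read. Members are decompressed
    in memory in chunks, so nothing is written to disk.
    """
    if _depth > max_depth:
        raise ArchiveLimitExceeded(f"nesting deeper than {max_depth} levels")
    budget = _budget if _budget is not None else [max_total_bytes]
    start = budget[0]
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            buf = io.BytesIO()
            with zf.open(info) as member:
                # Count bytes as they are produced, and stop as soon as the
                # shared budget for the whole scan is used up.
                while chunk := member.read(64 * 1024):
                    budget[0] -= len(chunk)
                    if budget[0] < 0:
                        raise ArchiveLimitExceeded("uncompressed size budget exhausted")
                    buf.write(chunk)
            inner = buf.getvalue()
            if zipfile.is_zipfile(io.BytesIO(inner)):
                # Archive within an archive: recurse one level deeper.
                scan_zip(inner, max_depth, max_total_bytes, _depth + 1, budget)
    return start - budget[0]

def make_nested_zip(levels, payload=b"\0" * 1_000_000):
    """Constructed sample input: `payload` wrapped in `levels` zip layers."""
    data = payload
    for i in range(levels):
        out = io.BytesIO()
        with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(f"level{i}.bin", data)
        data = out.getvalue()
    return data

if __name__ == "__main__":
    print("2 levels:", scan_zip(make_nested_zip(2)), "bytes scanned")
    try:
        scan_zip(make_nested_zip(5))
    except ArchiveLimitExceeded as exc:
        print("5 levels rejected:", exc)
```

The byte budget is shared across all levels, so a shallow archive with a very high compression ratio is stopped by the same check as a deep one.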