Bugtraq mailing list archives

Re: Anti Virus Mailscanners DOS


From: "David F. Skoll" <dfs () roaringpenguin com>
Date: Mon, 25 Feb 2002 19:16:53 -0500 (EST)

On Mon, 25 Feb 2002, Eduardo R. Maciel wrote:

> Most virus scanners look inside compressed files. There are
> still several viruses that are not "email contamination" specific. So
> I believe that it's not wrong to look inside compressed archives, BUT
> it should check the size of files inside the compressed archive
> beforehand.

In general, you cannot check the size of compressed files without
uncompressing.  For example, with a tar.gz, you have to uncompress
the whole thing.

Limiting the size you scan could also allow viruses to escape
undetected, viz:

(cat small_x86_code; \
 dd if=/dev/zero bs=1k count=10k; \
 cat viral_payload) | gzip -9 > file.gz

I assume that small_x86_code contains an .exe header plus code to jump
past the 10Meg of zeros.

So because you can get around scanners which limit the size of the
scan, and you can DoS scanners which do not limit the size, you might
as well not bother scanning compressed or archived files at all, except
under manual control.

--
David.
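The size limit discussed in this thread can be enforced while an archive is being expanded rather than after, so that a member engineered to inflate to gigabytes costs the scanner only a bounded amount of work before it is rejected. The following Python is an added example for illustration; it is not from the post, from Bugtraq, or from any scanner product. The names bounded_gunzip, scan_verdict, DecompressionLimit, build_sample and BENIGN_PAYLOAD are this example's own, and both gzip inputs are constructed inline.

```python
"""
Added example (not part of the original post): bounded gzip expansion for a
mail scanner, so that highly compressible filler is rejected after a fixed
amount of work instead of filling memory or disk.
"""
import gzip
import io
import zlib

# Constructed sample payload standing in for an ordinary attachment.
BENIGN_PAYLOAD = b"hello, this is a normal attachment\n" * 30


class DecompressionLimit(Exception):
    """Raised when decompressed output would exceed a configured bound."""


def build_sample(payload: bytes) -> bytes:
    """Constructed test input: gzip the payload at maximum compression."""
    return gzip.compress(payload, compresslevel=9)


def gzip_trailer_isize(data: bytes) -> int:
    """Return ISIZE from the gzip trailer (uncompressed length mod 2**32).

    Untrusted hint only: the field is written by whoever made the file,
    wraps at 4 GiB, and says nothing about members inside a tar, so it
    cannot replace a cap enforced while decompressing.
    """
    if len(data) < 18 or data[:2] != b"\x1f\x8b":
        raise ValueError("not a gzip stream")
    return int.from_bytes(data[-4:], "little")


def bounded_gunzip(data: bytes, max_out: int, max_ratio: float = 100.0,
                   chunk: int = 64 * 1024) -> bytes:
    """Decompress a gzip stream, aborting as soon as the output exceeds
    max_out bytes or the expansion ratio exceeds max_ratio.

    wbits=31 selects the gzip wrapper; max_length on decompress() caps how
    much output each call may emit, so the bound is checked incrementally
    rather than after a full expansion has already been materialised.
    """
    d = zlib.decompressobj(wbits=31)
    out = io.BytesIO()
    produced = 0
    buf = data
    while not d.eof:
        piece = d.decompress(buf, chunk)
        produced += len(piece)
        if produced > max_out:
            raise DecompressionLimit(f"output exceeds {max_out} bytes")
        if produced / len(data) > max_ratio:
            raise DecompressionLimit(f"expansion ratio exceeds {max_ratio}:1")
        out.write(piece)
        buf = d.unconsumed_tail  # input zlib has not consumed yet
        if not buf and not piece and not d.eof:
            raise ValueError("truncated gzip stream")
    return out.getvalue()


def scan_verdict(data: bytes, max_out: int = 1024 * 1024) -> dict:
    """Decide whether an archive may be handed on to the content scanner.

    Over-limit archives are rejected outright rather than scanned in part:
    scanning only a prefix is what the post shows can be sidestepped.
    """
    try:
        body = bounded_gunzip(data, max_out)
    except DecompressionLimit as exc:
        return {"ok": False, "reason": str(exc), "size": None}
    except (ValueError, zlib.error) as exc:
        return {"ok": False, "reason": f"malformed: {exc}", "size": None}
    return {"ok": True, "reason": "", "size": len(body)}


if __name__ == "__main__":
    # Constructed samples: a small benign text and 4 MiB of zeros, the kind
    # of highly compressible filler the thread discusses.
    benign = build_sample(BENIGN_PAYLOAD)
    filler = build_sample(b"\x00" * (4 * 1024 * 1024))
    for name, blob in (("benign", benign), ("filler", filler)):
        print(name, len(blob), "compressed bytes; ISIZE hint",
              gzip_trailer_isize(blob), scan_verdict(blob))
```

The ISIZE trailer is read only as a hint because it is set by the file's producer and wraps at 4 GiB; the real limit is applied to the output stream as it is generated. A gzip'd tar is handled the same way, since the member sizes inside it are only visible once the outer stream is expanded, which is exactly where this cap applies.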

