Information Security News mailing list archives

Re: .zip files putting the zap on antivirus products


From: InfoSec News <isn () c4i org>
Date: Fri, 13 Feb 2004 08:19:26 -0600 (CST)

Forwarded from: Russell Coker <russell () coker com au>

On Thu, 12 Feb 2004 23:44, InfoSec News <isn () c4i org> wrote:
Forwarded from: Cuadros Alvaro <acuadros () bancomercantil com bo>

I wouldn't consider that a serious problem. Zipping (compressing)
a file has its limits; you cannot compress beyond what the
compression algorithms allow you to. Just try to zip or rar a file
20 times: the result is going to be the same at the end as the
one you had in the third round.

It is a serious problem.  Files consisting of only zeros compress
really well.  The compression ratio is determined by the block size
for run-length compression and the size of the encoded blocks.  A
quick test with gzip (which AFAIK implements similar algorithms to
zip) compressed 100M of zeros to just under 100K (better than 1024:1
compression).

For business email 5M-10M attachments are common; such attachments
would permit 5G or 10G of compressed data.  Many virus scanners don't
have 10G of disk space free.  Also, most virus scanners are configured
to scan messages in parallel, so if 50 messages with 10G of compressed
data each were sent through at the same time it would probably stop any
anti-virus system.

I also did a test of bzip2 compression, it compressed 100M of zeros to
120 bytes...

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
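The measurements Russell describes above (runs of zeros deflating at roughly 1000:1, bzip2 doing far better) are easy to reproduce, and the practical defence for a scanner is to cap the number of bytes it is willing to inflate rather than trust the sizes declared in the archive. The following is an added example written for this archive page, not code from anyone in the thread: it builds an in-memory .zip of NUL bytes (constructed input), reports the deflate and bzip2 ratios, and shows a bounded extraction that stops inflating as soon as a caller-supplied limit is exceeded. The member name `zeros.bin`, the helper names and the 10 MB sample size are all choices made for this example.

```python
"""Added example (not from the thread): reproduce the zeros-compression
measurements and show a bounded inflation check for archive scanners."""
import bz2
import io
import zipfile
import zlib


def make_zero_zip(n_bytes: int, member: str = "zeros.bin") -> bytes:
    """Build an in-memory .zip whose single member is n_bytes of NUL bytes.
    This is constructed input standing in for a mailed attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED,
                         compresslevel=9) as zf:
        zf.writestr(member, b"\x00" * n_bytes)
    return buf.getvalue()


def zero_ratios(n_bytes: int) -> dict:
    """Compression ratio (original / compressed) for n_bytes of zeros under
    raw deflate (what zip and gzip use) and bzip2, to compare with the
    figures quoted in the message above."""
    zeros = b"\x00" * n_bytes
    deflated = zlib.compress(zeros, 9)
    bzipped = bz2.compress(zeros, 9)
    return {
        "deflate_bytes": len(deflated),
        "deflate_ratio": n_bytes / len(deflated),
        "bzip2_bytes": len(bzipped),
        "bzip2_ratio": n_bytes / len(bzipped),
    }


def inflate_bounded(zip_bytes: bytes, member: str, max_out: int,
                    check_header: bool = True, chunk: int = 65536):
    """Inflate one archive member but refuse to produce more than max_out
    bytes.  Returns (ok, bytes_produced).

    The declared file_size in the central directory is checked first only
    as a cheap early reject; it is attacker-controlled, so the real guard is
    counting the bytes actually inflated and aborting mid-stream.  Nothing
    is written to disk, so a bomb cannot fill the scanner's spool."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        info = zf.getinfo(member)
        if check_header and info.file_size > max_out:
            return False, 0
        produced = 0
        with zf.open(info) as fh:
            while True:
                data = fh.read(chunk)      # inflates incrementally
                if not data:
                    break
                produced += len(data)
                if produced > max_out:     # stop before the cap is far exceeded
                    return False, produced
        return True, produced


if __name__ == "__main__":
    sample = 10_000_000                   # 10 MB of zeros, kept small for speed
    print(zero_ratios(sample))
    archive = make_zero_zip(sample)
    print("zip size:", len(archive), "ratio:", sample / len(archive))
    print(inflate_bounded(archive, "zeros.bin", max_out=sample))
    print(inflate_bounded(archive, "zeros.bin", max_out=1_000_000,
                          check_header=False))
```

Scaling the sample to the 100M in the message takes the same code and only more memory; the ratios stay in the same range because deflate's gain on a run of zeros is bounded by its 258-byte maximum match length, which is why bzip2's block-based run-length stage does so much better.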



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

