Vulnerability Development mailing list archives

Hotmail antivirus still does not clean recursive archives


From: Michel Arboi <arboi () yahoo com>
Date: Fri, 21 Dec 2001 11:44:57 +0100 (CET)

[this post was rejected on Bugtraq. I just sent this to Hotmail through
the "Contact us" page, but I am not sure it will ever reach the right
person]

I signaled this some months ago on VULN-DEV, and it is not fixed yet.
The test:
- create the "A.zip" archive with eicar.com (or a real nasty code) in
it.
- create "B.zip" with "A.zip" in it.

Send both to some Hotmail account.
Try to download A.zip. McAfee will tell you that it contains a virus
and must be cleaned. The download fails because "there is no cure
available for the virus on the file A.zip" (cleaning a test file does
not make much sense :)
You were warned: "Not all viruses can be cured. Your file will not be
downloaded unless a cure is successful."

Now try to download B.zip. The download will succeed and McAfee says
that the file was cleaned. However, the "double" archive still
contains eicar.
I tried with Magister, BTW, and I got the same behaviour.

Note that the user has to launch the virus/worm/whatever. However, if
you create self-extractor archives, this works too: A.exe is blocked,
B.exe is _supposed_ to be cleaned. If you run B.exe, it can automatically
run A.exe, which can run the virus.

IMHO, a wrong feeling of security is worse than no security at all.

AFAIK, this is not a bug in McAfee, but in its implementation at
Hotmail.
On the same "double" archive, Yahoo sent an odd error message but did
not say it was cleaned.


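The nested-archive test from the post, seen from the scanner's side, as an added example that is not part of the original post and not Hotmail or McAfee code: a recursive scan that returns "unscanned" instead of "clean" whenever it cannot inspect every layer. The substring match stands in for a real signature engine; `scan`, `make_zip`, `build_samples` and the limits are assumed names and values.

```python
import io
import zipfile

# EICAR test string, split so this file does not itself trip a scanner.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-" + b"ANTIVIRUS-TEST-FILE!$H+H*"
MAX_MEMBER_BYTES = 16 * 1024 * 1024  # assumed policy limit, not from the post


def scan(data, name, max_depth=8, depth=0):
    """Return (verdict, findings); verdict is 'infected', 'clean' or 'unscanned'."""
    # 'unscanned' = some content was not inspected, so never report it as clean.
    findings, complete = [], True
    if EICAR in data:  # stand-in for a real signature engine
        findings.append(name)
    if zipfile.is_zipfile(io.BytesIO(data)):
        if depth >= max_depth:
            complete = False  # nesting limit hit: fail closed
        else:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    if info.flag_bits & 0x1 or info.file_size > MAX_MEMBER_BYTES:
                        complete = False  # encrypted or oversized member
                        continue
                    verdict, inner = scan(zf.read(info), f"{name}/{info.filename}",
                                          max_depth, depth + 1)
                    findings += inner
                    complete = complete and verdict != "unscanned"
    if findings:
        return "infected", findings
    return ("clean" if complete else "unscanned"), findings


def make_zip(members):
    """Build a deflated zip in memory from {filename: bytes} (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for filename, content in members.items():
            zf.writestr(filename, content)
    return buf.getvalue()


def build_samples():
    """A.zip holds eicar.com; B.zip holds A.zip, as in the post's test."""
    a_zip = make_zip({"eicar.com": EICAR})
    return a_zip, make_zip({"A.zip": a_zip})
```

With `max_depth=1` the scanner opens B.zip but not the A.zip inside it, and the verdict for B.zip is "unscanned", not "clean".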
