Vulnerability Development mailing list archives
RE: Antivirus scanner DoS with zip archives
From: Paul Rogers <paul.rogers () mis-cds com>
Date: Fri, 13 Jul 2001 11:40:48 +0100
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Apologies for not posting this sooner, but I have been extremely busy.

Your comment regarding MAIL/MIMESweeper is indeed correct. The 42.zip file (mentioned later on in the thread) consumed all available resources on MAILSweeper version 4.2.1 (CPU, memory and free hard disk space). In fact it took a while for us to remove all presence of the mail from the system.

I also tested the 42.zip file on Sophos AV (version 3.4.6 on Windows 2000) and F-Secure AV 5.02 and 5.21 (both on NT4).

Sophos handled the file ok and scanned it happily without consuming extreme amounts of resources; disk space, CPU and memory usage was not affected in a drastic way.

However when tested on F-Secure, CPU resources were 100% utilised and the system began responding slower and slower to keypresses, mouse clicks, etc... as well as hard disk space being consumed. The processes could not be killed from Task Manager on NT4 / Windows 2000 and the system became unusable so a reboot was in order.

I have contacted F-Secure but they are still unable to confirm whether the number of levels (archive within an archive within an archive...) can be reduced. They assure the feature is present in F-Secure AV for Firewalls version 6.

Due to time constraints and my full calendar, I have been unable to test this any further on a range of other systems.

Cheers,

Paul Rogers,
Network Security Analyst.

MIS Corporate Defence Solutions Limited
Tel: +44 (0)1622 723422 (Direct Line)
     +44 (0)1622 723400 (Switchboard)
Fax: +44 (0)1622 728580
Website: http://www.mis-cds.com/

-----Original Message-----
From: Michel Arboi [mailto:arboi () yahoo com]
Sent: 17 June 2001 23:11
To: VULN-DEV () securityfocus com
Subject: Antivirus scanner DoS with zip archives

** Mail snipped **

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.3

iQA/AwUBO07RxrnKcoQ5QY/3EQIpSQCeKfu7aPYbIQdN99B+FBzmU5ZcN+AAoMjf
yym1Yo21/G/hn4KvIWkKEAvy
=P2R6
-----END PGP SIGNATURE-----
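
The "number of levels" limit discussed in the message above, sketched as an added example that is not part of the original post or of any vendor's scanner: a recursive zip inspector that stops at a nesting-depth, member-count or decompressed-size budget instead of expanding everything. The function names and default limits are assumptions chosen for illustration, and `make_nested` builds a small constructed test archive.

```python
import io
import zipfile

class ArchiveLimitExceeded(Exception):
    """An archive exceeded one of the scanner's resource budgets."""

def scan_zip(data, max_depth=3, max_total_bytes=10 * 1024 * 1024, max_members=1000):
    """Recursively inspect a zip under hard limits; return (members, bytes) seen."""
    seen = {"members": 0, "bytes": 0}

    def walk(blob, depth):
        if depth > max_depth:
            raise ArchiveLimitExceeded(f"nested more than {max_depth} levels deep")
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                seen["members"] += 1
                if seen["members"] > max_members:
                    raise ArchiveLimitExceeded("member count limit exceeded")
                buf = bytearray()
                with zf.open(info) as fh:
                    # Count bytes as they are produced so the scan stops at the
                    # budget instead of after a full expansion.
                    while chunk := fh.read(64 * 1024):
                        buf += chunk
                        if seen["bytes"] + len(buf) > max_total_bytes:
                            raise ArchiveLimitExceeded("decompressed size limit exceeded")
                seen["bytes"] += len(buf)
                if zipfile.is_zipfile(io.BytesIO(buf)):
                    walk(bytes(buf), depth + 1)  # archive within an archive

    walk(data, 1)
    return seen["members"], seen["bytes"]

def make_nested(levels, payload=b"constructed sample payload"):
    """Build a small constructed test archive nested `levels` deep."""
    blob, name = payload, "payload.txt"
    for _ in range(levels):
        out = io.BytesIO()
        with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, blob)
        blob, name = out.getvalue(), "inner.zip"
    return blob
```

A scanner that hits one of these limits should treat the message as unscannable and quarantine or reject it, so that an over-budget archive is never passed through as clean.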