Vulnerability Development mailing list archives

RE: Antivirus scanner DoS with zip archives


From: Paul Rogers <paul.rogers () mis-cds com>
Date: Fri, 13 Jul 2001 11:40:48 +0100


Apologies for not posting this sooner, but I have been extremely
busy.

Your comment regarding MAIL/MIMESweeper is indeed correct. The 42.zip
file (mentioned later on in the thread) consumed all available
resources on MAILSweeper version 4.2.1 (CPU, memory and free hard
disk space). In fact it took a while for us to remove all presence of
the mail from the system.

I also tested the 42.zip file on Sophos AV (version 3.4.6 on Windows
2000) and F-Secure AV 5.02 and 5.21 (both on NT4). Sophos handled the
file ok and scanned it happily without consuming extreme amounts of
resources; disk space, CPU and memory usage were not affected in a
drastic way.

However, when tested on F-Secure, CPU resources were 100% utilised and
the system began responding slower and slower to keypresses, mouse
clicks, etc... as well as hard disk space being consumed. The
processes could not be killed from Task Manager on NT4 / Windows 2000
and the system became unusable so a reboot was in order.

I have contacted F-Secure but they are still unable to confirm
whether the number of levels (archive within an archive within an
archive...) can be reduced. They assure us that the feature is present in
F-Secure AV for Firewalls version 6.

Due to time constraints and my full calendar, I have been unable to
test this any further on a range of other systems.

Cheers,

Paul Rogers,
Network Security Analyst.

MIS Corporate Defence Solutions Limited

Tel:            +44 (0)1622 723422 (Direct Line)
                +44 (0)1622 723400 (Switchboard)
Fax:            +44 (0)1622 728580 
Website:        http://www.mis-cds.com/

-----Original Message-----
From: Michel Arboi [mailto:arboi () yahoo com]
Sent: 17 June 2001 23:11
To: VULN-DEV () securityfocus com
Subject: Antivirus scanner DoS with zip archives

** Mail snipped ** 


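As an added defensive illustration (not part of Paul's post or the original thread), here is a bounded recursive zip inspector of the kind a scanner needs to survive the nested-archive case discussed above: it caps nesting depth, cumulative uncompressed size and per-member compression ratio using the sizes the zip central directory declares, so the archive is rejected before CPU or disk are exhausted. The limit values and the `build_nested` fixture are constructed for this example.

```python
import io
import zipfile


class ArchiveLimitExceeded(Exception):
    """Raised as soon as a nesting, size or ratio limit is hit."""


def inspect_zip(data, max_depth=5, max_total=50 * 1024 * 1024, max_ratio=100):
    """Recursively walk a zip blob, enforcing limits before decompressing.

    Returns {"members", "bytes", "max_depth"} for a well-behaved archive and
    raises ArchiveLimitExceeded instead of letting CPU/disk run away.
    """
    stats = {"members": 0, "bytes": 0, "max_depth": 0}

    def walk(blob, depth):
        if depth > max_depth:
            raise ArchiveLimitExceeded(f"nesting deeper than {max_depth} levels")
        stats["max_depth"] = max(stats["max_depth"], depth)
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                stats["members"] += 1
                # The central directory declares both sizes up front, so the
                # ratio and budget checks run BEFORE any decompression.
                if info.compress_size and info.file_size / info.compress_size > max_ratio:
                    raise ArchiveLimitExceeded(f"{info.filename}: compression ratio too high")
                stats["bytes"] += info.file_size
                if stats["bytes"] > max_total:
                    raise ArchiveLimitExceeded("cumulative uncompressed size exceeded")
                # zipfile reads at most the declared size and verifies the CRC,
                # so a lying header ends in BadZipFile rather than unbounded output.
                member = zf.read(info)
                if zipfile.is_zipfile(io.BytesIO(member)):
                    walk(member, depth + 1)

    walk(data, 0)
    return stats


def build_nested(levels, payload=b"hello", compression=zipfile.ZIP_STORED):
    """Constructed test fixture: wrap a small payload in `levels` zip archives."""
    blob, name = payload, "payload.txt"
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", compression) as zf:
            zf.writestr(name, blob)
        blob, name = buf.getvalue(), f"level{i}.zip"
    return blob
```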
