Vulnerability Development mailing list archives

Bugs in Mac Afee AV? [Re: Antivirus scanner DoS with zip archives]


From: Michel Arboi <arboi () yahoo com>
Date: Tue, 19 Jun 2001 23:52:35 +0200 (CEST)

Still playing with those crazy Zip archives, I tried to DoS "NetShield"
on our NT file server.
It failed! NetShield does not "recurse" into Zip archives, it only
looks at the first level.
This means that it is immune to this stupid DoS attack, but malicious
code may be buried under two levels of archiving.
I am not sure this should be called a "bug", as this tool only protects
(?) file transfers from/to a server. The workstation should run other
protection software.

    ****

I then decided to look at Hotmail, as I know they use Mac Afee to check
the attachments before downloading.
I sent three e-mails with the Eicar.com test file (no! I did not
attempt to DoS hotmail :)
I attached eicar.com to the 1st one, eicar.zip (which just contained
eicar.com) to the 2nd, and eicar2.zip (which contained eicar.zip) to
the 3rd.
Mac Afee detected the test "virus" but the behaviour was strange:
Hotmail said that the 1st and 2nd messages could not be cleaned and
blocked the download, but it agreed to "clean" the 3rd one.
When eicar2.zip arrived on my hard drive, the archives were intact and
the test virus was still there.

If some user trusts the "cleaning process" by Hotmail, sending him a
virus is very easy. Once again, the workstation should be protected.

IIRC, Yahoo Mail used to provide some AV scanning (Norton?) but it
seems they stopped now (or they refuse to recognize the EICAR test
string).

        ********

I should probably contact Mac Afee, but I bet they are not the only
antivirus editors that have big problems with those "recursive"
archives.
Maybe that's only a configuration problem too...
The choice may be: either weak protection or easy denial of service
with 42.zip :-\
After all, scanning archives when you transmit them looks like a bad
idea.
Note that using some kind of unknown archive (most Windows AV cannot
open bzip2), or enciphering the archive will also defeat the detection.
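The trade-off described above (recurse into nested archives and risk a 42.zip-style denial of service, or stop at the first level and miss what is buried deeper) is easier to see in code. The following is an added example, not code from the thread or from any of the products named in it; the scanner, its budget values and the sample archives are my own construction. It recurses through nested zips but charges every member's declared uncompressed size and every entry against a shared budget before inflating anything, refuses to go deeper than a fixed level, and treats anything it could not inspect (too deep, too large, encrypted, corrupt) as rejected rather than clean. It uses the public EICAR test string as its only "signature":

```python
import io
import zipfile

# Canonical EICAR anti-virus test string (a public test file, not malware).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def build_zip(entries, compression=zipfile.ZIP_DEFLATED):
    """Build an in-memory zip from {member_name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def _read_capped(zf, info, cap):
    """Inflate one member, returning None as soon as the output exceeds `cap` bytes.
    Counting inflated bytes ourselves keeps a lying size header from defeating the budget."""
    out = io.BytesIO()
    with zf.open(info) as fh:
        while True:
            chunk = fh.read(64 * 1024)
            if not chunk:
                return out.getvalue()
            out.write(chunk)
            if out.tell() > cap:
                return None


def _scan(data, name, depth, max_depth, budget):
    if EICAR in data:
        return ("infected", name)
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return ("clean", name)
    if depth >= max_depth:
        # An archive we are not allowed to open: unscanned content is rejected, never passed as clean.
        return ("rejected", f"{name}: nested deeper than {max_depth} levels")
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                member = f"{name}/{info.filename}"
                # Charge the declared size against the shared budget *before* inflating, so a
                # 42.zip-style bomb is refused on its headers instead of by exhausting memory.
                budget["entries"] -= 1
                budget["bytes"] -= info.file_size
                if budget["entries"] < 0 or budget["bytes"] < 0:
                    return ("rejected", f"{member}: declared size or entry count exceeds scan budget")
                content = _read_capped(zf, info, info.file_size)
                if content is None:
                    return ("rejected", f"{member}: inflated past its declared size")
                verdict = _scan(content, member, depth + 1, max_depth, budget)
                if verdict[0] != "clean":
                    return verdict
    except RuntimeError:
        # zipfile raises RuntimeError for password-protected members: cannot inspect, so reject.
        return ("rejected", f"{name}: encrypted member, content cannot be scanned")
    except zipfile.BadZipFile:
        return ("rejected", f"{name}: corrupt or unsupported archive")
    return ("clean", name)


def scan(data, name="<input>", max_depth=8, max_bytes=50 * 1024 * 1024, max_entries=10_000):
    """Scan bytes, recursing through nested zips within a depth, size and entry budget.
    Returns one of ("infected", path), ("clean", path) or ("rejected", reason)."""
    budget = {"bytes": max_bytes, "entries": max_entries}
    return _scan(data, name, 0, max_depth, budget)


if __name__ == "__main__":
    # Constructed samples mirroring the three attachments in the post.
    eicar_zip = build_zip({"eicar.com": EICAR})
    eicar2_zip = build_zip({"eicar.zip": eicar_zip})
    print("first level only :", scan(eicar2_zip, "eicar2.zip", max_depth=1))
    print("recursive        :", scan(eicar2_zip, "eicar2.zip"))
    big = build_zip({"big.bin": b"\0" * (2 * 1024 * 1024)})
    print("oversized member :", scan(big, "big.zip", max_bytes=1024 * 1024))
```

With `max_depth=1` the scanner behaves like a first-level-only product on eicar2.zip except for the verdict: it cannot see eicar.com, but it reports "rejected" instead of letting the archive through, which is the policy that makes the post's "cleaned" eicar2.zip impossible. The oversized member is refused from its header alone, before any inflation, which is what keeps full recursion affordable.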


