Vulnerability Development mailing list archives

Re: Antivirus/Trojan/Spyware scanners DoS [summary]


From: npguy <npguy () websurfer com np>
Date: Wed, 16 Jun 2004 09:25:56 +0545

I believe further research should be done to confirm,

*ClamAV version 0.07, 0.72
*eTrust InoculateIT version 6.0


You do not have the complete picture, and your incomplete research is
just making everyone confused. I would rather take reference
from the old advisory that gives at least a clear background

http://www.rapid7.com/advisories/R7-0004/index.html


About clam: check "manager.c" of clam 0.15

    if(strbcasestr(filename, ".zip")) {
        char *args[] = { "unzip", "-P", "clam", "-o", (char *) filename, NULL };
        if((userprg = getargl(opt, "unzip")))
            ret = clamav_unpack(userprg, args, tmpdir, user, opt);
        else
            ret = clamav_unpack("unzip", args, tmpdir, user, opt);


Clam uses the unzip utility outside its process space. If unzip itself is
vulnerable (not in the case of Linux) then clam may face a similar problem.

Fprot is perfect! 

On Tuesday 15 June 2004 08:43 pm, Bipin Gautam wrote:
In-Reply-To: <20040614003349.4049.qmail () www securityfocus com>


*F-Prot 4.4.2 for Linux did take a considerable amount of time [avg: 90
seconds] while scanning the file; there have been conflicting reports...
whether or not F-Prot is vulnerable. But a compressed archive can be
crafted in a way so that F-Prot will take about an hour to scan....


    Are vulnerable.

Please Note: This is just a simple proof of concept, smaller archives >
10kb can be created that contain a terabyte of data...
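
Added example, not part of the original message and not ClamAV code: the manager.c excerpt above hands the archive to an external unzip, so one mitigation for archives that expand to huge sizes is to start that child under hard resource limits. The helper name run_limited and the limit values are assumptions chosen for illustration.

```c
/* Added example (not ClamAV code): run an external unpacker under hard
 * resource limits so a crafted archive cannot write huge files or spin forever. */
#include <signal.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper. Returns the child's exit status (0 = clean),
 * 128+signo if a limit or other signal killed it, -1 on fork/wait failure. */
int run_limited(char *const argv[], rlim_t max_file_bytes, rlim_t max_cpu_secs)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        struct rlimit fsz = { max_file_bytes, max_file_bytes };
        struct rlimit cpu = { max_cpu_secs, max_cpu_secs };
        /* Ignored signals survive exec, so force the limits to be fatal. */
        signal(SIGXFSZ, SIG_DFL);
        signal(SIGXCPU, SIG_DFL);
        if (setrlimit(RLIMIT_FSIZE, &fsz) != 0 || setrlimit(RLIMIT_CPU, &cpu) != 0)
            _exit(126);             /* refuse to unpack without limits */
        execvp(argv[0], argv);
        _exit(127);                 /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (WIFSIGNALED(status))
        return 128 + WTERMSIG(status);
    return WEXITSTATUS(status);
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s archive.zip outdir\n", argv[0]);
        return 2;
    }
    /* Same unzip flags as the excerpt above, plus -d for the output directory. */
    char *args[] = { "unzip", "-P", "clam", "-o", argv[1], "-d", argv[2], NULL };
    int rc = run_limited(args, 64UL * 1024 * 1024, 30); /* constructed limits */
    printf("unzip result: %d%s\n", rc, rc >= 128 ? " (killed by signal)" : "");
    return rc == 0 ? 0 : 1;
}
```

RLIMIT_FSIZE caps each file the child writes, not the total, so the output directory still needs its own quota or a fixed-size filesystem. A scanner using this should treat any non-zero result as "archive not fully scanned" rather than as clean.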

