[24428] in bugtraq
Re: Anti Virus Mailscanners DOS
daemon@ATHENA.MIT.EDU (David F. Skoll)
Tue Feb 26 19:57:53 2002
Date: Mon, 25 Feb 2002 19:16:53 -0500 (EST)
From: "David F. Skoll" <dfs@roaringpenguin.com>
To: "Eduardo R. Maciel" <maciel@inetd.com.br>
Cc: bugtraq@securityfocus.com
In-Reply-To: <20020225210414.13bbfe30.maciel@inetd.com.br>
Message-ID: <Pine.LNX.4.44.0202251913170.1121-100000@shishi.roaringpenguin.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Mon, 25 Feb 2002, Eduardo R. Maciel wrote:

> Most virus scanners look inside compressed files. There are
> still several viruses that are not "email contamination" specific. So
> I believe that it's not wrong to look inside compressed archives, BUT
> it should check the size of files inside the compressed archive
> before.

In general, you cannot check the size of compressed files without
uncompressing. For example, with a tar.gz, you have to uncompress
the whole thing.

Limiting the size you scan could also allow viruses to escape
undetected, viz:

    (cat small_x86_code; \
    dd if=/dev/zero bs=1k count=10k; \
    cat viral_payload) | gzip -9 > file.gz

I assume that small_x86_code contains an .exe header plus code to jump
past the 10Meg of zeros.

So because you can get around scanners which limit the size of the
scan, and you can DoS scanners which do not limit the size, you might
as well not bother scanning compressed or archived files at all, except
under manual control.

--
David.
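
The trade-off described in this message, as an added example that is not part of the original post: a streaming gzip scan in Python that bounds its own work and, when the budget runs out, returns a third verdict, "unscannable", instead of passing the file as clean. scan_gzip, padded_sample, MARKER and the verdict names are assumptions made for the illustration, and the sample input is constructed.

```python
import gzip
import zlib

CHUNK = 64 * 1024           # most output accepted from one decompress() call
MARKER = b"EXAMPLE-MARKER"  # constructed stand-in for a scanner signature


def padded_sample(pad=1024 * 1024):
    """Constructed input shaped like the message's example: stub, zeros, tail."""
    return gzip.compress(b"STUB" + bytes(pad) + MARKER)


def scan_gzip(blob, max_out, marker):
    """Stream-decompress a gzip blob and search the output for marker.

    Returns "match", "clean" or "unscannable". Output is handled CHUNK bytes
    at a time, and a stream that was not read in full is never called clean.
    """
    d = zlib.decompressobj(wbits=31)  # 31 = expect a gzip header and trailer
    seen, overlap, buf = 0, b"", blob
    try:
        while not d.eof:
            out = d.decompress(buf, CHUNK)  # returns at most CHUNK bytes
            buf = d.unconsumed_tail         # input held back by that limit
            if not out and not buf and not d.eof:
                return "unscannable"        # stream ends before its trailer
            window = overlap + out
            if marker in window:
                return "match"
            seen += len(out)
            if seen > max_out:
                return "unscannable"        # budget spent, the rest is unseen
            # keep the last bytes so a marker split across chunks is found
            overlap = window[-(len(marker) - 1):] if len(marker) > 1 else b""
    except zlib.error:
        return "unscannable"                # corrupt, or not gzip at all
    # data after the first member (such as a second gzip member) was not read
    return "unscannable" if d.unused_data else "clean"
```

What happens to an "unscannable" message (reject, quarantine, hold for manual review) is a policy decision for the mail gateway.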