Re: IC TC5504P



On Sat, 30 Jul 2005 22:37:12 -0700, "Watson A.Name - \"Watt Sun, the
Dark Remover\"" <NOSPAM@xxxxxxxxxxxxxx> put finger to keyboard and
composed:

>
>"Franc Zabkar" <fzabkar@xxxxxxxxxxxxxxxx> wrote in message
>news:4f6oe1dniiar6u7m06po9rk544nos15k4q@xxxxxxxxxx

>> On Tue, 26 Jul 2005 01:54:27 -0700, "Watson A.Name - \"Watt Sun, the
>> Dark Remover\"" <NOSPAM@xxxxxxxxxxxxxx> put finger to keyboard and
>> composed:

>> >No offense, but I wouldn't download a .zip because it could be
>> >infected with a virus. Sorry, but that's the reality of today's nasty
>> >malware.
>>
>> Can you show me one antivirus program that is unable to detect malware
>> in .zip archives?

>At work we use Antigen, and it _removes_any_ .ZIP, sticks a text file in
>its place that says it's been removed to protect against viruses.

Is this the one?
http://www.sybari.com/DesktopDefault.aspx?Alias=Rainbow&TabId=3361&Lang=en-US

If so, then the FAQ would suggest that your sys admin is somewhat
paranoid:

===================================================================
Q: I read that attacks can be carried out against antivirus software
by nesting a large number of zipped files. Does Antigen allow the
Administrator to decide how many nested compressed files will be
scanned?

A: Yes. Administrators can set the number of allowed nested zipped
files. If this number is exceeded, Antigen will delete the file and
save a backup copy in the Incidents and Quarantine Database. See
"MaxNestedCompressedFile" in the General Options section of the User
Guide for more information on this feature.


Q: Can Antigen scan password protected Zip files?

A: No. Antigen cannot access password-protected or encrypted files.
However, there is a feature that will allow password-protected Zip
files to be deleted by Antigen.
===================================================================

>People started
>finding it was futile to send others a .ZIP thru the email. So that's
>probably one good reason why the .ZIP has fallen out of favor.

With respect, asking people to refrain from using ZIPs is like asking
the mountain to come to Mohammed.

>Oh, BTW, _every_ antivirus program can't detect a _new_ virus, in or out
>of a .ZIP, when it first comes out. Takes an update of the signature
>file before it can detect it (we've BTDT, GTTS). Is this because the
>antivirus prog makers don't want to lose their cash cow by making a
>detector that they don't have to update? I thought that some detectors
>were "holistic", could detect many variants of a virus. Just not all
>variants...

I'm prepared to accept that a bulletproof holistic approach to unknown
viruses is probably unachievable. However, I have a problem with any
antivirus product that fails to detect a *known* virus, or a known
variant. AFAIK, Kaspersky Labs produce the only product that
consistently scores 100% in this regard.

As for hiding viruses in archives, the most effective way would be to
avoid known archive types such as ZIPs. Instead, an intelligent
attacker could use one of many alternative self-extracting compression
formats specifically developed for the purpose. In fact, some AV
software doesn't even scan known archives. For example, Grisoft's AVG
ignores LZH files. One possible defence against these types of attacks
is to execute unknown software in a "sandbox". Finjan is one product
that does this.


- Franc Zabkar
--
Please remove one 's' from my address when replying by email.
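The Antigen FAQ quoted in the post above describes two controls: a cap on how deeply nested compressed files are scanned (MaxNestedCompressedFile) and deleting password-protected ZIPs that cannot be inspected. The following is an added example written for this page, not Antigen's or any other vendor's code, showing how such a scanner can be implemented with Python's standard zipfile module. The function name scan_zip, the limits MAX_NESTED and MAX_MEMBER_BYTES, and the sample archives built by make_zip, nest_zip and mark_encrypted are assumptions for the demonstration; mark_encrypted only flips the ZIP header flag that marks an entry as encrypted so a scanner sees what a password-protected member looks like, it does not actually encrypt anything.

```python
"""Added example (not Antigen's code): recursive ZIP inspection with a
nesting limit, an encrypted-member check and a bounded read per member.
All limits and sample archives below are assumptions for the demo."""
import io
import zipfile

MAX_NESTED = 3              # assumed policy: the outermost archive is depth 1
MAX_MEMBER_BYTES = 100_000  # assumed policy: bytes decompressed per member
FLAG_ENCRYPTED = 0x1        # general-purpose bit 0 in the ZIP format (APPNOTE 4.4.4)


def scan_zip(data, max_nested=MAX_NESTED, max_member_bytes=MAX_MEMBER_BYTES, depth=1):
    """Inspect a ZIP held in memory and return a dict with a 'verdict' key.

    Verdicts: 'clean', 'nesting_exceeded', 'encrypted_member',
    'member_too_large', 'bad_zip'. Inner archives are recognised by content
    (is_zipfile on the member bytes), not by extension, so renaming a.zip
    to a.dat does not hide a nested archive from the depth limit.
    """
    if depth > max_nested:
        return {"verdict": "nesting_exceeded", "depth": depth}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"verdict": "bad_zip", "depth": depth}
    max_depth = depth
    with zf:
        for info in zf.infolist():
            if info.flag_bits & FLAG_ENCRYPTED:
                # Content cannot be scanned without the password; the FAQ's
                # policy for this case is to delete the file.
                return {"verdict": "encrypted_member", "depth": depth, "name": info.filename}
            if info.is_dir():
                continue
            with zf.open(info) as member:
                # Bounded read: decompress at most max_member_bytes + 1 bytes so a
                # decompression bomb cannot exhaust memory before the check runs.
                body = member.read(max_member_bytes + 1)
            if len(body) > max_member_bytes:
                return {"verdict": "member_too_large", "depth": depth, "name": info.filename}
            if zipfile.is_zipfile(io.BytesIO(body)):
                inner = scan_zip(body, max_nested, max_member_bytes, depth + 1)
                if inner["verdict"] != "clean":
                    return inner
                max_depth = max(max_depth, inner["max_depth"])
    return {"verdict": "clean", "max_depth": max_depth}


def make_zip(members):
    """Constructed sample: build an in-memory ZIP from a {name: bytes} dict."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def nest_zip(levels):
    """Constructed sample: a ZIP nested `levels` deep (levels=1 is a plain ZIP)."""
    data = make_zip({"readme.txt": b"hello from the innermost archive"})
    for i in range(levels - 1):
        data = make_zip({"inner%d.zip" % i: data})
    return data


def mark_encrypted(single_entry_zip):
    """Constructed sample: set general-purpose flag bit 0 on a one-entry ZIP so
    it carries the 'encrypted' marker. The member data is NOT encrypted; this
    only reproduces the header a scanner sees for a password-protected entry."""
    b = bytearray(single_entry_zip)
    b[b.find(b"PK\x03\x04") + 6] |= FLAG_ENCRYPTED   # local file header: flags at +6
    b[b.rfind(b"PK\x01\x02") + 8] |= FLAG_ENCRYPTED  # central directory: flags at +8
    return bytes(b)


if __name__ == "__main__":
    print(scan_zip(nest_zip(2)))   # clean, max_depth 2
    print(scan_zip(nest_zip(5)))   # nesting_exceeded at depth 4
    print(scan_zip(mark_encrypted(make_zip({"secret.txt": b"x" * 32}))))  # encrypted_member
    print(scan_zip(make_zip({"big.bin": b"\0" * 200_000})))  # member_too_large
```

The depth counter is the equivalent of the FAQ's MaxNestedCompressedFile: anything nested deeper than the limit is refused before it is even opened, which is what keeps a deliberately deep archive from consuming the scanner's time. The bounded read matters as much as the depth limit, because a single member that inflates to gigabytes is the other classic way to exhaust an archive scanner, and reading the declared file_size from the header is not a substitute, since that field is attacker-controlled.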