> From: Vittal Aithal [mailto:vittal.aithalat_private-GLOBAL.COM]
> Sent: Tuesday, April 17, 2001 4:11 AM
> To: BUGTRAQat_private

> A possible workaround is to add a pattern match in your desktop anti-virus
> software to pick up on such extensions. For instance, adding
> {????????-????-????-????-????????????} as an executable extension in
> Sophos Anti-Virus 3.43 scans such files.

Confirmed (using the EICAR test string) that adding the extension "{?*" to the program file extension list in Symantec Norton Antivirus 5.00.01C running on Win95 causes it to scan files with class ID extensions. (NAV 5.0 only allows three characters in the extension list, but I expect most people don't have very many files with extensions that begin with "{" anyway, so scanning them shouldn't be a problem.)

I also noted in passing that NAV 5.0 apparently does not have HTA in the extension list, so add that one while you're at it. NAV may not detect any known HTA-carried malware yet, but I assume it's possible to use HTA to transport various payloads, and it is an executable type after all.

I suspect we're approaching the point where it makes no sense to have an executable extension list anyway, and desktop antivirus products will just scan all files.

Michael Wojcik michael.wojcikat_private
MERANT
Department of English, Miami University
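An added example, not part of the original message or of either antivirus product: a Python sketch that applies the two wildcard patterns quoted in the thread to a file name's extension and shows which names each one selects for scanning. The function names, the stricter hex-only check, the trailing dot and space handling, and the sample file names (with an all-zero placeholder class ID) are assumptions made for illustration.

```python
import fnmatch
import re

# Wildcard patterns quoted in the thread, matched against the extension only.
SOPHOS_PATTERN = "{????????-????-????-????-????????????}"
NAV_PATTERN = "{?*"
# Assumption: a stricter check that the braces really hold a hex GUID.
STRICT_CLSID = re.compile(
    r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.IGNORECASE)
# HTA is the extension the message says was missing from the NAV 5.0 list.
EXTRA_EXECUTABLE = {"hta"}


def extension(filename):
    """Return the lower-cased text after the last dot, or '' if there is none."""
    # Windows drops trailing dots and spaces, so normalise before splitting.
    name = filename.rstrip(". ")
    _base, dot, ext = name.rpartition(".")
    return ext.lower() if dot else ""


def classify(filename):
    """Report which rule, if any, would select this file for scanning."""
    ext = extension(filename)
    return {
        "sophos": fnmatch.fnmatchcase(ext, SOPHOS_PATTERN),
        "nav": fnmatch.fnmatchcase(ext, NAV_PATTERN),
        "strict_clsid": bool(STRICT_CLSID.fullmatch(ext)),
        "hta": ext in EXTRA_EXECUTABLE,
    }


def should_scan(filename):
    return any(classify(filename).values())


if __name__ == "__main__":
    # Constructed sample names; the class ID is a placeholder, not a real one.
    samples = [
        "notes.txt",
        "readme.txt.{00000000-0000-0000-0000-000000000000}",
        "readme.txt.{00000000-0000-0000-0000-000000000000}. ",
        "report.{zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz}",
        "odd.{ab",
        "menu.HTA",
    ]
    for name in samples:
        hits = [rule for rule, hit in classify(name).items() if hit]
        print(f"{name!r}: {hits or 'not selected'}")
```

The wildcard patterns select more names than the strict hex check does, which errs toward scanning extra files rather than missing one.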
This archive was generated by hypermail 2b30 : Tue Apr 17 2001 - 23:54:48 PDT