Re: Anti Virus Mailscanners DOS

From: David F. Skoll (dfsat_private)
Date: Mon Feb 25 2002 - 16:16:53 PST

    On Mon, 25 Feb 2002, Eduardo R. Maciel wrote:
    
    > Most virus scanners look inside compressed files. There are
    > still several viruses that are not "email contamination" specific. So
    > I believe that it's not wrong to look inside compressed archives, BUT
    > it should check the size of files inside the compressed archive
    > before.
    
    In general, you cannot check the size of compressed files without
    uncompressing.  For example, with a tar.gz, you have to uncompress
    the whole thing.
    
    Limiting the size you scan could also allow viruses to escape
    undetected, viz:
    
    (cat small_x86_code; \
     dd if=/dev/zero bs=1k count=10k; \
     cat viral_payload) | gzip -9 > file.gz
    
    I assume that small_x86_code contains an .exe header plus code to jump
    past the 10Meg of zeros.
    
    So because you can get around scanners which limit the size of the
    scan, and you can DoS scanners which do not limit the size, you might
    as well not bother scanning compressed or archived files at all, except
    under manual control.
    
    --
    David.
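
Added example, not part of the original post: one way a scanner can decompress a gzip stream under a fixed output budget and fail closed, so an attachment that exceeds the budget is reported as unscannable rather than clean. The names `bounded_gunzip` and `verdict`, the byte-signature match and the sample data are assumptions constructed for illustration.

```python
import gzip
import zlib

CHUNK = 64 * 1024  # max bytes of output produced per step

class OverLimit(Exception):
    """Decompressed output exceeded the scan budget."""

def bounded_gunzip(data, limit, sink):
    """Stream-decompress gzip bytes into sink(chunk); stop once output exceeds limit."""
    d = zlib.decompressobj(wbits=31)  # wbits=31 selects the gzip container
    buf, total = data, 0
    while not d.eof:
        out = d.decompress(buf, CHUNK)  # never returns more than CHUNK bytes
        buf = d.unconsumed_tail
        if not out and not buf and not d.eof:
            raise ValueError("truncated gzip stream")
        total += len(out)
        if total > limit:
            raise OverLimit(total)
        sink(out)
    if d.unused_data:
        raise ValueError("data after end of gzip stream")
    return total

def verdict(data, limit, signature):
    """Return 'infected', 'clean' or 'unscannable'; a partial scan is never 'clean'."""
    state = {"hit": False, "tail": b""}
    keep = len(signature) - 1  # bytes carried over so matches can span chunks

    def sink(chunk):  # toy byte-signature match standing in for a real engine
        window = state["tail"] + chunk
        state["hit"] = state["hit"] or signature in window
        state["tail"] = window[-keep:] if keep else b""

    try:
        bounded_gunzip(data, limit, sink)
    except OverLimit:
        return "infected" if state["hit"] else "unscannable"
    except (zlib.error, ValueError):
        return "unscannable"
    return "infected" if state["hit"] else "clean"

# Constructed sample with the layout from the post: stub, 10 MiB of zeros, trailing marker.
MARKER = b"CONSTRUCTED-TEST-MARKER"
PADDED = gzip.compress(b"stub" + bytes(10 * 1024 * 1024) + MARKER)
SMALL = gzip.compress(b"ordinary attachment contents")
```

A mail gateway would map `unscannable` to quarantine or rejection, so the size limit bounds the work done without letting the padded file through as clean.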
    



    This archive was generated by hypermail 2b30 : Tue Feb 26 2002 - 16:55:57 PST