Bugs in McAfee AV? [Re: Antivirus scanner DoS with zip archives]

From: Michel Arboi (arboiat_private)
Date: Tue Jun 19 2001 - 14:52:35 PDT

  • Next message: Dale Martin: "Re: FW: Antivirus scanner DoS with zip archives"

    Still playing with those crazy Zip archives, I tried to DoS "NetShield"
    on our NT file server.
    It failed! NetShield does not "recurse" into Zip archives, it only
    looks at the first level.
    This means that it is immune to this stupid DoS attack, but malicious
    code may be buried under two levels of archiving.
    I am not sure this should be called a "bug", as this tool only protects
    (?) file transfers from/to a server. The workstation should run other
    protection software.
    
        ****
    
    I then decided to look at Hotmail, as I know they use McAfee to check
    the attachments before downloading.
    I sent three e-mails with the Eicar.com test file (no! I did not
    attempt to DoS Hotmail :)
    I attached eicar.com to the 1st one, eicar.zip (which just contained
    eicar.com) to the 2nd, and eicar2.zip (which contained eicar.zip) to
    the 3rd.
    McAfee detected the test "virus" but the behaviour was strange:
    Hotmail said that the 1st and 2nd messages could not be cleaned and
    blocked the download, but it agreed to "clean" the 3rd one.
    When eicar2.zip arrived on my hard drive, the archives were intact and
    the test virus was still there.
    
    If some user trusts the "cleaning process" by Hotmail, sending him a
    virus is very easy. Once again, the workstation should be protected.
    
    IIRC, Yahoo Mail used to provide some AV scanning (Norton?) but it
    seems they have stopped now (or they refuse to recognize the EICAR test
    string).
    
            ********
    
    I should probably contact McAfee, but I bet they are not the only
    antivirus vendor that has big problems with those "recursive"
    archives.
    Maybe that's only a configuration problem too...
    The choice may be: either weak protection or easy denial of service
    with 42.zip :-\
    After all, scanning archives when you transmit them looks like a bad
    idea.
    Note that using some kind of unknown archive (most Windows AV cannot
    open bzip2), or enciphering the archive will also defeat the detection.
    
    
    
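The trade-off the post ends on (either stop at the first level and miss a payload buried two archives deep, or recurse and be open to a 42.zip-style DoS) is usually resolved by recursing with hard limits and failing closed when a limit is hit. The following is an added example, not code from the original post and not how McAfee, NetShield or Hotmail actually work: a small Python scanner that opens nested zips up to a depth limit, counts decompressed bytes as they come out of the decompressor so a lying header cannot help, rejects members with an implausible expansion ratio, and treats an encrypted member (which, as the post notes, it cannot inspect) as a reason to block rather than to pass the file through. The detection itself is just a substring match on the EICAR test string. The depth, byte and ratio limits are assumed values for illustration, and the nested archives are constructed in memory to mirror the eicar.zip / eicar2.zip experiment.

```python
import io
import zipfile

# EICAR test string: the standard, harmless antivirus test file.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


class ScanLimitExceeded(Exception):
    """Raised when an archive would cost more to open than policy allows."""


def nested_zip(payload, name, levels):
    """Constructed test input: wrap `payload` in `levels` DEFLATE zip archives,
    innermost first (levels=2 reproduces the eicar2.zip case)."""
    data, inner_name = payload, name
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(inner_name, data)
        data, inner_name = buf.getvalue(), f"level{i + 1}.zip"
    return data


def scan(data, name="<root>", max_depth=8, max_total=50_000_000, max_ratio=100,
         _depth=0, _budget=None):
    """Return [(path, verdict)] for every leaf file reachable from `data`.

    Archives are opened recursively, but only `max_depth` levels deep, only
    while the running total of decompressed bytes stays under `max_total`,
    and only for members whose declared expansion ratio is under `max_ratio`.
    The limits are assumed example values. Any limit hit raises
    ScanLimitExceeded so the caller can fail closed.
    """
    if _budget is None:
        _budget = {"bytes": 0}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        # Leaf file: the "signature check" is just a substring match here.
        return [(name, "EICAR" if EICAR in data else "clean")]
    if _depth >= max_depth:
        raise ScanLimitExceeded(f"{name}: nested deeper than {max_depth} levels")
    results = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = f"{name}/{info.filename}"
            if info.flag_bits & 0x1:
                # General-purpose flag bit 0 = encrypted; we cannot look inside.
                results.append((path, "encrypted: unscannable"))
                continue
            # Cheap pre-check on the central-directory sizes. Headers can lie,
            # so this is only a hint; the byte count below is the authority.
            if info.compress_size and info.file_size / info.compress_size > max_ratio:
                raise ScanLimitExceeded(
                    f"{path}: declared ratio {info.file_size // info.compress_size}:1")
            # Count bytes as they actually leave the decompressor and stop
            # before the budget is blown, instead of trusting file_size.
            chunks = []
            with zf.open(info) as fh:
                while True:
                    chunk = fh.read(64 * 1024)
                    if not chunk:
                        break
                    _budget["bytes"] += len(chunk)
                    if _budget["bytes"] > max_total:
                        raise ScanLimitExceeded(
                            f"{path}: total output exceeds {max_total} bytes")
                    chunks.append(chunk)
            results.extend(scan(b"".join(chunks), path, max_depth, max_total,
                                max_ratio, _depth + 1, _budget))
    return results


def policy_verdict(data, **limits):
    """Fail-closed policy: block on a detection, on an unscannable member,
    or on any resource limit being hit. Returns "allow" or "block"."""
    try:
        results = scan(data, **limits)
    except ScanLimitExceeded:
        return "block"
    return "block" if any(v != "clean" for _, v in results) else "allow"


if __name__ == "__main__":
    print(scan(nested_zip(EICAR, "eicar.com", 2)))          # found two levels down
    bomb = nested_zip(b"\0" * 10_000_000, "zeros.bin", 2)   # ~1000:1 member, nested
    try:
        scan(bomb)
    except ScanLimitExceeded as e:
        print("blocked:", e)
```

The point of `policy_verdict` is the opposite of what the post observed at Hotmail: when the scanner cannot finish (too deep, too big, encrypted), the safe answer is to refuse the file, not to hand it over intact. The streaming byte count matters more than the header ratio check, because the central directory's `file_size` and `compress_size` fields are attacker-controlled.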



    This archive was generated by hypermail 2b30 : Wed Jun 20 2001 - 06:44:45 PDT