It's not a bug, it's by design. For no other reason than that of speed, the On Access Scanner will only look one level deep. If you were to scan using the On Demand Scanner then this will examine the file completely. I cannot comment on the 'Hotmail' concern; it may be one of implementation.

Sincerely,

Lee Fisher
Global Best Practices Team
AntiVirus and Information Security Specialist
Member of the AVERT
For McAfee/Dr Solomon's Anti Virus Technologies
PGP FingerPrint: 7323 57AD D0E5 97E4 D173 E6F9 341F BA79 760A 3DFC

-----Original Message-----
From: Michel Arboi [mailto:arboiat_private]
Sent: 19 June 2001 22:53
To: VULN-DEVat_private
Subject: Bugs in Mac Afee AV? [Re: Antivirus scanner DoS with zip archives]

Still playing with those crazy Zip archives, I tried to DoS "NetShield" on our NT file server. It failed! NetShield does not "recurse" into Zip archives, it only looks at the first level. This means that it is immune to this stupid DoS attack, but malicious code may be buried under two levels of archiving.

I am not sure this should be called a "bug", as this tool only protects (?) file transfers from/to a server. The workstation should run another software protection.

****

I then decided to look at Hotmail, as I know they use McAfee to check the attachments before downloading. I sent three e-mails with the Eicar.com test file (no! I did not attempt to DoS Hotmail :) I attached eicar.com to the 1st one, eicar.zip (which just contained eicar.com) to the 2nd, and eicar2.zip (which contained eicar.zip) to the 3rd.

McAfee detected the test "virus" but the behaviour was strange: Hotmail said that the 1st and 2nd messages could not be cleaned and blocked the download, but it accepted to "clean" the 3rd one. When eicar2.zip arrived on my hard drive, the archives were intact and the test virus was still there. If some user trusts the "cleaning process" by Hotmail, sending him a virus is very easy. Once again, the workstation should be protected.

IIRC, Yahoo Mail used to provide some AV scanning (Norton?) but it seems they have stopped now (or they refuse to recognize the EICAR test string).

********

I should probably contact McAfee, but I bet they are not the only antivirus editor that has big problems with those "recursive" archives. Maybe that's only a configuration problem too...

The choice may be: either weak protection or easy denial of service with 42.zip :-\ After all, scanning archives when you transmit them looks like a bad idea. Note that using some kind of unknown archive (most Windows AV cannot open bzip2), or enciphering the archive, will also defeat the detection.
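The trade-off the thread describes (look one level deep and miss nested payloads, or recurse and be open to a 42.zip-style decompression DoS) can be resolved with budgets rather than an either/or. The following is an added example, not code from the thread or from McAfee: it builds a nested archive in memory that mirrors eicar.zip inside eicar2.zip, shows that a one-level scanner misses the inner file, and then scans recursively under assumed depth, member-count and uncompressed-byte limits so a bomb stops the scan instead of exhausting the host. A constructed marker string stands in for the EICAR signature; the limit values and file names are assumptions.

```python
import io
import zipfile

# Policy limits for the added scanner (assumed values, not from the thread).
MAX_DEPTH = 4                 # archive levels to descend; deeper nesting is reported, not opened
MAX_TOTAL_BYTES = 5_000_000   # cumulative uncompressed bytes allowed per top-level file
MAX_MEMBERS = 500             # total members inspected per top-level file
# Constructed stand-in for a detection signature (the thread used the EICAR test file).
MARKER = b"CONSTRUCTED-TEST-MARKER"


def build_nested_archive(levels: int) -> bytes:
    """Constructed sample: the marker file wrapped in `levels` zip layers.

    levels=1 mirrors the thread's eicar.zip, levels=2 its eicar2.zip.
    """
    payload = MARKER + b"\r\n"
    name = "test.com"
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, payload)
        payload = buf.getvalue()
        name = f"test{i + 1}.zip"
    return payload


def build_padded_archive(nbytes: int) -> bytes:
    """Constructed sample: one highly compressible member of `nbytes` zero bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("padding.bin", b"\x00" * nbytes)
    return buf.getvalue()


def one_level_scan(data: bytes) -> list[str]:
    """Behaviour the thread describes: inspect only the first archive level."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if MARKER in zf.read(info):
                hits.append(info.filename)
    return hits


def recursive_scan(data: bytes) -> dict:
    """Descend into nested zips under depth, member and byte budgets.

    Returns a report with the member paths that matched, why the scan stopped
    early (or None), the deepest level reached and the bytes inflated.
    """
    report = {"hits": [], "stopped": None, "max_depth": 0, "bytes": 0, "members": 0}

    def walk(blob: bytes, path: str, depth: int) -> None:
        report["max_depth"] = max(report["max_depth"], depth)
        if depth > MAX_DEPTH:
            report["stopped"] = f"depth limit at {path}"
            return
        try:
            zf = zipfile.ZipFile(io.BytesIO(blob))
        except zipfile.BadZipFile:
            return  # not an archive; nothing further to open
        with zf:
            for info in zf.infolist():
                if report["stopped"]:
                    return
                report["members"] += 1
                if report["members"] > MAX_MEMBERS:
                    report["stopped"] = f"member limit at {path}"
                    return
                remaining = MAX_TOTAL_BYTES - report["bytes"]
                # Read at most remaining+1 bytes: the central-directory size field
                # is untrusted, so the bound comes from what is actually inflated.
                with zf.open(info) as f:
                    member = f.read(remaining + 1)
                if len(member) > remaining:
                    report["stopped"] = f"byte budget at {path}/{info.filename}"
                    return
                report["bytes"] += len(member)
                member_path = f"{path}/{info.filename}"
                if MARKER in member:
                    report["hits"].append(member_path)
                if info.filename.lower().endswith(".zip"):
                    walk(member, member_path, depth + 1)

    walk(data, "<top>", 1)
    return report


if __name__ == "__main__":
    two_deep = build_nested_archive(2)
    print("one level :", one_level_scan(two_deep))   # misses the buried marker
    print("recursive :", recursive_scan(two_deep))   # finds it at depth 2
    print("too deep  :", recursive_scan(build_nested_archive(MAX_DEPTH + 2))["stopped"])
    print("oversized :", recursive_scan(build_padded_archive(MAX_TOTAL_BYTES + 1))["stopped"])
```

The byte budget is enforced on inflated output, not on the sizes declared in the archive headers, which is what makes a bounded recursive scan safe to run on a mail gateway; an item that trips any limit is reported as unscannable so the policy layer can quarantine it rather than pass it through as "clean", the failure mode the Hotmail test above exposed.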
This archive was generated by hypermail 2b30 : Thu Jun 21 2001 - 08:54:21 PDT