[Esd-l] RE: How is a password protected zip file handled?
Agostini yves
agostini at univ-metz.fr
Wed Mar 3 02:00:41 PST 2004
More over, I think that A/V software can not scan encrypted or password
protected zip files ... unzip or Archive::Zip can read the list of
filenames and the sanitizer use this filenames.
Le mer 03/03/2004 ` 00:27, Smart,Dan a icrit :
> Do I need to add the + sign to my zip_poisoned list?
>
> See following Email:
> ============================================================================
> ====
> From: Windows NTBugtraq Mailing List
> [mailto:NTBUGTRAQ at LISTSERV.NTBUGTRAQ.COM] On Behalf Of Michael_Maloney
> Sent: Tuesday, March 02, 2004 3:27 PM
> To: NTBUGTRAQ at LISTSERV.NTBUGTRAQ.COM
> Subject: Password protected ZIP files and Email worms
>
>
> With the release of Beagle.H and Beagle.I, virus writers started enclosing
> the infected files within password protected ZIP files. This negated the
> ability of A/V software to view the enclosed file within.
>
> I've found that the A/V software does see the file within the ZIP archive,
> but cannot process it because it does not recognize the extension. When the
> archive is password protected, the file enclosed receives a "+" character at
> the end of the extension (ie test.exe becomes test.exe+) Since the A/V
> software doesn't recognize that kind of extension, it lets it pass thru.
>
> I found that by adding the "+" character to file extensions that are blocked
> (.exe+, .cmd+, .vbs+ etc etc), the A/V software can now recognize that file
> extension and perform the necessary actions on it.
>
> I've only tested this out on Norton Anti-Virus for Exchange V2.1, but it
> should work on the other A/V software programs.
>
--
Agostini yves <agostini at univ-metz.fr>
More information about the esd-l
mailing list