unzip

Matthias Borrack mailingliste at sinath.de
Thu Mar 4 09:39:16 UTC 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Michael Weber wrote:
> Another idea: the ZIPs that have arrived here all have a ratio of 0% -
> so they are only "stored" - can anyone confirm that for the "bagle.j"
> variants?
>

Not at all ....

On focus-virus at securityfocus.com there is a thread running right now
regarding Bagle

---8<---
Nope - had to quarantine all incoming .zip files and drop all incoming
encrypted archives (ideally I would quarantine all encrypted archives - but
mimedefang doesn't check for encryption and SAVIEG doesn't let you
quarantine archives)
--->8---

---8<---
There are some vendors who flag the password protected Bagle samples.
NAI flags any password-protected archive around 20KB (with some other
criteria).
But as the content doesn't really get scanned, there's a real chance it will
give false positives.

Kaspersky Lab has made something really clever for this (method isn't
completely perfected though).
When it scans an email which has Bagle-like characteristics, it will find
the password, using it to extract the contents of the pwp archive; that way
the pwp archive will actually really get scanned to check if it's malware,
reducing the chance of a false positive to (almost) none.

This way you won't have to block zip archives.
==
Kind regards, Roel Schouwenberg
--->8---



cu/2 iae
Matthias
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFARvlEWTMfCbz57ScRAuXvAJ9Lr14VU9nkRrG1wWsVeoeO18sVOQCfRBE+
MLy/ZB1Gt16FjzlEXgLig3k=
=v2Mn
-----END PGP SIGNATURE-----
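As an added example (not code from this thread, and not from mimedefang, SAVIEG, NAI or Kaspersky), the following Python reads the two ZIP properties the thread turns on straight from the archive's central directory: the compression method (method 0 is "stored", i.e. the 0% ratio Michael Weber observed) and the general-purpose flag bit 0 that marks a password-protected entry. A small gateway policy then applies the rule from the quoted post: an encrypted archive cannot be content-scanned, so it is quarantined, while a plain archive goes on to the scanner. The sample archive, the `sample.bin` entry name and the size window passed to `gateway_verdict` are constructed; `mark_encrypted` only flips the flag bit on that constructed sample (no payload is encrypted) so the check can be exercised offline.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end-of-central-directory record
CDIR_SIG = b"PK\x01\x02"   # central directory file header
ENCRYPTED_FLAG = 0x0001    # general purpose bit 0: entry is password-protected
STORED = 0                 # compression method 0: "stored", 0% ratio


def parse_central_directory(data: bytes) -> list:
    """Return one dict per entry, read from the central directory.

    The central directory is used instead of the local headers because
    local headers may carry zero sizes when a data descriptor follows the
    payload. Offsets are taken as absolute, so archives with data prepended
    (self-extractors) are out of scope here.
    """
    eocd = data.rfind(EOCD_SIG)  # assumes the archive comment does not contain the signature
    if eocd < 0 or eocd + 22 > len(data):
        raise ValueError("no end-of-central-directory record")
    (_sig, _disk, _cd_disk, _n_disk, n_total,
     _cd_size, cd_offset, _comment_len) = struct.unpack_from("<4sHHHHIIH", data, eocd)
    entries = []
    pos = cd_offset
    for _ in range(n_total):
        if data[pos:pos + 4] != CDIR_SIG:
            raise ValueError(f"bad central directory entry at offset {pos}")
        (_sig, _made_by, _needed, flags, method, _time, _date, _crc,
         csize, usize, fn_len, extra_len, comment_len, _disk_start,
         _int_attr, _ext_attr, local_offset) = struct.unpack_from("<4sHHHHHHIIIHHHHHII", data, pos)
        name = data[pos + 46:pos + 46 + fn_len].decode("cp437", "replace")
        entries.append({
            "name": name,
            "encrypted": bool(flags & ENCRYPTED_FLAG),
            "method": method,
            "stored": method == STORED,
            "compressed_size": csize,
            "uncompressed_size": usize,
            "cd_offset": pos,
            "local_offset": local_offset,
        })
        pos += 46 + fn_len + extra_len + comment_len
    return entries


def gateway_verdict(data: bytes, size_window=(10_000, 30_000)) -> dict:
    """Mail-gateway policy modelled on the thread: quarantine what cannot be
    content-scanned, pass everything else to the AV scanner. The size window
    is a constructed stand-in for NAI's "around 20KB" heuristic and only adds
    a note; it never decides on its own."""
    entries = parse_central_directory(data)
    notes = []
    encrypted = [e["name"] for e in entries if e["encrypted"]]
    if encrypted:
        notes.append("password-protected entries, content cannot be scanned: " + ", ".join(encrypted))
    if entries and all(e["stored"] for e in entries):
        notes.append("all entries stored (0% compression ratio)")
    lo, hi = size_window
    if lo <= len(data) <= hi:
        notes.append(f"archive size {len(data)} bytes falls in the size window")
    return {"verdict": "quarantine" if encrypted else "scan", "notes": notes}


def build_sample(stored: bool = True) -> bytes:
    """Constructed attachment: one 2000-byte entry, stored or deflated."""
    buf = io.BytesIO()
    method = zipfile.ZIP_STORED if stored else zipfile.ZIP_DEFLATED
    with zipfile.ZipFile(buf, "w", compression=method) as zf:
        zf.writestr("sample.bin", b"A" * 2000)
    return buf.getvalue()


def mark_encrypted(data: bytes) -> bytes:
    """Constructed sample only: set the encryption flag in both the central
    directory entry and the local header without encrypting the payload."""
    buf = bytearray(data)
    for e in parse_central_directory(data):
        # flags sit at +8 in a central directory entry and at +6 in a local header
        for off in (e["cd_offset"] + 8, e["local_offset"] + 6):
            flags = struct.unpack_from("<H", buf, off)[0] | ENCRYPTED_FLAG
            struct.pack_into("<H", buf, off, flags)
    return bytes(buf)


def cross_check_with_stdlib(data: bytes) -> bool:
    """Confirm the hand parser's encrypted flag agrees with zipfile's reading."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        std = [(zi.filename, bool(zi.flag_bits & ENCRYPTED_FLAG)) for zi in zf.infolist()]
    ours = [(e["name"], e["encrypted"]) for e in parse_central_directory(data)]
    return std == ours


if __name__ == "__main__":
    for label, blob in (("stored", build_sample(True)),
                        ("deflated", build_sample(False)),
                        ("flagged encrypted", mark_encrypted(build_sample(True)))):
        print(label, gateway_verdict(blob))
```

The point of reading the flag bit rather than trying to open every entry is that the verdict is available before any decompression happens, which is where a gateway like the one described above has to decide; the stored/deflated note is kept separate from the verdict because, as the thread itself shows, a 0% ratio alone is not a reliable signal.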

More information about the Fedora-de-list mailing list