Re: softlabs
2004-03-04 05:37:53
At 10:46 2004-03-04 +0100, Robert Allerstorfer wrote:
> it seems some still don't understand me. As explained before, I have
> written the procmail AV filter for use, of course, on Unix, in the
> purpose to isolate viruses for windows.
You need to discreetly extinguish that thing you're smoking and re-read my
post. Absolutely NOWHERE in it did I make any reference to what platform
your stuff was running on (though being procmail-invoked, it seems rather
likely that it'd be on *nix), or that somehow I was under the mistaken
impression that your filter failed to match several encrypted files.
> I have only *tested* how a common AV program would be in sync to the
> results my Unix tool gave. Of course, this can only be done on the target
> platform, so on Windows.
Yea, and the point was that you were claiming that some "unnamed" app
didn't isolate these. No need to NOT name it - go ahead, it's useful
information for anyone wanting to check the data for themselves. While
you're at it, you might identify the version/date of the virus definitions
used.
> And, what is interesting for me is, that the Windows AV program did NOT
> find the viruses my tool DID on Unix, OK?
When did I even so much as imply otherwise? OK?
> > Uhm, if they were encrypted zipfiles, how'd you pull off that trick? Or is
> > it static?
> Why not just having a look inside it? All the files can be browsed
> directly online.
I searched your posts to obtain a URL. The first one you posted, at the
end of January (a hair over a month ago),
http://softlabs.at/_tmp/Mydoom-Virus.zip
doesn't answer requests. Even the base domain. Tack a www in front of the
base domain, and something is there, but not your stuff.
A month later, you've posted a different domain entirely (with some irony,
I note that it is under a tld which someone just today suggested should
be vaporised as spam):
http://www.softlabs.info/antivirus/
Well, I looked, and saw no comments regarding encryption, which leads me to
believe that the flagging is simply based on the fact that the zip contains
an EXE (from the directory), not that it is recognized as
malware. Further, the code I saw (at least as I interpreted it), seems to
have _zero_ effect for dealing with zips containing html which contains
HTTP content-type headers to cause flaky browsers to reinterpret as an
executable.
No offence, but it seems suspiciously like your script "identifies" these
files as infected merely because they contain executables, not because they
are actually _infected_ executables.
Of course, perhaps I missed something - but that's why I asked how it is
you're actually dealing with encrypted files. Pointing me to your code
provides no additional insight on the encryption question.
I'm sort of wondering why not produce MD5 sums of suspect files (content,
not the ZIP itself). Or, to permit reaching into ZIPs (even if encrypted),
use CRC32 and size data.
This data could very easily be propagated via a DNSBL zone.
- Sean (quite happy the procmail list isn't reflected to google groups, or
we'd all be getting even more spam as a result)
---
Sean B. Straw / Professional Software Engineering
Procmail disclaimer: <http://www.professional.org/procmail/disclaimer.html>
Please DO NOT carbon me on list replies. I'll get my copy from the list.
_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
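The point Sean makes above about reaching into ZIPs (the central directory carries each member's name, CRC32 and uncompressed size in the clear even when the member data is encrypted, so a CRC32+size fingerprint can be matched where a name-only ".exe" check can't tell an infected file from a benign one, and MD5 of content only works on members you can actually read) is shown here as an added Python example. It is not code from the thread, from the softlabs script, or from any AV product. The in-memory ZIP writer, the sample payloads, the "known bad" fingerprint list and the DNSBL zone name `zipsig.example.invalid` are all constructed for the example; no real malware or real zone is involved, and the "encrypted" members only carry opaque bytes with the encryption flag set, which is all a scanner without the password sees anyway.

```python
import hashlib
import struct
import zlib

# Extensions a name-only check would flag (assumption: a typical list for a mail filter).
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")

# Constructed sample payloads; nothing here is real malware.
SAMPLE_WORM = b"MZ" + b"\x90" * 40 + b"fake worm body, constructed for the example"
SAMPLE_SETUP = b"MZ" + b"\x00" * 40 + b"harmless installer stub, constructed"
SAMPLE_HTML = (b"<html><head><meta http-equiv='Content-Type' "
               b"content='application/octet-stream'></head></html>")


def build_zip(entries):
    """Write a minimal ZIP (stored members, one central directory, EOCD).

    entries: list of (name, data, encrypted). For encrypted=True we set
    general-purpose flag bit 0 and replace the payload with opaque bytes, so
    the scanner sees what it would see without the password; CRC32 and
    uncompressed size in the directory are still filled in correctly, exactly
    as a real ZIP writer does.
    """
    local, central = b"", b""
    for name, data, encrypted in entries:
        nb = name.encode("cp437")
        flags = 0x0001 if encrypted else 0
        crc = zlib.crc32(data) & 0xFFFFFFFF
        payload = (b"\x00" * 12 + bytes(b ^ 0x5A for b in data)) if encrypted else data
        offset = len(local)
        local += struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0,
                             crc, len(payload), len(data), len(nb), 0) + nb + payload
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0,
                               0, 0, crc, len(payload), len(data), len(nb),
                               0, 0, 0, 0, 0, offset) + nb
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries), len(entries),
                       len(central), len(local), 0)
    return local + central + eocd


def read_central_directory(blob):
    """Parse the central directory; names, flags, CRC32 and sizes are readable
    without any password, whether or not the member data is encrypted."""
    eocd = blob.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, count, _, cd_offset, _ = struct.unpack_from("<IHHHHIIH", blob, eocd)
    pos, members = cd_offset, []
    for _ in range(count):
        rec = struct.unpack_from("<IHHHHHHIIIHHHHHII", blob, pos)
        if rec[0] != 0x02014B50:
            raise ValueError("bad central directory signature at offset %d" % pos)
        flags, method, crc, csize, usize = rec[3], rec[4], rec[7], rec[8], rec[9]
        name_len, extra_len, comment_len, local_off = rec[10], rec[11], rec[12], rec[16]
        name = blob[pos + 46:pos + 46 + name_len].decode("cp437")
        members.append({"name": name, "encrypted": bool(flags & 1), "method": method,
                        "crc32": crc, "csize": csize, "size": usize,
                        "local_offset": local_off})
        pos += 46 + name_len + extra_len + comment_len
    return members


def fingerprint_of(data):
    """CRC32 + uncompressed size of raw content, the key Sean proposes."""
    return "%08x:%d" % (zlib.crc32(data) & 0xFFFFFFFF, len(data))


def fingerprint(member):
    """Same key, taken from the directory entry (works for encrypted members)."""
    return "%08x:%d" % (member["crc32"], member["size"])


def content_md5(blob, member):
    """MD5 of the member content (not of the ZIP); only possible for
    unencrypted, stored members, so it returns None where it cannot be computed."""
    if member["encrypted"] or member["method"] != 0:
        return None
    hdr = struct.unpack_from("<IHHHHHIIIHH", blob, member["local_offset"])
    start = member["local_offset"] + 30 + hdr[9] + hdr[10]
    return hashlib.md5(blob[start:start + member["size"]]).hexdigest()


def dnsbl_label(member, zone="zipsig.example.invalid"):
    """Hypothetical DNSBL-style query name <crc32>.<size>.<zone>; the zone
    is an assumption for the example, the scheme is the one the post suggests."""
    return "%08x.%d.%s" % (member["crc32"], member["size"], zone)


def classify(blob, known_bad):
    """Return (name, encrypted, reasons) per member so a name-only verdict and
    a fingerprint verdict can be compared side by side."""
    verdicts = []
    for m in read_central_directory(blob):
        reasons = []
        if m["name"].lower().endswith(EXEC_EXT):
            reasons.append("executable-name")
        if fingerprint(m) in known_bad:
            reasons.append("known-bad-fingerprint")
        verdicts.append((m["name"], m["encrypted"], reasons))
    return verdicts


# Constructed "known bad" list: only the fake worm is listed.
KNOWN_BAD = {fingerprint_of(SAMPLE_WORM)}
SAMPLE_ZIP = build_zip([("document.html", SAMPLE_HTML, True),
                        ("worm.exe", SAMPLE_WORM, True),
                        ("setup.exe", SAMPLE_SETUP, False)])

if __name__ == "__main__":
    for name, enc, reasons in classify(SAMPLE_ZIP, KNOWN_BAD):
        print("%-14s encrypted=%-5s %s" % (name, enc, ", ".join(reasons) or "no hit"))
```

Run as a script it prints one line per member: the encrypted `worm.exe` is caught by the fingerprint as well as by its name, the benign `setup.exe` is flagged by name alone (the false positive Sean objects to), and the encrypted HTML member gets no hit from either check, which is the gap he points out for HTML carrying a content-type trick. The CRC32 is a 32-bit non-cryptographic checksum, so a fingerprint list built on it is a cheap pre-filter, not proof of infection; pairing it with the size narrows accidental collisions but does not remove them.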