Message-ID: <1107679329.24788.64.camel@localhost.localdomain>
From: barrie at reboot-robot.net (Barrie Dempster)
Subject: Multiple AV Vendors ignoring tar.gz archives

On Sun, 2005-02-06 at 11:15 +1300, Nick FitzGerald wrote: (a very
well-worded reply)

However your reply seemed to focus on the desktop client as if that was
my primary focus. I know that results on virustotal use desktop
scanners, but I used it to gain an indication of how scanners in general
handle the files. The real point is the gateway, which you agree with me
on.

As I stated:
"The point being in order to ensure your email scanning solution is
performing adequately check that it does indeed scan archives other than
plain zip files."

I really should have installed multiple email gateways and tested them,
but to be honest it was more work than was worth doing on something that
is relatively trivial, but still an issue that may need to be addressed.


When it comes to desktop scanners, most of them have a deep scan option;
in my opinion the deep scan should indeed scan archives other than the
most common, otherwise it's redundant code. I personally don't want to
trust one part of the scanning engine on the desktop for protection;
there are multiple reasons that can fail.

Files should be scanned at the gateway, at the workstations and at the
file-server. If your network relies on the "on access" scan only, you
are risking network integrity on a single point of failure: the desktop
on-access scanner fails and you are infected. The AV companies obviously
agree with me; that's why they have gateway, on-access and sweep scans.
If you check their websites or install instructions they invariably
instruct you to schedule a scan AND run the on-access scanner. Also half
the products on virustotal do in fact have tar.gz capability in their
products, so I'm not alone in my belief that this should be supported.
On-Access isn't a single solution to the problem, although it's a very
good _last line of defense_.

I do agree with your feature bloat argument; finding the balance between
good functionality and bloat to the point of instability is not often
easy. However, most virus companies agree they should scan files in all
formats they've seen viruses in, and they do offer deep scanning; the
deep scan should err.... scan deep.

Thanks for your reply, Nick; your points are indeed all valid arguments
against uncommon archive support in desktop scanners. I still believe,
however, that support for these formats could become necessary and should
be in AV products at all checkpoints.

I don't believe in belt and braces. Belt, braces and super glue at the
bare minimum :-P


-- 
With Regards..
Barrie Dempster (zeedo) - Fortiter et Strenue

blog: http://zeedo.blogspot.com
site: http://www.bsrf.org.uk

[ gpg --recv-keys --keyserver www.keyserver.net 0x96025FD0 ]

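The check recommended above (confirm that the mail gateway opens archives other than plain zip) can be scripted. The block below is an added example, not code from this post or thread; it uses a constructed placeholder payload where a live gateway test would substitute the EICAR test string, packs that payload into zip, tar.gz and a zip-nested tar.gz, classifies each container by magic bytes rather than extension, and unpacks recursively to show the file is reachable inside every container a scanner is expected to open.

```python
import io
import tarfile
import zipfile
# Constructed placeholder (an assumption); for a live check substitute the EICAR test string from eicar.org.
TEST_PAYLOAD = b"GATEWAY-ARCHIVE-SCAN-TEST-PLACEHOLDER\n"
MEMBER = "testfile.com"
MAGIC = {b"PK\x03\x04": "zip", b"\x1f\x8b": "gzip", b"BZh": "bzip2"}

def build_tar(payload: bytes, mode: str) -> bytes:
    # mode "w:gz" or "w:bz2" picks the compressor wrapped around the tar stream
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode=mode) as tar:
        info = tarfile.TarInfo(MEMBER)
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

def build_zip(payload: bytes, member: str = MEMBER) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, payload)
    return buf.getvalue()

def build_test_set(payload: bytes = TEST_PAYLOAD) -> dict:
    # Same payload in every container the gateway is expected to open.
    samples = {
        "plain": payload,  # control: the scanner must flag this one
        "zip": build_zip(payload),
        "tar.gz": build_tar(payload, "w:gz"),
        "tar.bz2": build_tar(payload, "w:bz2"),
    }
    # Nested container (tar.gz inside zip) exercises recursive unpacking.
    samples["zip-of-tar.gz"] = build_zip(samples["tar.gz"], "inner.tar.gz")
    return samples

def sniff(data: bytes) -> str:
    """Classify a container by magic bytes, not by the attachment's extension."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def extract_payload(data: bytes) -> bytes:
    """Unpack recursively until a non-archive is reached, as a scanner must."""
    kind = sniff(data)
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return extract_payload(zf.read(zf.namelist()[0]))
    if kind in ("gzip", "bzip2"):
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
            return extract_payload(tar.extractfile(tar.getmembers()[0]).read())
    return data
```

Mail each sample from build_test_set() as an attachment through the gateway under test; any container that arrives unflagged while the plain control is caught marks a format the gateway does not open.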
