Danny,

Imagine a .EXE/.COM program that was infected, but didn't carry the actual
payload.  The payload is in a separate image attachment, hoping to sneak
through.  The anti-virus scan doesn't see the signature in the executable,
doesn't scan the image, the virus boot then loads the payload from the image
(don't you hate untrusted code being able to mark pages executable?), and
the virus is activated.

I would check MIME type, file extension, and most importantly the magic, to
make sure that they all match.  Any failure to match would be suspect,
regardless of what the A/V program says.  I think you misunderstood my
earlier point.  In fairness, it wasn't clear as I had stated it.

        --- Noel
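
An added example of the three-way check Noel describes (not code from James or from either poster): it compares the declared MIME type, the file extension and the magic bytes of an attachment and flags any disagreement. The signature and extension tables are a constructed subset, not a complete list.

```python
# Added example: consistency check between an attachment's declared MIME type,
# its file extension and the magic bytes at the start of its content.
# Any disagreement is reported as suspect, whatever an A/V scan says.
import os

# Magic-byte signatures for a few common types (constructed subset).
MAGIC = {
    "image/gif": [b"GIF87a", b"GIF89a"],
    "image/png": [b"\x89PNG\r\n\x1a\n"],
    "image/jpeg": [b"\xff\xd8\xff"],
    "application/x-msdownload": [b"MZ"],   # DOS/Windows .EXE/.COM header
}

# Extension -> MIME type as a mail client would normally declare it.
EXT_TO_MIME = {
    ".gif": "image/gif", ".png": "image/png",
    ".jpg": "image/jpeg", ".jpeg": "image/jpeg",
    ".exe": "application/x-msdownload", ".com": "application/x-msdownload",
}

def sniff_mime(data: bytes):
    """Return the MIME type implied by the leading bytes, or None if unknown."""
    for mime, sigs in MAGIC.items():
        if any(data.startswith(s) for s in sigs):
            return mime
    return None

def check_attachment(filename: str, declared_mime: str, data: bytes):
    """Return (ok, reasons). ok is True only when extension, declared MIME
    type and magic bytes all agree; each disagreement is listed in reasons."""
    reasons = []
    ext = os.path.splitext(filename)[1].lower()
    ext_mime = EXT_TO_MIME.get(ext)
    magic_mime = sniff_mime(data)
    # Strip parameters such as "; name=photo.gif" from the Content-Type value.
    declared = declared_mime.split(";")[0].strip().lower()
    if ext_mime is None:
        reasons.append(f"unknown extension {ext!r}")
    elif ext_mime != declared:
        reasons.append(f"extension {ext} implies {ext_mime}, header says {declared}")
    if magic_mime is None:
        reasons.append("unrecognised magic bytes")
    elif magic_mime != declared:
        reasons.append(f"magic bytes say {magic_mime}, header says {declared}")
    return (not reasons, reasons)

if __name__ == "__main__":
    # Constructed samples: a real GIF, then a "GIF" that carries an MZ header.
    print(check_attachment("photo.gif", "image/gif", b"GIF89a\x01\x00\x01\x00"))
    print(check_attachment("photo.gif", "image/gif", b"MZ\x90\x00\x03\x00"))
```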

-----Original Message-----
From: Danny Angus [mailto:[EMAIL PROTECTED]
Sent: Saturday, June 21, 2003 11:31
To: James Users List
Subject: RE: Matchers & X Window


As this is Vincenzo's code and not James' this rant is just my 2c.

I'm not sure that omitting to scan *any* part is a good idea.

I know this isn't apache software, but if it was I'd veto introducing any
security loophole based on hearsay or speculation and not published
research.

Unless you guys know a lot more than me about virus detection I don't see
how you can confidently predict what might be carrying a dangerous payload;
just because it looks, tastes and smells like an image doesn't mean that it
is.

Isn't that the virus writer's idea, to slip a payload through your security
masquerading as innocent data? Just because *we* can't see what
harm it would cause doesn't mean that it really is benign. Surely that is the
reason why virus detection co's recommend you regularly scan everything;
Norton AV scans gifs on my hd.

I don't pretend to know much about it but you don't have to speculate much
either to work out what would happen if binary data could be slipped through
in mail as a .gif and somehow activated by some other exploit.

If there are issues with certain mime types then that is a bug that needs
fixing for security reasons, and not something we should even consider
working around if it is going to produce a loophole, however small, in the
AV scanning.

As far as I can make out it is the attitude in resolving conflict that
functionality is more important than security which gives M$ such a hard
time.

I urge caution.

d.
