Danny, Imagine a .EXE/.COM program that was infected, but didn't carry the actual payload. The payload is in a separate image attachment, hoping to sneak through. The anti-virus scan doesn't see the signature in the executable, doesn't scan the image, the virus boot then loads the payload from the image (don't you hate untrusted code being able to mark pages executable?), and the virus is activated.
I would check MIME type, file extension, and most importantly the magic, to make sure that they all match. Any failure to match would be suspect, regardless of what the A/V program says. I think you misunderstood my earlier point. In fairness, it wasn't clear as I had stated it. --- Noel -----Original Message----- From: Danny Angus [mailto:[EMAIL PROTECTED] Sent: Saturday, June 21, 2003 11:31 To: James Users List Subject: RE: Matchers & X Window As this is Vincezo's code and not James' this rant is just my 2c.. I'm not sure that omitting to scan *any* part is a good idea. I know this isn't apache software, but if it was I'd veto introducing any security loophole based on hearsay or speculation and not published research. Unless you guys know a lot more than me about virus detection I don't see how you can confidently predict what might be carrying a dangerous payload, just because it looks tastes and smells like an image doesn't mean that it is. Isn't that the virus writers idea to slip a payload through your security masquerading as innocent data. Just because *we* can't see what harm it would cause doesn't mean that it really is benign. Surely the reason why virus detection co's recommends you regularly scan everything, Norton AV scans gifs on my hd. I don't pretend to know much about it but you don't have to speculate much either to work out what would happen if binary data could be slipped through in mail as a .gif and somehow activated by some other exploit. If there are issues with certain mime types then that is a bug that needs fixed for security reasons, and not something we should even consider working around if it is going to produce a loophole, however small, in the AV scanning. As far as I can make out it is the attitude in resolving conflict that functionality is more important than security which gives M$ such a hard time. I urge caution. d. --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]