> It gives nothing as copies of Worm.Bagle.H (and previous variants also)
> vary in their contents and even sizes. So checksums are different.

We have started to see this as well -- we only caught a few w/ the
hard-coded crc hack.  This is not perfect either and it falls in line with
one gentleman's procmail filter.  Still, this may help some users.  We
have updated our virus filter to look something like this:

      if ((stat($file))[7] < 100000)  # filesize in bytes: only test small attachments
      {
        # fork: the child runs "unzip -t" with an empty password and feeds its
        # output (stderr merged into stdout below) back to the parent via UNZIP
        my $pid = open(UNZIP, "-|");
        die "cannot fork: $!" unless defined $pid;
        if ($pid == 0)
        {
          close(STDERR);
          open(STDERR, ">&STDOUT");
          exec("/usr/bin/unzip", '-t', '-P', '', $file);
          exit(1);  # only reached if exec fails; keeps the child out of the parent's loop
        }
        while (<UNZIP>)
        {
          # an empty password only triggers this message when a member is encrypted
          if (/incorrect password/)
          {
            close(UNZIP);
            print "Found the w32nsc/crypt-zip.gen virus !!!\n";
            found_virus();  # quarantine/notify routine defined elsewhere in the filter
          }
        }
        close(UNZIP);
      }

We are /hoping/ that virus .zips are <100k.  If anyone sends a legitimate
message which is an encrypted zip that is <100k we still quarantine it if
the user needs to have a copy and they are notified of the quarantine.
After a few tests, it does not appear that it will mark unpassworded zips
falsely since a zip w/o password and a zip w/ a password of '' appear to
be equivalent.


Eric Wheeler
Vice President
National Security Concepts, Inc.
PO Box 3567
Tualatin, OR 97062

http://www.nsci.us/
Voice: (503) 293-7656
Fax:   (503) 885-0770
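Added example (not the poster's filter and not ClamAV code): the same decision as the procmail/Perl filter above, made without shelling out to unzip. It walks the archive's central directory and reads bit 0 of each entry's general-purpose flag, which the zip format sets for encrypted members, and applies the same 100 KB size cap. Python is assumed here; the sample archive and its member name are constructed in the script.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"
CDIR_SIG = b"PK\x01\x02"
LOCAL_SIG = b"PK\x03\x04"
ENCRYPTED_FLAG = 0x0001  # general-purpose bit 0: member is encrypted


def zip_members(data):
    """Walk the central directory; return [(name, encrypted)] for each entry."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("not a zip archive (no end-of-central-directory record)")
    # EOCD: sig, disk, cd disk, entries on disk, total entries, cd size, cd offset, comment len
    _, _, _, _, total, _, cd_offset, _ = struct.unpack("<4sHHHHIIH", data[eocd:eocd + 22])
    pos, members = cd_offset, []
    for _ in range(total):
        if data[pos:pos + 4] != CDIR_SIG:
            raise ValueError("corrupt central directory")
        # central-directory header is 46 fixed bytes: flags at +8, name/extra/comment lengths at +28
        flags = struct.unpack_from("<H", data, pos + 8)[0]
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        members.append((name, bool(flags & ENCRYPTED_FLAG)))
        pos += 46 + name_len + extra_len + comment_len
    return members


def should_quarantine(data, max_size=100000):
    """Mirror the list filter: a small archive with any encrypted member is quarantined."""
    if len(data) >= max_size:
        return False
    return any(enc for _, enc in zip_members(data))


def make_sample(encrypted):
    """Constructed test data: a one-member zip, optionally marked encrypted by setting bit 0."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("price.exe", b"constructed sample payload, not a real binary")
    data = bytearray(buf.getvalue())
    if encrypted:
        for sig, off in ((LOCAL_SIG, 6), (CDIR_SIG, 8)):  # flag field offset within each header
            idx = data.find(sig)
            flags = struct.unpack_from("<H", data, idx + off)[0]
            struct.pack_into("<H", data, idx + off, flags | ENCRYPTED_FLAG)
    return bytes(data)
```

Only the flag bit is set on the sample; no real encryption is applied, which is all a flag-based detector sees and also why "unzip -t -P ''" reports the member as needing a password.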


