Goran,

Viruses aren't going to recursively zip themselves multiple times because people aren't going to dig that deep, and most scanners can handle this regardless. I am not aware of decompression bombs being associated with recursively zipped files, but it appears that the release notes suggest that this can happen, maybe as a form of DoS against the scanner. Such a file shouldn't be dangerous to a client computer unless its scanner will unzip an infinite number of times within a file. I don't believe there is a reason to block exit code 10, though having this code makes sense so that failed scans can be logged with an approximation of the reasoning. It would be a shame though if they included standard decompression bomb hits in exit code 10, but the release notes don't seem to indicate that. I'm not aware of my server finding a decompression bomb in the wild, though the threat is real, and taking down a vulnerable server can be as simple as sending a single file.

The error code 9 has a chance of being useful depending on specifics. Most of us have Declude set to deliver errors in scanning, and I would think that the same reasoning would apply to not using error code 9. This also appears to trigger on encrypted archives, and that would interfere with Declude's functionality, and cause issues if you are using BANEXIPEXTS and don't want to block all encrypted archives, just ones that contain payloads. Triggering exit code 9 on damaged files might be highly indicative of corrupt viruses, but it could also trip on many different forms of corrupt data, and could cause false positives.

I wouldn't recommend adding these codes to Declude based on the release notes.

Matt



Goran Jovanovic wrote:

Hi All,

There are 2 new Exit Codes for FPCMD.EXE now (9 and 10).

Exit Code 9 indicates that something was unscannable for some sort of
reason

Exit Code 10 indicates that the scanner reached the max depth in the
/ARCHIVE=N option.

It seems that we should now be specifying:

VIRUSCODE1      3
VIRUSCODE1      6
VIRUSCODE1      9
VIRUSCODE1      10

Thought and comments?

From the release notes:

Archive handling has been improved and is now more consistent.
Version 3.16 also includes detection against so-called "archive
bombs", archives that are constructed in such a way that a seemingly innocent file will expand tremendously, consuming all
available memory and CPU on the computer. A part of this change
is that the scanners now only scan to a certain number of levels.
Of particular note is that the Command-Line Scanner (fpcmd.exe)
only scans by default to a depth of 5 levels. This can be changed
by using the command-line switch /ARCHIVE=N where N can be 1 through
99, or 0 for infinite. If the limit is exceeded then it will exit
with a new exit code 10 (some files were not scanned; in this case
because maximum archive level was reached). The OnDemand Scanner
scans an infinite number of levels by default but this behaviour
can be changed using the same command-line switch. The RealTime
Protector scans to a depth of one level by default.


Another new exit code has been added to the OnDemand Scanner and
the Command-Line Scanner, exit code 9.  This exit code indicates
that some files were not scanned, e.g., encrypted files, because
of unsupported/unknown compression methods, because of
unsupported/unknown file formats, corrupted or invalid files.

Both exit code 9 and 10 indicate that some files were not scanned
and, therefore, they can not be guaranteed to be clean.  The
difference between them is that if exit code 10 occurs then some
settings can be changed (e.g., increase the maximum allowed
archive depth) and the scanner might be able to scan the file.
If, however, exit code 9 occurs then the scanner is not able to
scan the file.




Goran Jovanovic
The LAN Shoppe

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".    The archives can be found
at http://www.mail-archive.com.





--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
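To make the difference between the two new exit codes concrete, here is an added example (not FPCMD's or Declude's code, written for this thread) of a nested-archive walker that mirrors the semantics quoted from the release notes: it walks zip-inside-zip members up to a configurable depth, with 0 meaning unlimited, and reports "depth_exceeded" (the exit code 10 situation, which goes away if the limit is raised) separately from "unscannable" (the exit code 9 situation: an encrypted or corrupt member that no setting will fix). It also shows one cheap archive-bomb check, comparing the uncompressed and compressed sizes recorded in the central directory before anything is inflated. The status names, the MAX_RATIO threshold and the sample archives are all assumptions constructed for the example; nothing here says how F-Prot itself decides.

```python
import io
import zipfile

# Status values for this example (not FPCMD exit codes, though the middle two
# follow the same split the release notes describe for codes 9 and 10).
CLEAN = "clean"                    # every member was opened and inspected
UNSCANNABLE = "unscannable"        # encrypted/corrupt member: a higher depth will not help
DEPTH_EXCEEDED = "depth_exceeded"  # nesting deeper than the limit: rerun with a higher limit
ARCHIVE_BOMB = "archive_bomb"      # member inflates far beyond its stored size

MAX_RATIO = 100  # hypothetical inflation ratio above which a member is treated as a bomb
ZIP_MAGIC = b"PK\x03\x04"


def scan_zip_bytes(data, max_depth=5, _depth=1):
    """Walk a zip and the zips nested inside it.

    max_depth counts archive levels, the outermost archive being level 1;
    0 means unlimited (as the /ARCHIVE=0 switch is described).
    Returns (status, deepest_level_actually_opened).
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return UNSCANNABLE, _depth  # corrupt or not a zip at all: cannot look inside
    deepest = _depth
    for info in zf.infolist():
        if info.flag_bits & 0x1:  # general-purpose bit 0 = member is encrypted
            return UNSCANNABLE, deepest
        # Sizes come from the central directory, so this costs no inflation.
        if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
            return ARCHIVE_BOMB, deepest
        with zf.open(info) as member:
            head = member.read(len(ZIP_MAGIC))
        if head != ZIP_MAGIC:
            continue  # ordinary file; a real scanner would signature-scan it here
        if max_depth and _depth >= max_depth:
            return DEPTH_EXCEEDED, deepest  # opening it would exceed the limit
        status, inner_deepest = scan_zip_bytes(zf.read(info), max_depth, _depth + 1)
        deepest = max(deepest, inner_deepest)
        if status != CLEAN:
            return status, deepest
    return CLEAN, deepest


# --- constructed sample archives (built in memory; not real-world samples) ---

def make_nested_zip(levels, payload=b"constructed sample payload"):
    """Zip nested `levels` deep; level 1 is the outermost archive."""
    data, name = payload, "payload.txt"
    for _ in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
            z.writestr(name, data)
        data, name = buf.getvalue(), "inner.zip"
    return data


def make_corrupt_nested_zip():
    """Valid outer zip whose inner.zip member is truncated after its local header."""
    truncated = make_nested_zip(1)[:30]  # magic survives, central directory is gone
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("inner.zip", truncated)
    return buf.getvalue()


def make_bomb_zip(size=2_000_000):
    """Single member of zeros: deflate stores it in a few KB, ratio around 1000:1."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("zeros.bin", b"\x00" * size)
    return buf.getvalue()


if __name__ == "__main__":
    print("5 levels, limit 5:", scan_zip_bytes(make_nested_zip(5), max_depth=5))
    print("6 levels, limit 5:", scan_zip_bytes(make_nested_zip(6), max_depth=5))
    print("8 levels, no limit:", scan_zip_bytes(make_nested_zip(8), max_depth=0))
    print("corrupt inner zip: ", scan_zip_bytes(make_corrupt_nested_zip()))
    print("bomb member:       ", scan_zip_bytes(make_bomb_zip()))
```

The point of keeping the ratio check ahead of the depth check is the one Matt raises: a bomb hit and a depth hit are different events and should be logged differently, since only the second is cured by raising /ARCHIVE=N. A real deployment would add a total uncompressed-byte budget alongside the per-member ratio, because a bomb can also be many modest members rather than one extreme one.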
