BANEXT rar has been working great for me.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Thursday, April 26, 2007 11:36 PM
To: [email protected]
Subject: [Declude.Virus] More info about encrypted RAR virus and Declude failures

I have downloaded a copy of the virus and inspected it.  The file is a 
functional encrypted RAR with an EXE inside of the same file name.  I also 
researched why Declude might not be catching this and I believe that I know why.

Declude will properly detect an executable within a RAR file and the fact that 
the file is encrypted.  I verified this with my own test on a file that I 
encrypted.  The problem however is the fact that you can also encrypt the file 
name within a RAR and not just the file.  The virus that was being spammed 
encrypted both the file name and the file, so Declude likely got hung up on 
trying to extract the name from the RAR.

Note to Dave.  This took me all of 30 minutes to figure out.  Unfortunately 
there is somewhat of a conundrum here as you will need to introduce new 
functionality in order to handle this appropriately.  While I don't expect that 
RAR files will be commonly used for viruses due to the rarity of the client, it 
is definitely necessary to allow users to block encrypted RARs when the file 
names are not extractable.  I have a recommendation for how to handle this 
which would be quite consistent with current behavior and possibly help with 
unexpected conditions with ZIPs too:
For both encrypted ZIPs and encrypted RARs where the file names can't be 
extracted, assume that it contains an EXE.  This will allow for those that want 
to block all encrypted files and those that only want to block them when there 
is an executable inside to maintain proper levels of protection.

Let me know if you would like some more feedback or information.

Thanks,

Matt

---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus". The archives can be found
at http://www.mail-archive.com.
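The distinction Matt draws (file data encrypted versus block headers encrypted, which also hides the file names) is visible in the RAR header flags, and his recommended rule can be applied from a gateway scanner without decrypting anything. The following is an added example, not code from this thread, from Declude, or from Matt; it assumes the published RAR 4.x block layout and flag values (MHD_PASSWORD 0x0080 in the main header, LHD_PASSWORD 0x0004 in a file header) and, for RAR5, only checks whether the first block after the signature is the archive encryption header. The sample archives are constructed byte strings with zero placeholder CRCs, which this parser does not verify.

```python
import struct

# Signatures of the two RAR container generations.
RAR4_SIG = b"Rar!\x1a\x07\x00"
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"

# RAR 4.x (2.9/3.x) block types and header flags, per the public technote.
MAIN_HEAD = 0x73
FILE_HEAD = 0x74
LONG_BLOCK = 0x8000       # a 4-byte ADD_SIZE follows HEAD_SIZE (always set on file headers)
MHD_PASSWORD = 0x0080     # main header: every following block header is encrypted (names unreadable)
LHD_PASSWORD = 0x0004     # file header: file data is encrypted, name is still in the clear
LHD_LARGE = 0x0100        # file header: 64-bit size fields precede the file name
RAR5_ENCRYPTION_HEAD = 4  # RAR5 block type that precedes encrypted headers

EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")


def _rar5_vint(data, pos):
    """Decode a RAR5 variable-length integer (7 bits per byte, 0x80 = continue)."""
    value, shift = 0, 0
    while pos < len(data):
        b = data[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            break
    return value, pos


def _walk_rar4(data):
    """Walk RAR 4.x blocks; return ([(name, data_encrypted), ...], headers_encrypted)."""
    entries, pos = [], len(RAR4_SIG)
    while pos + 7 <= len(data):
        _crc, htype, hflags, hsize = struct.unpack_from("<HBHH", data, pos)
        if hsize < 7:
            break  # malformed header: stop walking rather than loop forever
        add_size = 0
        if hflags & LONG_BLOCK and pos + 11 <= len(data):
            add_size = struct.unpack_from("<I", data, pos + 7)[0]  # packed data following the header
        if htype == MAIN_HEAD and hflags & MHD_PASSWORD:
            return entries, True  # everything after this block is encrypted, names included
        if htype == FILE_HEAD and pos + 32 <= len(data):
            name_size = struct.unpack_from("<H", data, pos + 26)[0]
            name_off = pos + 32 + (8 if hflags & LHD_LARGE else 0)
            raw = data[name_off:name_off + name_size]
            name = raw.split(b"\x00", 1)[0].decode("latin-1")  # ASCII part of a possibly Unicode name
            entries.append((name, bool(hflags & LHD_PASSWORD)))
        pos += hsize + add_size
    return entries, False


def classify_rar(data):
    """Assess one RAR archive; unreadable file names are assumed to hide an executable."""
    info = {"format": None, "headers_encrypted": False, "entries": [],
            "encrypted": False, "assume_executable": False}
    if data.startswith(RAR5_SIG):
        info["format"] = "rar5"
        pos = len(RAR5_SIG) + 4  # skip the 4-byte block CRC32
        _size, pos = _rar5_vint(data, pos)
        htype, _ = _rar5_vint(data, pos)
        info["headers_encrypted"] = htype == RAR5_ENCRYPTION_HEAD  # RAR5 entries are not walked here
    elif data.startswith(RAR4_SIG):
        info["format"] = "rar4"
        info["entries"], info["headers_encrypted"] = _walk_rar4(data)
    else:
        return info  # not a RAR archive
    if info["headers_encrypted"]:
        # Names cannot be extracted: apply the conservative rule from the thread.
        info["encrypted"] = True
        info["assume_executable"] = True
    else:
        info["encrypted"] = any(enc for _, enc in info["entries"])
        info["assume_executable"] = any(n.lower().endswith(EXECUTABLE_EXTS) for n, _ in info["entries"])
    return info


def should_block(info, policy):
    """Apply one of the two user policies the thread describes."""
    if policy == "block_all_encrypted":
        return info["encrypted"]
    if policy == "block_encrypted_executables":
        return info["encrypted"] and info["assume_executable"]
    raise ValueError(f"unknown policy: {policy}")


# Builders for constructed sample archives (placeholder CRCs, minimal fixed fields).
def _rar4_main_head(flags=0):
    return struct.pack("<HBHH", 0, MAIN_HEAD, flags, 13) + b"\x00" * 6


def _rar4_file(name, flags, payload):
    name_b = name.encode()
    body = struct.pack("<IIBIIBBHI", len(payload), len(payload), 0, 0, 0, 29, 0x30, len(name_b), 0x20) + name_b
    return struct.pack("<HBHH", 0, FILE_HEAD, flags | LONG_BLOCK, 7 + len(body)) + body + payload


SAMPLE_PLAIN = RAR4_SIG + _rar4_main_head() + _rar4_file("invoice.exe", 0, b"MZ-stub")
SAMPLE_ENCRYPTED_DATA = RAR4_SIG + _rar4_main_head() + _rar4_file("invoice.exe", LHD_PASSWORD, b"\xa7\x11\x3c\x9e")
SAMPLE_ENCRYPTED_NAMES = RAR4_SIG + _rar4_main_head(MHD_PASSWORD) + b"\x8f\x21\xd4\x0b\x77\x5a\xe3\x19" * 4
SAMPLE_RAR5_ENCRYPTED_NAMES = RAR5_SIG + b"\x00\x00\x00\x00" + bytes([0x0D, RAR5_ENCRYPTION_HEAD]) + b"\x00" * 12

if __name__ == "__main__":
    for label, sample in [("plain", SAMPLE_PLAIN), ("data encrypted", SAMPLE_ENCRYPTED_DATA),
                          ("names encrypted", SAMPLE_ENCRYPTED_NAMES), ("rar5 names encrypted", SAMPLE_RAR5_ENCRYPTED_NAMES)]:
        info = classify_rar(sample)
        print(label, info, "block(exe-only policy):", should_block(info, "block_encrypted_executables"))
```

The "names encrypted" sample is the case from the thread: the walker sees MHD_PASSWORD on the main header, finds no readable entries, and the archive is treated as both encrypted and executable-bearing, so either policy blocks it; the "data encrypted" sample still exposes its name and is blocked only because that name is an executable.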


