BANEXT RAR will block all RAR files, encrypted or not. That wasn't the
issue at hand here. It was related to BANEZIPEXTS ON (in my case)
and possibly BANEZIP ON.
Matt
Dan Shadix wrote:
BANEXT rar has been working great for me.
*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] *On Behalf Of* Matt
*Sent:* Thursday, April 26, 2007 11:36 PM
*To:* declude.virus@declude.com
*Subject:* [Declude.Virus] More info about encrypted RAR virus and
Declude failures
I have downloaded a copy of the virus and inspected it. The file is a
functional encrypted RAR with an EXE inside of the same file name. I
also researched why Declude might not be catching this and I believe
that I know why.
Declude will properly detect an executable within a RAR file and the
fact that the file is encrypted. I verified this with my own test on
a file that I encrypted. The problem however is the fact that you can
also encrypt the file name within a RAR and not just the file. The
virus that was being spammed encrypted both the file name and the
file, so Declude likely got hung up on trying to extract the name from
the RAR.
Note to Dave. This took me all of 30 minutes to figure out.
Unfortunately there is somewhat of a conundrum here as you will need
to introduce new functionality in order to handle this appropriately.
While I don't expect that RAR files will be commonly used for viruses
due to the rarity of the client, it is definitely necessary to allow
users to block encrypted RARs when the file names are not
extractable. I have a recommendation for how to handle this which
would be quite consistent with current behavior and possibly help with
unexpected conditions with ZIPs too:
For both encrypted ZIPs and encrypted RARs where the file names
can't be extracted, assume that it contains an EXE. This will allow
for those that want to block all encrypted files and those that only
want to block them when there is an executable inside to maintain
proper levels of protection.
Let me know if you would like some more feedback or information.
Thanks,
Matt
---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus". The archives can be found
at http://www.mail-archive.com.
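
The check recommended in the message above, as an added example (not code from the thread and not Declude's own): a Python parser for the RAR 1.5-4.x container that separates "data encrypted, names readable" from "headers encrypted, names hidden" and fails closed in the second case by assuming an executable. The function names, the `BANNED_EXTS` list and the `sample` builder are assumptions, and the sample archives are constructed bytes.

```python
import struct

RAR4_MAGIC = b"Rar!\x1a\x07\x00"   # RAR 1.5-4.x signature
MAIN_HEAD, FILE_HEAD = 0x73, 0x74
MHD_PASSWORD = 0x0080  # main header flag: all later headers (names) encrypted
LHD_PASSWORD = 0x0004  # file header flag: file data encrypted, name readable
LHD_LARGE = 0x0100     # file header carries two extra 32-bit size fields
LONG_BLOCK = 0x8000    # a 32-bit data size follows the 7-byte common header
BANNED_EXTS = (".exe", ".scr", ".pif", ".com")  # assumed list for the demo

def inspect_rar4(data):
    """Return (encrypted, has_executable, names); unreadable names fail closed."""
    if not data.startswith(RAR4_MAGIC):
        raise ValueError("not a RAR 1.5-4.x archive")
    pos, encrypted, names = len(RAR4_MAGIC), False, []
    while pos + 7 <= len(data):
        _crc, htype, flags, hsize = struct.unpack_from("<HBHH", data, pos)
        if hsize < 7 or pos + hsize > len(data):
            return encrypted, True, names      # corrupt header: assume an EXE
        if htype == MAIN_HEAD and flags & MHD_PASSWORD:
            return True, True, []              # names hidden: assume an EXE
        data_size = 0
        if flags & LONG_BLOCK and hsize >= 11:
            data_size, = struct.unpack_from("<I", data, pos + 7)
        if htype == FILE_HEAD:
            if hsize < 32:
                return encrypted, True, names  # name field missing
            name_size, = struct.unpack_from("<H", data, pos + 26)
            start = pos + 32 + (8 if flags & LHD_LARGE else 0)
            raw = data[start:start + name_size].split(b"\0")[0]
            names.append(raw.decode("latin-1"))
            encrypted |= bool(flags & LHD_PASSWORD)
        pos += hsize + data_size
    has_exe = any(n.lower().endswith(BANNED_EXTS) for n in names)
    return encrypted, has_exe, names

def sample(name=b"", file_flags=0, main_flags=0):
    """Constructed RAR4 bytes for the demo (CRCs zeroed, payload is filler)."""
    main = struct.pack("<HBHH6x", 0, MAIN_HEAD, main_flags, 13)
    if main_flags & MHD_PASSWORD:
        return RAR4_MAGIC + main + bytes(24)   # stand-in for salt + ciphertext
    payload = bytes(16)
    head = struct.pack("<HBHHIIBIIBBHI", 0, FILE_HEAD, file_flags | LONG_BLOCK,
                       32 + len(name), len(payload), 16, 2, 0, 0, 29, 0x33,
                       len(name), 0x20)
    return RAR4_MAGIC + main + head + name + payload
```

A policy that bans every encrypted archive keys on the first returned value; a policy that bans only encrypted archives holding an executable requires the first two values together, and both catch the hidden-name case.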