> I don't have any real expectation that Clam would be able to
> recognize this in its JS-hta-wrapped form, now that I understand
> it -- but I am interested in the idea that anyone can repackage an
> existing Trojan in this way and slip by most scanners.
>
> -royce
I have to disagree with "most" here - MimeDefang's default filter includes hta in its list of bad extensions.

But it is a scary thought that viruses can encode themselves. hta-encoded viruses are not particularly scary, but what about uber-common extensions like .doc or .zip? If a virus spreads by .doc files, extension blocking is useless. That's where virus definitions come in handy.

But what if a virus spreads in a .zip file? No problem, you might say. Just have Clam unzip the file and scan the contents. This works most of the time - provided the .zip in question is not encrypted!

Ah, you say - but if the .zip is encrypted, the user cannot open it either! Well, maybe they can and maybe they can't. The message body could include something like "Here's the pictures you wanted - the password to open the attachment is SJKZUDJ" which would allow the user to open it.

Ah, you say - but the encrypted zip file would still have a constant binary pattern, which could be added to the virus list and scanned for! Would it? What if the virus, when it ran, picked a random password? And encrypted itself with the new random password, rather than the one it originally was opened with?

About the only thing I can think of is to allow an option to quarantine any encrypted contents of an attached archive.

Matthew van Eerde
Software Engineer
Hispanic Business Inc.
HireDiversity.com
http://www.hispanicbusiness.com
http://www.hirediversity.com
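An added example (not code from the list thread or from MIMEDefang itself) of the option proposed above: a small attachment policy in Python that flags an archive as encrypted by reading only the zip central directory, so no password is needed, and otherwise falls back to extension blocking or a scanner pass. The extension list, function names and the sample archives are constructed for illustration.

```python
import io
import zipfile

# Illustrative subset of a "bad extensions" list; the thread notes that
# MIMEDefang's default filter includes .hta among them.
BAD_EXTENSIONS = {".hta", ".exe", ".scr", ".pif", ".vbs"}
ENCRYPTED_FLAG = 0x0001  # general-purpose flag bit 0: member is encrypted


def bad_extension(name):
    lower = name.lower()
    return any(lower.endswith(ext) for ext in BAD_EXTENSIONS)


def inspect_zip(data):
    """Return (encrypted_members, bad_extension_members) for a zip in memory.
    Only the central directory is parsed; nothing is extracted, so an encrypted
    member is detected whether or not the password is known."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    encrypted = [i.filename for i in infos if i.flag_bits & ENCRYPTED_FLAG]
    bad = [i.filename for i in infos if bad_extension(i.filename)]
    return encrypted, bad


def classify_attachment(filename, data, quarantine_encrypted=True):
    """Decide what to do with one attachment; the strings are policy labels."""
    if bad_extension(filename):
        return "reject-extension"
    if not filename.lower().endswith(".zip"):
        return "scan-with-clam"
    try:
        encrypted, bad = inspect_zip(data)
    except zipfile.BadZipFile:
        return "quarantine-corrupt-archive"  # scanner could not look inside either
    if bad:
        return "reject-extension-in-archive"
    if encrypted and quarantine_encrypted:
        return "quarantine-encrypted-archive"
    return "scan-with-clam"


def make_sample_zip(member, payload, encrypted=False):
    """Constructed test data: a one-member zip. For the encrypted case, bit 0 of
    the flag field is set in the local header (offset 6) and the central
    directory header (offset 8), which is how a reader sees 'password required'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, payload)
    raw = bytearray(buf.getvalue())
    if encrypted:
        raw[raw.find(b"PK\x03\x04") + 6] |= ENCRYPTED_FLAG
        raw[raw.find(b"PK\x01\x02") + 8] |= ENCRYPTED_FLAG
    return bytes(raw)
```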

