Massimo Sala <massimo.sala...@gmail.com> added the comment:
Hi Serhiy,

Thanks for the suggestion, but I don't need to analyse different self-extraction payloads (and I think it is always unreliable; there are too many self-extractors in the wild).

I'll spend two words about my work. I analyze ZIP archives because they are the "incarnation" also of Microsoft OOXML and OpenOffice OASIS ODF documents. I always find that these kinds of files with a non-zero offset aren't strictly compliant documents (by their respective file format specifications). Sometimes there is a self-extractor, sometimes there are pieces of malware blobs (outside the ZIP structure or inside it, in the compressed files), sometimes other errors.

For us, checking the offset is very effective: we discard "bad" documents at maximum speed before any other checks, and it is more reliable than antivirus (checking against specific blob signatures, changing every time). With just a single test we have a 100% go/no-go result. Every colleague grasps this check; there are no hard-to-read or hard-to-maintain routines.

Massimo

On Sat, 18 Apr 2020 at 09:36, Serhiy Storchaka <rep...@bugs.python.org> wrote:
>
> Serhiy Storchaka <storchaka+cpyt...@gmail.com> added the comment:
>
> I am not sure it would help you. There are legitimate files which contain
> a payload followed by the ZIP archive (self-extracting archives, programs
> with embedded ZIP archives). And the malware can make the offset of the ZIP
> archive be zero.
>
> If you want to check whether the file looks like an executable, analyze the
> first few bytes of the file. All executable files should start with one of the
> well-recognized signatures, otherwise the OS would not know how to execute
> them and they would not be malware.
>
> ----------
>
> _______________________________________
> Python tracker <rep...@bugs.python.org>
> <https://bugs.python.org/issue40301>
> _______________________________________
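The offset check Massimo describes, written out as an added example (not code from this thread or from the zipfile module): it parses the End of Central Directory record by hand, derives the number of bytes that precede the ZIP structure (the same arithmetic zipfile uses internally to tolerate a prefix), and, going one step beyond the thread, also reports data appended after the archive. The sample archive, the `PREFIX` bytes and the function names are constructed for this example; only the standard library is used.

```python
import io
import struct
import zipfile

# Signatures and sizes from the ZIP specification (APPNOTE.TXT).
LOCAL_FILE_HEADER_SIG = b"PK\x03\x04"
EOCD_SIG = b"PK\x05\x06"
EOCD_FIXED_SIZE = 22      # fixed part of the End of Central Directory record
MAX_COMMENT_LEN = 0xFFFF  # the archive comment length is a 16-bit field


def zip_layout(data: bytes) -> dict:
    """Locate the End of Central Directory (EOCD) record of a ZIP archive held
    in memory and report how much data surrounds the ZIP structure.

    Returns {"start_offset": n, "trailing": m}: n bytes precede the archive
    (0 for a clean file) and m bytes follow the EOCD record and its comment
    (0 for a clean file).  ZIP64 archives are out of scope for this check.
    Raises ValueError when no EOCD record is present.
    """
    # The EOCD is the last record; only a comment of at most 64 KiB may follow it.
    tail = data[-(EOCD_FIXED_SIZE + MAX_COMMENT_LEN):]
    idx = tail.rfind(EOCD_SIG)
    if idx < 0:
        raise ValueError("no End of Central Directory record found")
    eocd_pos = len(data) - len(tail) + idx
    # Central directory size, central directory offset and comment length
    # occupy bytes 12..21 of the EOCD record.
    cd_size, cd_offset, comment_len = struct.unpack(
        "<IIH", data[eocd_pos + 12:eocd_pos + EOCD_FIXED_SIZE])
    # The central directory is written immediately before the EOCD, so its real
    # position minus the position the archive claims for it is the prefix size.
    start_offset = eocd_pos - cd_size - cd_offset
    trailing = len(data) - (eocd_pos + EOCD_FIXED_SIZE + comment_len)
    return {"start_offset": start_offset, "trailing": trailing}


def is_clean_zip(data: bytes) -> bool:
    """The go/no-go test: the ZIP structure must begin at byte 0 with a local
    file header and nothing may follow the EOCD record."""
    if not data.startswith(LOCAL_FILE_HEADER_SIG):
        return False
    try:
        layout = zip_layout(data)
    except ValueError:
        return False
    return layout["start_offset"] == 0 and layout["trailing"] == 0


def make_sample_docx() -> bytes:
    """Constructed minimal OOXML-style archive used as test input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


# Constructed opaque prefix standing in for whatever precedes the archive.
PREFIX = b"CONSTRUCTED-PREFIX-" * 4


if __name__ == "__main__":
    clean = make_sample_docx()
    prefixed = PREFIX + clean
    appended = clean + b"\x00" * 16
    for name, blob in (("clean", clean), ("prefixed", prefixed), ("appended", appended)):
        # zipfile happily opens the prefixed variant; the layout check rejects it.
        print(name, zip_layout(blob),
              "stdlib accepts:", zipfile.is_zipfile(io.BytesIO(blob)),
              "clean:", is_clean_zip(blob))
```

Running the block shows why the check is cheap and decisive: `zipfile.is_zipfile` still returns True for the prefixed archive, because the stdlib deliberately tolerates a leading payload, while `is_clean_zip` reports False for both the prefixed and the appended variants and True only for the archive that starts at offset zero. A comment containing the EOCD signature, or more than 64 KiB of trailing data, would defeat this minimal parser, so a production version should fall back to a slower structural walk in those cases.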