RE: Virus scanning (was RE: Matchers X Window)

2003-06-22 Thread Vincenzo Gianferrari Pini
After reading your http://www.alaska.net/~royce/pub/solaris/MAGIC link I see what it 
is all about. But is there any formal or informal organization that keeps a list like 
that up to date?

Regarding the discussion on this thread, I think that there are two different issues 
here:

1) Should a mailet or a matcher like IsInfected scan everything or not.

2) Should it identify malformations in a message, including innocent or guilty 
alterations of the extension / MIME type / magic matching, but not excluding other 
checks.

Regarding point 1), as a user I prefer to scan everything, but if the A/V program like 
McAfee's VirusScan allows the user to choose whether or not to scan everything or just 
dangerous extensions or chosen extensions, it is up to the user. As the 
matcher/mailet has to offload the attachment to a directory to have the A/V do that, 
having it look at the extension is only a matter of performance (why offload a JPEG if 
later on I ask the A/V to ignore it?). Currently IsInfected offloads everything and 
what to do is left to the command line string passed to the A/V, so I think it is safe 
and could be made to perform better.

Point 2) instead should be done in a kind of IsMalformed matcher or CheckCompliance 
mailet, whose outcome can be used in config.xml to take an appropriate action. As its 
operation could require an overhead already used in the IsInfected or equivalent 
matcher or mailet, it is again only a matter of performance doing such work only once 
while scanning for viruses.

Vincenzo

 -Original Message-
 From: Vincenzo Gianferrari Pini
 [mailto:[EMAIL PROTECTED]]
 Sent: domenica 22 giugno 2003 10.23
 To: James Users List
 Subject: RE: Virus scanning (was RE: Matchers  X Window)
 
 
 This magic number topic is quite new to me :-)
 
 I've looked around with Google, but didn't find any link really 
 explaining what it's all about. Do you have any good one to suggest?
 
 Thanks,
 
 Vincenzo
 
  -Original Message-
  From: Noel J. Bergman [mailto:[EMAIL PROTECTED]
  Sent: domenica 22 giugno 2003 1.01
  To: James Users List
  Subject: RE: Virus scanning (was RE: Matchers  X Window)
  
  
I would check MIME type, file extension, and most importantly the
magic, to make sure that they all match.  Any failure to match
would be suspect, regardless of what the A/V program says.  I
think you misunderstood my earlier point.
  
   In truth I must have done, I *still* wouldn't like to trust that those
   things weren't being hijacked though, even the magic.
  
  Exactly.  So if an attachment has MIME type T then it should have one of the
  known extensions for MIME type T and it should have the correct magic.  That
  way if an attachment claims to be MIME type image/jpeg, then it must have
  an extension of .jpeg, jpg or jpe, AND have a magic value of
  0xFFD8FFE0JFIF0x00.  If it has a magic value of something else, e.g.,
  0x7FELF or MZ, then it should be rejected *regardless of the anti-virus
  scan*.  A simple set of magic is:
  
  Format        Magic
  PNG           0xD3PNG
  GIF           GIF89a
  JPEG          0xFFD8FFE0JFIF0x00
  ELF           0x7FELF
  Windows .EXE  MZ
  
  /usr/share/[misc/]magic has a collected set to use with the file command
  (Windows users, see: http://www.alaska.net/~royce/pub/solaris/MAGIC).  The
  pertinent aspects of the file command could be re-implemented in Java.
  
  The purpose would be to prevent someone from slipping an executable by as a
  non-executable, since most operating systems load by magic, not extension or
  MIME type.
  
  --- Noel
  
  
  -
  To unsubscribe, e-mail: [EMAIL PROTECTED]
  For additional commands, e-mail: [EMAIL PROTECTED]
  
 
 
 





RE: Virus scanning (was RE: Matchers X Window)

2003-06-22 Thread Noel J. Bergman
 Try telling a Mac-user (or a Unix-user) that he *must* put a
 file-extension on the filename ;-)

If there isn't an extension, then it doesn't need to match.  :-)

 As far as I know, only Windows and VMS require a file extension in the
 filename.

Actually, that's part of the problem.  Although the front end of Windows
cares about extensions, if I recall correctly, the loader only cares about
the file format.  For example, you could hack the registry and create a
new executable file extension fairly easily.

--- Noel


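As an added example, not code from the thread or from the James project, the check below implements the rule Noel states in his first message (declared MIME type, filename extension and magic must all agree, and executable magic behind a non-executable claim is rejected regardless of the A/V result) together with the point from his second message that a filename without an extension simply has nothing to match. The type table, the executable list, the function names and the sample attachment bytes are all constructed for this example; the JFIF, GIF, ELF and MZ values follow the thread's table, the PNG signature is the real eight-byte one (the thread's "0xD3PNG" should read 0x89 followed by "PNG"), and the Exif JPEG variant is an addition.

```python
import os

# Declared MIME type -> accepted extensions and accepted magic patterns.
# A magic pattern is a tuple of (offset, expected bytes) parts; every part must
# be present for the pattern to match. JPEG/JFIF, GIF, ELF and MZ follow the
# values given in the thread; the PNG signature is the real one (0x89 'PNG'
# CR LF 0x1A LF) and the Exif JPEG variant is added because cameras emit it.
KNOWN_TYPES = {
    "image/jpeg": {
        "extensions": ("jpeg", "jpg", "jpe"),
        "magic": [
            ((0, b"\xff\xd8\xff\xe0"), (6, b"JFIF\x00")),  # JFIF, as in the thread
            ((0, b"\xff\xd8\xff\xe1"), (6, b"Exif\x00")),  # Exif (added here)
        ],
    },
    "image/png": {
        "extensions": ("png",),
        "magic": [((0, b"\x89PNG\r\n\x1a\n"),)],
    },
    "image/gif": {
        "extensions": ("gif",),
        "magic": [((0, b"GIF87a"),), ((0, b"GIF89a"),)],
    },
}

# Executable containers: rejected whenever the attachment claims to be one of
# the non-executable types above, whatever the A/V scanner reports.
EXECUTABLE_MAGIC = {
    "ELF": (0, b"\x7fELF"),
    "Windows PE/DOS (MZ)": (0, b"MZ"),
}


def _matches(data, pattern):
    """True if every (offset, bytes) part of the pattern is present in data."""
    return all(data[off:off + len(part)] == part for off, part in pattern)


def detect_executable(data):
    """Name of the executable format whose magic the data carries, or None."""
    for name, part in EXECUTABLE_MAGIC.items():
        if _matches(data, (part,)):
            return name
    return None


def check_attachment(filename, declared_mime, data):
    """Return (verdict, reason); verdict is "accept", "reject" or "unknown".

    Rules, as stated in the thread: the extension, if the filename has one,
    must belong to the declared type (no extension means nothing to match);
    the leading bytes must carry a magic value of the declared type; and
    executable magic behind a non-executable claim is rejected outright.
    """
    mime = declared_mime.split(";")[0].strip().lower()  # drop "; name=..." parameters
    exe = detect_executable(data)
    spec = KNOWN_TYPES.get(mime)
    if spec is None:
        # No rules for this type, so the claim cannot be verified; the policy in
        # config.xml decides what to do. The reason still names any executable.
        note = f"no extension/magic rules for {mime}"
        return "unknown", note + (f" (carries {exe} magic)" if exe else "")
    if exe is not None:
        return "reject", f"claims {mime} but carries {exe} magic"
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    if ext and ext not in spec["extensions"]:
        return "reject", f"extension .{ext} is not one of {spec['extensions']} for {mime}"
    if not any(_matches(data, p) for p in spec["magic"]):
        return "reject", f"leading bytes {data[:8]!r} are not a known {mime} magic"
    return "accept", "MIME type, extension and magic agree"


# Constructed sample attachments (not real files): a minimal JFIF header, a PNG
# signature, a DOS/PE stub and an ELF header, each padded with zero bytes.
JFIF_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 8
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
MZ_SAMPLE = b"MZ\x90\x00" + b"\x00" * 16
ELF_SAMPLE = b"\x7fELF\x02\x01\x01" + b"\x00" * 9

SAMPLES = [
    ("holiday.jpg", "image/jpeg", JFIF_SAMPLE),            # consistent
    ("holiday", "image/jpeg", JFIF_SAMPLE),                # no extension: magic alone decides
    ("holiday.jpg", "image/jpeg", MZ_SAMPLE),              # renamed .exe
    ("logo.gif", "image/png", PNG_SAMPLE),                 # extension disagrees with type
    ("logo.png", "image/PNG; name=logo.png", PNG_SAMPLE),  # parameters stripped, case folded
    ("tool", "application/octet-stream", ELF_SAMPLE),      # no rules: cannot verify
]

if __name__ == "__main__":
    for name, mime, data in SAMPLES:
        verdict, reason = check_attachment(name, mime, data)
        print(f"{name:12} {mime:28} -> {verdict:8} {reason}")
```

The three outcomes map onto what Vincenzo proposes for config.xml: "reject" is the IsMalformed case that should be acted on before any A/V verdict, "unknown" leaves the decision to the configured policy, and "accept" means the attachment can still go to the scanner but has passed the cheap structural check first.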