Full Disclosure mailing list archives

Re: Backdoor not recognized by Kaspersky
From: Cael Abal <lists2 () onryou com>
Date: Wed, 03 Mar 2004 12:58:56 -0500


> Cael...take a more sensible approach...no password parsing to scan
> needed...have the AV/mail gateways stop any zip with any executable
> inside. You don't need to use the password to see that there is an
> .exe/.scr/.com/.whatever inside a zip.  You see it, you nuke the zip.
> If your policies allow zipped executables to meander through your mail
> system as long as they pass a virus scan, you must have damned busy
> 0-days.  This ain't complicated...at all.

Hi Bart,

Interesting suggestion but I'm not prepared to arbitrarily kill any
zipped executable (even just those which have been passworded).  I'm
just not comfortable with the false positives.

Historically, passworded .zip files have been the only remotely
acceptable way to e-mail executables.  I'm hesitant to give that up.

I'd still rather allow all passworded .zips and rely on the client's AV
to nab it.

take care,




Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
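Bart's point, that a gateway can see what is inside a password-protected zip without knowing the password, follows from the format itself: traditional PKWARE encryption (ZipCrypto) scrambles only each entry's data, while the local headers and the central directory, with every filename, size and CRC, stay in the clear. The Python below is an added example, not code from either poster. It builds a small ZipCrypto-encrypted archive from constructed sample data (the cipher is implemented inline so the script runs offline), then inspects it the way a mail gateway could: it lists the entries and applies a suffix policy without the password, and confirms that the data itself really is unreadable without it. The password, the sample entries, the blocked-suffix list and all function names are the example's own.

```python
"""Added example, not code from the thread: a ZipCrypto archive's central directory names every entry."""
import io
import struct
import zipfile
import zlib
from pathlib import PurePosixPath

# CRC-32 table (polynomial 0xEDB88320); ZipCrypto's key schedule is built on it.
_CRC_TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    _CRC_TABLE.append(c)


class ZipCryptoEncryptor:
    """Traditional PKWARE stream cipher (APPNOTE section 6.1), encrypt direction."""
    def __init__(self, password: bytes):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self._update(b)

    def _update(self, byte: int) -> None:
        self.k0 = (self.k0 >> 8) ^ _CRC_TABLE[(self.k0 ^ byte) & 0xFF]
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = (self.k2 >> 8) ^ _CRC_TABLE[(self.k2 ^ (self.k1 >> 24)) & 0xFF]

    def encrypt(self, plaintext: bytes) -> bytes:
        out = bytearray()
        for c in plaintext:
            t = (self.k2 | 2) & 0xFFFF
            out.append(c ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(c)  # the key schedule advances on the plaintext byte
        return bytes(out)


def build_encrypted_zip(entries: dict, password: bytes) -> bytes:
    """Write a stored (method 0) zip whose every entry is ZipCrypto-encrypted."""
    body, central = io.BytesIO(), io.BytesIO()
    dos_time, dos_date = 0, 0x21  # 1980-01-01 00:00:00, fixed for reproducibility
    for name, data in entries.items():
        crc = zlib.crc32(data) & 0xFFFFFFFF
        # 12-byte encryption header; byte 11 is the CRC's high byte, so a decryptor
        # can reject a wrong password before it reads the data.
        payload = ZipCryptoEncryptor(password).encrypt(bytes(11) + bytes([crc >> 24]) + data)
        name_b, offset = name.encode("ascii"), body.tell()
        body.write(struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, 1, 0, dos_time, dos_date,
                               crc, len(payload), len(data), len(name_b), 0) + name_b + payload)
        central.write(struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, 1, 0, dos_time,
                                  dos_date, crc, len(payload), len(data), len(name_b),
                                  0, 0, 0, 0, 0, offset) + name_b)
    cd_offset, cd = body.tell(), central.getvalue()
    body.write(cd + struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries), len(entries),
                                len(cd), cd_offset, 0))
    return body.getvalue()


# Gateway policy for this example only: entries with these suffixes are refused.
BLOCKED_SUFFIXES = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def list_entries(zip_bytes: bytes) -> list:
    """(name, size, crc, encrypted) per entry, read from the central directory alone."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [(i.filename, i.file_size, i.CRC, bool(i.flag_bits & 0x1)) for i in zf.infolist()]


def blocked_names(zip_bytes: bytes) -> list:
    """Entry names the gateway would refuse; no password is needed to decide."""
    return [name for name, _, _, _ in list_entries(zip_bytes)
            if PurePosixPath(name).suffix.lower() in BLOCKED_SUFFIXES]


def read_entry(zip_bytes: bytes, name: str, password: bytes = None) -> bytes:
    """Extract one entry's data; zipfile raises RuntimeError without the password."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.read(name, pwd=password)


def needs_password(zip_bytes: bytes, name: str) -> bool:
    """True when the entry cannot be extracted without a password."""
    try:
        read_entry(zip_bytes, name)
        return False
    except RuntimeError:
        return True


# Constructed sample: a double-extension executable and a decoy text file.
SAMPLE_PASSWORD = b"infected"
SAMPLE_ENTRIES = {"invoice.pdf.exe": b"MZ" + bytes(30) + b"not a real program",
                  "readme.txt": b"Please open the attached invoice.\n"}
SAMPLE_ZIP = build_encrypted_zip(SAMPLE_ENTRIES, SAMPLE_PASSWORD)

if __name__ == "__main__":
    print(list_entries(SAMPLE_ZIP), blocked_names(SAMPLE_ZIP), needs_password(SAMPLE_ZIP, "readme.txt"))
```

Running it lists both entries, their true sizes and CRCs, and the encrypted flag, then reports "invoice.pdf.exe" as blocked, all without the password; only read_entry needs it. The caveat that sits between Bart's and Cael's positions is that the decision is name-based by necessity: the MZ header is under the cipher, so a renamed executable passes and an innocent file with an unlucky suffix is refused. The same holds for WinZip's AES mode, which also leaves entry names in the clear; only containers that encrypt their own headers hide what they carry.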

