Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Multiple AV Vendors ignoring tar.gz archives
From: Barrie Dempster <barrie () reboot-robot net>
Date: Sat, 05 Feb 2005 18:40:04 +0000

On Sat, 2005-02-05 at 13:20 -0500, Paul Laudanski wrote:
Are you finding that certain AVs are not actually checking the contents of 
the tarballs?  I find in using nod32lms it does deep dive and checks each 
file.  Please note that one must configure the nod32.cfg file to permit 
opening tarballs and other archives for inspection.

I didn't configure the AV's I didn't fancy installing all of them and
thought virus total would give a good indication. It appears from the
virustotal results and from http://www.nod32.com/products/nt.htm that
nod32 will scan and detect tar.gz's but not bz2's. This is the most
common result and could be argued to be valid by the vendors. 

However you can open tar.bz2's on windows so it's still a valid
infection vector, although probably not all that useful for viruses. I
don't believe many users will go googling for the tools needed.
Nonetheless at least a few of the vendors think it's necessary to go
beyond the common zip and rar.

With Regards..
Barrie Dempster (zeedo) - Fortiter et Strenue

blog: http://zeedo.blogspot.com
site: http://www.bsrf.org.uk

[ gpg --recv-keys --keyserver www.keyserver.net 0x96025FD0 ]

Attachment: signature.asc
Description: This is a digitally signed message part

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]