Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Multiple AV Vendors ignoring tar.gz archives
From: Barrie Dempster <barrie () reboot-robot net>
Date: Sun, 06 Feb 2005 08:42:09 +0000

On Sun, 2005-02-06 at 11:15 +1300, Nick FitzGerald wrote: (a very well
worded reply)

However your reply seemed to focus on the desktop client as if that was
my primary focus. I know that results on virustotal use desktop
scanners, but I used it to gain an indication of how scanners in general
handle the files. The real point is the gateway, which you agree with me

As I stated.
"The point being in order to ensure your email scanning solution is
performing adequately check that it does indeed scan archives other than
plain zip files."

I really should have installed multiple email gateways and tested them,
but to be honest it was more work than was worth doing on something that
is relatively trivial, but still an issue that may need to be addressed.

When it comes to desktop scanners, most of them have a deep scan option,
in my opinion the deep scan should indeed scan archives other than the
most common otherwise it's redundant code. I personally don't want to
trust one part of the scanning engine on the desktop for protection,
there are multiple reasons that can fail.

Files should be scanned at the gateway, at the workstations and at the
file-server. If your network relies on the "on access" scan only, you
are risking network integrity on a single point of failure, desktop on
access scanner fails and you are infected. The AV companies obviously
agree with me that's why they have gateway, on-access and sweep scans.
if you check their websites or install instructions they invariably
instruct you to schedule a scan AND run the on-access scanner. Also half
the products on virustotal do infact have tar.gz capability in their
products so I'm not alone in my belief that this should be supported.
On-Access isn't a single solution to the problem, although it's a very
good _last line of defense_.

I do agree with your feature bloat argument, finding the balance between
good functionality and bloat to the point of instability is not often
easy. However most virus companies agree they should scan files in all
formats they've seen viruses in and they do offer deep scanning, the
deep scan should err.... scan deep.

Thanks for your reply Nick your points are indeed all valid arguments
against uncommon archive support in desktop scanners. I still believe
however that support for these formats could become necessary and should
be in AV products at all checkpoints.

I don't believe in belt and braces. Belt, braces and super glue at the
bare minimum :-P

With Regards..
Barrie Dempster (zeedo) - Fortiter et Strenue

blog: http://zeedo.blogspot.com
site: http://www.bsrf.org.uk

[ gpg --recv-keys --keyserver www.keyserver.net 0x96025FD0 ]

Attachment: signature.asc
Description: This is a digitally signed message part

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]