On Wed, 04 Feb 2004 at 9:35:07 -0600, Tom Walsh wrote:
> I saw an article on bugtraq today that discussed an interesting vectored
> attack against anti-virus software and was curious if any type of checks
> were in place for clamav.
>
> Basically a decompression bomb is a zero padded file of extreme size
> (100GB) that is compressed using bzip, gzip, zip, etc... The resulting
> compressed file is rather small (69KB) so it will make it through a file
> size window and be passed to the anti-virus program. When the anti-virus
> program tries to uncompress the file, it overflows the bounds of the
> software causing it to crash. Rather interesting "attack".
>
> The link for more information about the attacks and the software that
> they tested it against (clamav was not included, to the best of my
> knowledge):
>
> http://www.aerasec.de/security/advisories/decompression-bomb-vulnerability.html
>
> Just wanted some feedback from the developers if this is something we
> need to take a look at.
>
> Tom Walsh
> Network Administrator
> http://www.ala.net/

I saw that article. At least some of the tests are passed by Clamav OK, at
least as I checked some time ago. I haven't had time to repeat it now and
check the rest of them.

You are welcome to crash-test Clamav and report the result here :-).

-- 
 Tomasz Papszun   SysAdm @ TP S.A. Lodz, Poland  | And it's only
 [EMAIL PROTECTED]   http://www.lodz.tpsa.pl/     | ones and zeros.
 [EMAIL PROTECTED]   http://www.ClamAV.net/       A GPL virus scanner
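
The kind of check the thread asks about, as an added example (not ClamAV code and not written by either poster): a scanner decompresses in bounded steps and stops as soon as the output passes an absolute size limit or an expansion-ratio limit, so it never holds the full expanded file. The function names and the 1 MiB and 100:1 limits are assumptions chosen for illustration.

```python
import bz2
import gzip
import zlib

class DecompressionLimitExceeded(Exception):
    """The stream would expand past a configured limit."""

def _new_decompressor(data):
    # Choose a streaming decompressor from the magic bytes (gzip and bzip2 only).
    if data[:2] == b"\x1f\x8b":
        return zlib.decompressobj(16 + zlib.MAX_WBITS)  # 16 + 15 selects the gzip wrapper
    if data[:3] == b"BZh":
        return bz2.BZ2Decompressor()
    raise ValueError("unsupported container")

def bounded_decompress(data, max_output=1 << 20, max_ratio=100, step=64 * 1024):
    """Produce at most `step` bytes per call and stop when a limit is crossed."""
    d = _new_decompressor(data)
    is_zlib = hasattr(d, "unconsumed_tail")
    out = bytearray()
    pending = data
    while True:
        piece = d.decompress(pending, step)  # second argument caps this call's output
        out += piece
        if len(out) > max_output:
            raise DecompressionLimitExceeded(f"output exceeds {max_output} bytes")
        if len(out) > max_ratio * len(data):
            raise DecompressionLimitExceeded(f"expansion ratio exceeds {max_ratio}:1")
        if d.eof:
            return bytes(out)
        # zlib hands back unread input; bz2 keeps it buffered internally.
        pending = d.unconsumed_tail if is_zlib else b""
        if not piece and not pending:
            raise ValueError("truncated stream")

def verdict(data):
    # "scan" means the content fits the limits and can be passed to the scanner.
    try:
        bounded_decompress(data)
        return "scan"
    except DecompressionLimitExceeded as exc:
        return f"reject: {exc}"

if __name__ == "__main__":
    # Constructed samples: ordinary text, and 8 MiB of zero bytes as in the quoted description.
    text = b" ".join(str(i).encode() for i in range(2000))
    zeros = bytes(8 << 20)
    for name, blob in [("text.gz", gzip.compress(text)), ("zeros.gz", gzip.compress(zeros)),
                       ("zeros.bz2", bz2.compress(zeros))]:
        print(name, len(blob), verdict(blob))
```

A ratio limit alone can reject legitimate, highly repetitive files, which is why the absolute output limit is checked as well.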