> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf
>
> This new infection method is likely to drive us nuts. This
> is the password-less workaround I've come up with and your
> input is appreciated.
> The unix unzip output looks like so:
>
> $ uvscan -lv virus.zip
> Archive:  TextDocument.zip
>  Length   Method    Size  Ratio   Date    Time   CRC-32    Name
> --------  ------  ------- -----   ----    ----   ------    ----
>    21150  Stored    21150   0%  03-01-04  19:33  7ac0095f  hifrm.scr
> --------          -------  ---                            -------
>    21150            21150   0%                            1 file
>
> Fortunately we can get the file crc w/o actually extracting
> the file.
> Can zip file crc's count as sigs? A quick/crude perl hack to
> test for this at the MTA seems to work pretty well:
> <---SNIP--->
> Suggestions? There are really easy ways for the virus writer
> to circumvent this type of check but until they start
> utilizing such strategies, is it possible to include the
> zip's crc into ClamAV's sigs?

I'd say that if you're doing that you want to include the other key information, namely the size and the compression ratio. That way the chances of a collision are minimal (the odds are reasonable that there is another zip file with a single file that has the same CRC, the odds decrease however if you also use the size and compression ratio).

--
PLEASE - keep list traffic on the list. Don't CC or send me mail directly.
Rob MacGregor (BOFH)
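
The check discussed in this thread, as an added example that is not part of either message: it reads each member's CRC-32, size, compressed size and method from the zip directory without extracting anything, and compares a CRC-only match with a match on all four fields. Python's standard `zipfile` module is an assumption (the original Perl was snipped), and every name, the payload and the look-alike entry are constructed.

```python
import io
import zipfile
import zlib
from typing import NamedTuple


class Fingerprint(NamedTuple):
    crc32: int            # CRC-32 of the uncompressed member
    size: int             # uncompressed length
    compressed_size: int  # together with size, gives the ratio column
    method: int           # 0 = Stored, 8 = Deflated


def fingerprints(zip_bytes):
    """Read member metadata from the zip directory; nothing is extracted."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [Fingerprint(i.CRC, i.file_size, i.compress_size, i.compress_type)
                for i in zf.infolist() if not i.is_dir()]


def crc_only_hit(fp, sigs):
    """Match on the CRC-32 alone, as proposed in the original message."""
    return any(fp.crc32 == s.crc32 for s in sigs)


def full_hit(fp, sigs):
    """Match on CRC-32, size, compressed size and method, as the reply suggests."""
    return fp in sigs


def scan(zip_bytes, sigs):
    """True if any member matches a signature on all four fields."""
    try:
        return any(full_hit(fp, sigs) for fp in fingerprints(zip_bytes))
    except zipfile.BadZipFile:
        return False  # not a zip: leave it to the other scanners


def build_zip(name, payload, method=zipfile.ZIP_STORED):
    """Build a one-member archive in memory (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", method) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


# Constructed sample: harmless bytes standing in for the attachment payload.
PAYLOAD = b"constructed sample payload\n" * 100
SIGS = {Fingerprint(zlib.crc32(PAYLOAD), len(PAYLOAD), len(PAYLOAD), zipfile.ZIP_STORED)}
# Constructed unrelated member that shares only the CRC-32 with the signature.
LOOKALIKE = Fingerprint(zlib.crc32(PAYLOAD), 4096, 1200, zipfile.ZIP_DEFLATED)
```

The fingerprint leaves out the member name on purpose, so the same stored payload matches whatever the attachment is called.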