On Tue, 02 Mar 2004 at 18:24:27 -0700, Charlie Watts wrote:

> Clearly the virus DB maintainers are inundated with password-protected
> .zip files with viruses inside.

Indeed :-( .

> I think I understand the technical impossibility of making a signature for
> these - the .zip header is the same, and then the filenames inside are
> randomized, as is the password, and thus the encrypted body has nothing
> recognizable - so there isn't anything available to make a signature off
> of.

That's right.

> We don't want to waste your time submitting these - would it be useful to
> put a comment on the virus submission page that you just don't want these?

It's not so obvious, unfortunately. We don't want to simply reject
encrypted zip files. Without actually unzipping a password-protected zip
file, one can't say if it's just another, already detected, Worm.Bagle.F,
or another, new variant of Bagle (and these occur frequently! - the latest
(Worm.Bagle.J) was this night).

WE ASK USERS TO NOT SUBMIT naked zip files IF their contents are DETECTED
as infected by ClamAV AFTER UNZIPPING. It's an utter waste of our time,
which results in delays in processing really significant samples!
But it seems that users don't understand this :-((( .

> I see that there have been a few rejected, stating that you'd need the
> *complete* E-mail - are you looking for other characteristics of the
> complete E-mail message, something not specifically tied to the
> attachment?

If a message isn't _yet_ detected as infected with Worm.Bagle.F-zippwd*,
we may need it for seeing possible new ways of including encrypted zip
files in virus email messages.

-- 
 Tomasz Papszun   SysAdm @ TP S.A. Lodz, Poland  | And it's only
 [EMAIL PROTECTED]   http://www.lodz.tpsa.pl/   | ones and zeros.
 [EMAIL PROTECTED]   http://www.ClamAV.net/   A GPL virus scanner
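What a zip archive still reveals without its password, as an added example (not part of the original message and not ClamAV code): the parser below reads the central directory, reports which members have the encryption flag set, and tells a submitter whether the archive has to be unpacked with its password before its contents can be scanned. The function names, the sample file name and the payload are constructed for illustration, and on the sample only the flag bit is set; its body is not really encrypted.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"  # end of central directory record
CDH_SIG = b"PK\x01\x02"   # central directory file header
PAYLOAD = b"constructed payload"  # constructed sample content

def list_entries(data):
    """Read the central directory; needs no password and no decompression."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record: not a zip")
    count, _cd_size, pos = struct.unpack_from("<HII", data, eocd + 10)
    entries = []
    for _ in range(count):
        if data[pos:pos + 4] != CDH_SIG:
            raise ValueError("corrupt central directory")
        flags, method = struct.unpack_from("<HH", data, pos + 8)
        usize, nlen, xlen, clen = struct.unpack_from("<IHHH", data, pos + 24)
        name = data[pos + 46:pos + 46 + nlen].decode("cp437")
        # Bit 0 of the general-purpose flags marks an encrypted member.
        entries.append({"name": name, "encrypted": bool(flags & 0x1),
                        "method": method, "size": usize})
        pos += 46 + nlen + xlen + clen
    return entries

def triage(data):
    """Decide how an archive can be checked before it is submitted."""
    locked = [e["name"] for e in list_entries(data) if e["encrypted"]]
    # Encrypted members offer nothing to match a signature against: the
    # archive must be unpacked with its password and the files scanned.
    return "unpack-with-password-then-scan" if locked else "scan-as-is"

def make_sample(encrypted):
    """Constructed one-member archive; optionally set only the flag bit."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("qwrtxz.exe", PAYLOAD)  # constructed, random-looking name
    raw = bytearray(buf.getvalue())
    if encrypted:
        raw[6] |= 0x1                      # flags in the local file header
        raw[raw.find(CDH_SIG) + 8] |= 0x1  # flags in the central directory
    return bytes(raw)

if __name__ == "__main__":
    for sample in (make_sample(True), make_sample(False)):
        print(list_entries(sample), "->", triage(sample))
```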