I'm not sure on the status of clamav and its ability to block the new encrypted-zip Bagle variant(s?), but through the grapevine we've heard of a fairly simple way of stopping all of these. I don't have all the details, but it seems the archives are actually flagged as "zip 1.0," whereas most software these days produces "zip 2.0" archives. So we have a regexp to block on:

/^UEsDBAoAAAAAA/

Again, foggy on the details, but apparently encrypted 1.0's are off by another byte:

/^UEsDBAoAAQAAA/

Blocking on these two regexps should block the virus, AFAIK. We've blocked 20 in the past 10 or so minutes.

Bottom line, what's clamav's current take on this one? Is there some way we can just drop all protected archives outright?

Thanks,
John

--
John Madden
UNIX Systems Engineer
Ivy Tech State College
[EMAIL PROTECTED]
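To show what those two base64 prefixes actually pin down, here is an added Python illustration (my own code, not from the post or from ClamAV): it decodes each prefix back into the zip local file header fields (version needed, general-purpose flags, compression method) and runs the same two patterns over constructed sample headers. The signature names and helper functions are assumptions for the example; the only inputs taken from the post are the two regexps.

```python
import base64
import re
import struct

# The two prefixes from the post, applied to the first line of a base64-encoded
# MIME body (the attachment is a zip whose first bytes are the local file header).
SIGNATURES = {
    "zip1.0-plain": re.compile(r"^UEsDBAoAAAAAA"),
    "zip1.0-encrypted": re.compile(r"^UEsDBAoAAQAAA"),
}

ZIP_LOCAL_SIG = b"PK\x03\x04"  # zip local file header signature


def decode_header_prefix(b64_prefix: str) -> dict:
    """Decode which local-header fields a base64 prefix fixes.
    Bits the prefix leaves unconstrained are taken as zero (padded with 'A')."""
    padded = b64_prefix + "A" * (-len(b64_prefix) % 4)
    raw = base64.b64decode(padded)
    if len(raw) < 10 or raw[:4] != ZIP_LOCAL_SIG:
        raise ValueError("prefix is not a zip local file header")
    # Three little-endian uint16 fields follow the 4-byte signature.
    version_needed, flags, method = struct.unpack("<HHH", raw[4:10])
    return {
        "version_needed": version_needed,   # 10 -> "zip 1.0", 20 -> "zip 2.0"
        "encrypted": bool(flags & 0x0001),  # bit 0 of the general-purpose flags
        "method": method,                   # 0 = stored, 8 = deflated
    }


def classify_base64_body(body: str):
    """Return the name of the signature the body's first line matches, or None."""
    first_line = body.lstrip().split("\n", 1)[0]
    for name, pattern in SIGNATURES.items():
        if pattern.match(first_line):
            return name
    return None


def make_sample_body(version_needed: int, flags: int, method: int) -> str:
    """Constructed sample: a 30-byte zip local file header with the given fields
    and zeroed time, CRC, sizes and name lengths, base64-encoded like a MIME part."""
    header = struct.pack("<4sHHHHHIIIHH", ZIP_LOCAL_SIG, version_needed, flags,
                         method, 0, 0, 0, 0, 0, 0, 0)
    return base64.b64encode(header).decode("ascii")


if __name__ == "__main__":
    for name, pattern in SIGNATURES.items():
        print(name, decode_header_prefix(pattern.pattern.lstrip("^")))
    # Caveat for the filter: a zip 2.0 encrypted, deflated archive matches neither.
    print("zip 2.0 sample:", classify_base64_body(make_sample_body(20, 1, 8)))
```

Decoding shows the second prefix differs from the first only in the encryption bit of the flags word; both also require "version needed" = 1.0 and the stored (uncompressed) method, so the check is deliberately narrow and an archive written as zip 2.0 or with deflate passes it untouched.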