> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Bart
> Silverstrim
> Sent: Thursday, April 15, 2004 9:55 AM
> To: [EMAIL PROTECTED]
> Subject: [Clamav-users] revisit question about passworded zips
>
>
> I've seen this batted back and forth for awhile about the bagle
> variants that use password-protected ZIPs and detecting them; I gleaned
> a bit of ambiguity in the answers because at the time the answer always
> seemed to be "Yes it detects it" (zips or passworded zips?), no it
> doesn't (nothing scans inside zips), or "yes it does in the latest CVS
> version..."
>
> Sooo my question is that at this point, does clamav have the ability to
> pick up the passworded zip file sent by a specific bagle variant, while
> passing others along undetected?  The testvirus.org password protected
> zip gets through :-( So I wondered if just the bagle virus with the
> passworded zip has a specific signature attached.
>

My understanding of it is that the password protected zip files are detected
by a signature of the message with the file attached.  Of course the virus
cannot be detected by the virus itself because it is in a password
protected zip.  This is why the password protected zip test from
testvirus.org gets through.  There is no signature in the clamav database
for this file.  If you want to block ALL password protected zips you can do
so using the --detect-encrypted parameter. (I believe .070rc+)

So I guess the answer is: yes it detects it, but not by scanning inside the
zip file.

Jim
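
An added example, not part of the original thread and not ClamAV's code: a ZIP entry's headers carry an "encrypted" flag (general-purpose bit 0) that can be read without the password, which is why an archive can be flagged as encrypted even though its contents cannot be scanned. The `verdict` policy and the sample archives are constructed for illustration.

```python
import io
import struct
import zipfile

ENCRYPTED = 0x0001  # general-purpose flag bit 0 in the ZIP format: entry is encrypted


def encrypted_members(data: bytes) -> list[str]:
    """Names of entries whose central-directory header declares encryption.

    Nothing is decompressed or decrypted, so no password is needed.
    Raises zipfile.BadZipFile if data is not a ZIP archive.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [zi.filename for zi in zf.infolist() if zi.flag_bits & ENCRYPTED]


def verdict(data: bytes) -> str:
    """Hypothetical gateway policy: 'block' any archive with an encrypted entry."""
    try:
        return "block" if encrypted_members(data) else "scan-contents"
    except zipfile.BadZipFile:
        return "not-a-zip"


def _plain_zip(name: str, body: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, body)
    return buf.getvalue()


def _mark_encrypted(data: bytes) -> bytes:
    """Constructed sample: set flag bit 0 in the local and central headers.

    The payload is not really encrypted; only the header bits a scanner
    inspects are changed.
    """
    out = bytearray(data)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = out.find(sig) + off
        (flags,) = struct.unpack_from("<H", out, pos)
        struct.pack_into("<H", out, pos, flags | ENCRYPTED)
    return bytes(out)


PLAIN = _plain_zip("readme.txt", b"constructed sample body")
LOCKED = _mark_encrypted(PLAIN)

if __name__ == "__main__":
    for label, blob in (("plain", PLAIN), ("locked", LOCKED), ("junk", b"not a zip")):
        print(label, verdict(blob))
```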


