On Wed, Jul 27, 2005 at 03:07:57PM -0500, Noel Jones wrote:
> Recent clamav (0.86.2, probably some earlier versions) should detect
> modified zips as "Exploit.Zip.ModifiedHeaders"
> The detection is built into the unzip code, there isn't an actual signature.
>
> If your zip file is hacked "correc
On Wed, Jul 27, 2005 at 12:54:30PM -0700, [EMAIL PROTECTED] wrote:
> q# wrote:
> > Wrong signature format: zmd != ndb
>
> Alright - where's the documentation of the zmd database format?
>
> Does sigtool --list-sigs | grep "Zip.Empty" have any output? That should at
> least verify whether the si
At 02:54 PM 7/27/2005, [EMAIL PROTECTED] wrote:
q# wrote:
> Wrong signature format: zmd != ndb
Alright - where's the documentation of the zmd database format?
Does sigtool --list-sigs | grep "Zip.Empty" have any output? That should
at least verify whether the sig is being loaded.
Recent cla
q# wrote:
> Wrong signature format: zmd != ndb
Alright - where's the documentation of the zmd database format?
Does sigtool --list-sigs | grep "Zip.Empty" have any output? That should at
least verify whether the sig is being loaded.
--
Matthew.van.Eerde (at) hbinc.com 805.964.
On Wed, Jul 27, 2005 at 12:31:45PM -0700, [EMAIL PROTECTED] wrote:
> q# wrote:
> > $ echo 'Zip.Empty:0:*:0:0::0:1:1' > ./local/empty.zmd
>
> Checking the documentation:
> http://www.clamav.net/doc/latest/signatures.pdf
>
> This is the "Extended signature format"
>
> Zip.Empty - name of m
On Wed, Jul 27, 2005 at 08:13:15PM +0100, Matt Fretwell wrote:
> q# wrote:
>
> > Of course, but as you can see, I've created my own signature for empty
> > file in zip-file and it doesn't work.
>
> One might surmise, then, that you have not created it correctly?
Don't ask me, check it. If you f
q# wrote:
> $ echo 'Zip.Empty:0:*:0:0::0:1:1' > ./local/empty.zmd
Checking the documentation:
http://www.clamav.net/doc/latest/signatures.pdf
This is the "Extended signature format"
Zip.Empty - name of malware
0 - target type: 0 = any file
* - offset: * = any
0 - ?
0 - ?
- ?
0 -
q# wrote:
> Of course, but as you can see, I've created my own signature for empty
> file in zip-file and it doesn't work.
One might surmise, then, that you have not created it correctly?
Matt
___
http://lurker.clamav.net/list/clamav-users.html
On Wed, Jul 27, 2005 at 11:54:05AM -0700, [EMAIL PROTECTED] wrote:
> > So, It could be nice if clamav can block those files, but on my
> > -devel it
> > doesn't work:
> >
> > Can I say it's a bug?
>
> If I may suggest, corrupt .zip files (with unreasonable zip header values)
> should NOT be cons
q# wrote:
> On Wed, Jul 27, 2005 at 02:26:06PM -0400, Jim Maul wrote:
>> I believe the OP is referring to a new technique being used by virus
>> writers where the email has a zip attachment which APPEARS to be 0
>> bytes (in the zip header) but when uncompressed, the file is in fact
>> not 0 bytes.
On Wed, Jul 27, 2005 at 02:26:06PM -0400, Jim Maul wrote:
> I believe the OP is referring to a new technique being used by virus
> writers where the email has a zip attachment which APPEARS to be 0 bytes
> (in the zip header) but when uncompressed, the file is in fact not 0
> bytes. There was a
q# wrote:
On Wed, Jul 27, 2005 at 10:46:42AM -0700, [EMAIL PROTECTED] wrote:
Is there currently a work around to avoid this situation? Is anyone just
rejecting messages with a zip that has a zip header that says the file
size is Zero when uncompressed?
Could you be more specific, I don't und
On Wed, Jul 27, 2005 at 10:46:42AM -0700, [EMAIL PROTECTED] wrote:
> Is there currently a work around to avoid this situation? Is anyone just
> rejecting messages with a zip that has a zip header that says the file
> size is Zero when uncompressed?
Could you be more specific, I don't understand wh
Is there currently a work around to avoid this situation? Is anyone just
rejecting messages with a zip that has a zip header that says the file
size is Zero when uncompressed?
Thanks
Zach
Zachary Buckholz - Linux Administrator - GoDaddy.com
14455 North Hayden Road, Suite 226, Scottsdale, AZ 852
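
The check asked about in this thread (a zip whose headers declare an uncompressed size of zero while the entry actually carries data), sketched as an added example that is not part of any message above and is not ClamAV's implementation. It generalizes slightly to any deflated entry that inflates to more bytes than its headers declare; the function names, the 1 MiB inflate cap and the sample archive are assumptions constructed for illustration.

```python
import io
import struct
import zipfile
import zlib

LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")  # fixed 30-byte local file header
MAX_INFLATE = 1 << 20  # assumed cap on bytes inflated per entry (zip-bomb guard)

def undersized_entries(data, limit=MAX_INFLATE):
    """Return (name, local_size, central_size, inflated_size) for each deflated
    entry that inflates to more bytes than its headers declare."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            off = info.header_offset
            sig, _, flags, method, _, _, _, _, local_size, nlen, elen = \
                LOCAL_HDR.unpack_from(data, off)
            # Skip encrypted (bit 0) and non-deflate entries: not raw deflate data.
            if sig != b"PK\x03\x04" or flags & 0x1 or method != zipfile.ZIP_DEFLATED:
                continue
            start = off + LOCAL_HDR.size + nlen + elen
            try:
                # Inflate the raw stream ourselves instead of trusting the headers.
                inflated = len(zlib.decompressobj(-15).decompress(data[start:], limit))
            except zlib.error:
                continue  # corrupt stream: out of scope for this size check
            declared = [info.file_size]
            if not flags & 0x8:  # bit 3 set: local size field is legitimately 0
                declared.append(local_size)
            if inflated > min(declared):
                findings.append((info.filename, local_size, info.file_size, inflated))
    return findings

def build_sample(zero_sizes):
    """Constructed test archive; optionally zero both uncompressed-size fields."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payload.txt", b"constructed sample data\n" * 8)
    raw = bytearray(buf.getvalue())
    if zero_sizes:
        raw[22:26] = bytes(4)              # local header uncompressed size
        cd = raw.rfind(b"PK\x01\x02")      # the single central directory record
        raw[cd + 24:cd + 28] = bytes(4)    # central directory uncompressed size
    return bytes(raw)

if __name__ == "__main__":
    for label, zeroed in (("clean", False), ("zeroed", True)):
        print(label, undersized_entries(build_sample(zeroed)))
```
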