[Avcheck] avcache announcement

Michael Tokarev mjt@tls.msk.ru
Thu, 14 Mar 2002 21:24:24 +0300


Felix von Leitner wrote:
[]
> A guy told me yesterday that Outlook will even accept malware in the
> HEADER of an email (i.e. Subject: duh begin 655 virus.exe<CR>...).
> Is that true?  If so, avcache needs to be smarter than it currently is.

BTW, in order to detect such "virus" in header, virusscanner should
be able to detect it first.

Also, there are numerous possible funny things to play with headers.
E.g. long headers that cause buffer-overflows in MUAs etc (remember
sendmail's protection against long headers?).

How about possible problems in virusscanner itself?  For example, drweb
had a problem with long filenames in attachments before 4.27b version.
NOT a buffer-overflow but drwebd refused to scan such messages.  I don't
know, and in fact no one knows how other antiviruses (and other code paths
of the same antivirus) work -- no audit was done...  For drweb, I feel
almost safe, but I'll NEVER be at all sure about avp.  With various steps
already made to protect rest of system from "crazy virusscanner" (chroot,
least privs etc) this isn't a big problem (btw, some resource limits like
maxmem and disk quota will be helpful here), but how to detect such
situations from virusscanner's client's point of view, and how to react
to such situations?  Mind you, sometimes for whatever reason virusscanner
returns "0 clean" for infected mails!  -- especially avp likes to do so
in case of any problem/error it encounters...  (yet another way for exploit --
any resource limits may be used here as well; but again, any new virus
should be known to antivirus before it may be detected).

> Felix

Regards,
 Michael.
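
Added example, not part of the original message and not avcheck's code: one way a scanner client can fail closed, running the scanner under resource limits, mapping every crash, timeout or unknown exit code to a temporary failure, and trusting "clean" only while the scanner still flags a known test sample. The exit-code convention (0 = clean, 1 = infected), the canary string and the function names are assumptions; a canary catches a scanner that answers "clean" for everything, not a silent failure on one particular message.

```python
import resource
import subprocess

# Assumed exit-code convention of the hypothetical scanner command:
# 0 = clean, 1 = infected; every other outcome is treated as a failure.
CLEAN, INFECTED = 0, 1
CANARY = b"X-CONSTRUCTED-TEST-SIGNATURE"  # stand-in for the vendor's test sample

def _limit(res, value):
    # Never ask for more than the hard limit we already run under.
    hard = resource.getrlimit(res)[1]
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)
    resource.setrlimit(res, (value, value))

def _confine():
    # Runs in the child just before exec: cap memory, file size, core dumps.
    _limit(resource.RLIMIT_AS, 256 << 20)
    _limit(resource.RLIMIT_FSIZE, 64 << 20)
    _limit(resource.RLIMIT_CORE, 0)

def run_scanner(argv, message, timeout=30.0):
    """Feed message on stdin; return 'clean', 'infected' or 'tempfail'."""
    try:
        proc = subprocess.run(argv, input=message, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout,
                              preexec_fn=_confine)
    except (subprocess.SubprocessError, OSError):
        return "tempfail"          # timeout, exec failure, limit setup failure
    if proc.returncode == INFECTED:
        return "infected"
    if proc.returncode == CLEAN:
        return "clean"
    return "tempfail"              # killed by signal or unknown exit code

def check_mail(argv, message, timeout=30.0):
    """Accept a 'clean' verdict only if the scanner still detects the canary."""
    if run_scanner(argv, CANARY, timeout) != "infected":
        return "tempfail"          # scanner is answering "clean" blindly
    return run_scanner(argv, message, timeout)
```

A "tempfail" result is meant to be turned into a temporary SMTP rejection or a quarantine, so the message is neither delivered unscanned nor lost.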