[Avcheck] big archives

Michael Tokarev mjt@tls.msk.ru
Mon, 17 Jun 2002 23:03:17 +0400


Max Kalika wrote:
[]
> > I think the best method for now is to ignore error return from
> > sophie/sophos -- until their software will be fixed.  That is, just treat
> > -1 return just like there is no viruses.
> 
> Is there a way to tell avcheck to ignore -1?  But more generally, this may
> not be a good idea since someone can just stuff gigabytes of zeros into an
> archive with the virus as the second file.  Sophie would return -1, and the
> message would go through.

That is the only error return code sophie uses.  Better yet (IMHO) is
to modify sophie for this, it should be trivial.  I.e. for *some* cases,
return e.g. -2.  But in fact, I don't think this is worth it.  About the
situation you described above - well, no single virus "in the wild" uses any
sort of archive format when spreading itself (.zip/.arj/.rar/whatever).
The only case this may happen is when some user *especially* sent such
email.  But the same user may use a different tactic, that is much
simpler and cleaner - use a password-protected .zip archive with the virus
inside.  "Special offer for you only.  Here is a program to make money
fast.  It is password-protected as it is very confidential, no one else
should be able to see it.  The password for the archive is qwe123."
There is nothing an antivirus can do with such email, unfortunately.

In order to make avcheck ignore the -1 code from sophie, one needs to change
its source code - it's trivial:

  /* r is the reply line read from sophie, p a scratch char pointer */
  if ((p = strchr(r, '\n')) != NULL)
    *p = '\0';                          /* strip the trailing newline */
  if (*r == '-')
    /* a leading '-' is sophie's error return ("-1"); instead of
       reporting it, treat it like "no virus found" */
    //err(0, "error in %s: return code %s", avname, r);
    return 0;
  if ((p = strchr(r, ':')) != NULL) {   /* "N:name" - a virus was found */

> > It's not "sophie support" in avcheck that is "weak", but sophos antivirus
> > is unable to handle mime/email format properly.
> 
> Actually, I put sophie/sophos through some tests and it has been pretty
> solid.

That may be.  Last time I checked (maybe half a year ago), sophos was
unable to handle attached .zip/etc archives.  But again, this isn't
a problem for *most* cases, and for 100% of current wild viruses.

/mjt
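The two policies argued about in this thread, as an added example that is not avcheck's or sophie's code: the same reply parsing as the snippet above, once with the proposed "treat -1 as clean" (fail-open) and once fail-closed, where a scanner error rejects or defers the message so a zero-stuffed archive cannot slip past unscanned. The reply format ("0" clean, "1:Name" infected, "-1:msg" error) is assumed from the snippet, not taken from sophie's documentation.

```c
/* Added example, not avcheck's own code.  Assumed sophie-style reply lines:
 *   "0\n"             clean
 *   "1:Virus.Name\n"  infected, virus name after the colon
 *   "-1:message\n"    scanner error (leading '-'), e.g. archive too large
 */
#include <stdio.h>
#include <string.h>

enum verdict { V_CLEAN, V_INFECTED, V_ERROR };

/* Classify one reply line.  Mirrors the checks in the snippet above:
 * a leading '-' is an error, a ':' marks an infected reply. */
enum verdict classify_reply(const char *r)
{
    if (*r == '-')
        return V_ERROR;
    if (strchr(r, ':') != NULL)
        return V_INFECTED;
    return V_CLEAN;
}

/* Copy the virus name (text after ':', newline stripped) into out.
 * Returns out, or NULL when the reply carries no name. */
const char *virus_name(const char *r, char *out, size_t outlen)
{
    const char *colon = strchr(r, ':');
    size_t n;
    if (classify_reply(r) != V_INFECTED || colon == NULL)
        return NULL;
    n = strcspn(colon + 1, "\n");
    if (n >= outlen)
        n = outlen - 1;
    memcpy(out, colon + 1, n);
    out[n] = '\0';
    return out;
}

/* Returns 1 to accept the message, 0 to reject/defer it.  fail_open=1
 * reproduces the "return 0 on '-'" change discussed above: an error
 * counts as "no virus".  fail_open=0 is the safer policy: a reply the
 * scanner could not produce is not a clean verdict, so the mail is held. */
int accept_message(const char *reply, int fail_open)
{
    switch (classify_reply(reply)) {
    case V_CLEAN:    return 1;
    case V_INFECTED: return 0;
    default:         return fail_open ? 1 : 0;   /* V_ERROR */
    }
}
```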