[Mimedefang] survey: dropping password protected file

Paul Whittney pwhittney at net.bacconsulting.com
Fri Mar 5 11:10:17 EST 2004


Just some comments; I hope these come across as polite thoughts, as I'm
not trying to shoot down the idea.

On Fri, Mar 05, 2004 at 02:42:27PM -0000, Clayton, Nik [IT] wrote:
> In re using Archive::Zip for zip file scanning.
> 
> I got the necessary sign off today, so here are the changes I've
> got planned.  Comments welcomed.

... [snip]

> my $BAD_FILENAMES = qr/(?:              # Non capturing grouping
>                           application|  # These are all nasty .zip files
>                           document|
>                           message|
>                           movie|
>                           myphoto|
>                           photos|
>                           pp-app|
>                           readnow|
>                           screensaver|
>                           wendy|
>                           your_details)\.zip
>                         /x;

Is it wise to have a static list of files? The next set of virus code that gets
written will start picking random words, or make sure that the file they use
isn't in any lists. (I know it'll catch all the old ones, but it seems that this
list will eventually grow, and then you may as well say all .zips are bad.)

And I still feel it's a lot of effort, and processing power, to decode and
check what zips come through. It might just be quicker to match on the base64-
encoded data, or the binary data, rather than temp files, sockets, or pipes.

I can see a point where the emails come in saying:
"You need to run the file we have sent, please save this file to disk,
rename setup.txt to setup.zip, double click on it, enter the password
12345, and run setup.exe".

Anyway, now I'm ranting... Sorry about that. Good luck in the coding.
-Paul Whittney
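A stand-alone illustration of the two approaches weighed in this message, added here as an example: it is not MIMEDefang's code, not Archive::Zip, and it is in Python rather than the Perl the filter itself would use. `base64_signatures` derives the three phase-dependent base64 spellings of a byte signature, which is what "matching on the base64 encoded data" needs so that the zip local-file header `PK\x03\x04` can be found in a still-encoded MIME body at any byte offset. `inspect_zip` takes the decode-and-look route: it recognises a zip by its magic bytes whatever the sender named the attachment (the "rename setup.txt to setup.zip" case), lists the members and flags password-protected ones through bit 0 of the general-purpose flag in each central-directory entry. The function names, the hand-built `build_zip` helper and the sample archive are constructed for this example; the filename list in `BAD_FILENAMES` is copied from the quoted post.

```python
import base64
import io
import re
import struct
import zipfile
import zlib

# Filename list copied from the quoted post. re.I is an addition here; like the
# original pattern this one is unanchored, so it is a substring match.
BAD_FILENAMES = re.compile(
    r"(?:application|document|message|movie|myphoto|photos|pp-app|readnow"
    r"|screensaver|wendy|your_details)\.zip", re.I)

ZIP_LOCAL_HEADER_MAGIC = b"PK\x03\x04"   # an empty archive carries only PK\x05\x06


def base64_signatures(sig):
    """Base64 text of `sig` for each of the three possible byte offsets mod 3.

    Base64 character j encodes stream bits 6j..6j+5.  With `sig` starting at
    byte offset k, only characters lying wholly inside the signature's bits are
    fixed; characters that also cover neighbouring bytes are dropped.
    """
    variants = []
    for k in range(3):
        padded = b"\x00" * k + sig + b"\x00\x00"   # pad so no '=' falls in range
        enc = base64.b64encode(padded).decode("ascii")
        first = -(-8 * k // 6)                   # ceil(8k / 6)
        last = (8 * k + 8 * len(sig)) // 6       # exclusive upper bound
        variants.append(enc[first:last])
    return variants


def encode_part(data, width=76):
    """Base64 a body the way a MIME encoder does: wrapped at 76 columns."""
    enc = base64.b64encode(data).decode("ascii")
    return "\n".join(enc[i:i + width] for i in range(0, len(enc), width))


def base64_contains(sig, encoded_body):
    """Match `sig` inside an undecoded base64 part, at any of the three phases.

    Line breaks are stripped first; otherwise a signature straddling a wrap
    point would be missed.
    """
    flat = re.sub(r"\s+", "", encoded_body)
    return any(v in flat for v in base64_signatures(sig))


def build_zip(members):
    """Hand-assemble a stored (uncompressed) zip from (name, data, encrypted).

    Constructed test data only.  For "encrypted" members just the flag bit is
    set and the payload is left in clear; the detector never reads the payload.
    """
    locals_, centrals, offset = [], [], 0
    for name, data, encrypted in members:
        name_b, flags = name.encode(), (0x0001 if encrypted else 0)
        crc = zlib.crc32(data) & 0xFFFFFFFF
        local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0,
                            crc, len(data), len(data), len(name_b), 0)
        locals_.append(local + name_b + data)
        centrals.append(struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20,
                                    flags, 0, 0, 0, crc, len(data), len(data),
                                    len(name_b), 0, 0, 0, 0, 0, offset) + name_b)
        offset += len(local) + len(name_b) + len(data)
    cd = b"".join(centrals)
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(members),
                       len(members), len(cd), offset, 0)
    return b"".join(locals_) + cd + eocd


def inspect_zip(data):
    """Decode-and-look: classify the attachment by its bytes, not by its name."""
    result = {"is_zip": False, "members": [], "encrypted": []}
    if not data.startswith(ZIP_LOCAL_HEADER_MAGIC):   # magic, not the sender's filename
        return result
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
    except zipfile.BadZipFile:
        return result
    result["is_zip"] = True
    for info in infos:
        result["members"].append(info.filename)
        if info.flag_bits & 0x0001:       # general-purpose bit 0: member is encrypted
            result["encrypted"].append(info.filename)
    return result


def is_bad_attachment_name(name):
    """The static list from the post: cheap, but it knows only what is on it."""
    return BAD_FILENAMES.search(name) is not None


if __name__ == "__main__":
    archive = build_zip([("readme.txt", b"hello", False),
                         ("setup.exe", b"MZ\x90\x00", True)])
    print(base64_signatures(ZIP_LOCAL_HEADER_MAGIC))    # ['UEsDB', 'BLAw', 'QSwME']
    print(base64_contains(ZIP_LOCAL_HEADER_MAGIC, encode_part(b"x" + archive)))
    print(inspect_zip(archive))
    print(is_bad_attachment_name("Your_Details.zip"), is_bad_attachment_name("report.zip"))
```

The three spellings come out as `UEsDB`, `BLAw` and `QSwME`; for a zip that is the whole attachment body only the first ever applies, the other two matter when the signature sits at an unknown offset inside an encoded stream. The decoded check costs the central-directory parse Paul is worried about, but it is the only one of the two that can tell a password-protected member from a plain one, and it is unaffected by whatever name the sender chose.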
