[Mimedefang] quick heads up: tampered zip passes viruscheck

Matthew.van.Eerde at hbinc.com Matthew.van.Eerde at hbinc.com
Fri Oct 22 05:35:03 EDT 2004


-----Original Message-----
From: Jan Pieter Cornet [mailto:johnpc at xs4all.nl]
This came by on the clamav mailinglist, and it went straight through
both of my virus scanners built into mimedefang:

http://www.xs4all.nl/~johnpc/eicar-hidden2.zip

It's a tampered .zip file which includes a copy of EICAR. You might
want to test how your virus scanners handle it. At least "zip" from
InfoZip unpacks it, albeit with a warning, producing a "real"
virus (EICAR).

It's possible to detect this with a bit of Archive::Zip prodding,
but it's too late for me to try that right now.

-- 

Good to know.  Secunia has reported this to be a problem for lotsa virus scanners.
That's why I love the fact that MIMEDefang has an action_quarantine.  I quarantine all .zip files, even if they pass a virus test.  (and .sit, .hqx, .z, .rar, .r21, etc...)

Matthew van Eerde
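
As an added example (not from the original thread or from MIMEDefang): a Python check in the spirit of the structural prodding mentioned in the quoted message, verifying that each member's local header, central directory entry and actual content agree. The thread does not say how the file was altered, so treating such disagreement as the tell is an assumption; `sample_zip` and `zip_inconsistencies` are hypothetical names, and ZIP64, encrypted and multi-disk archives are not handled.

```python
import io, struct, zipfile, zlib

def sample_zip() -> bytes:
    """Constructed, harmless sample: one deflated text member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("note.txt", "constructed sample text\n" * 4)
    return buf.getvalue()

def zip_inconsistencies(data: bytes) -> list:
    """Return reasons to distrust a ZIP; an empty list means every check passed."""
    eocd = data.rfind(b"PK\x05\x06")  # end-of-central-directory record
    if eocd < 0 or eocd + 22 > len(data):
        return ["no end-of-central-directory record"]
    count, _size, pos = struct.unpack_from("<HII", data, eocd + 10)
    problems = []
    for _ in range(count):
        if pos + 46 > len(data) or data[pos:pos + 4] != b"PK\x01\x02":
            return problems + ["central directory entry missing or truncated"]
        (_fl, method, _t, _d, crc, csize, usize,
         nlen, xlen, clen) = struct.unpack_from("<HHHHIIIHHH", data, pos + 8)
        lfh = struct.unpack_from("<I", data, pos + 42)[0]
        name = data[pos + 46:pos + 46 + nlen]
        label = name.decode("cp437")
        pos += 46 + nlen + xlen + clen
        if lfh + 30 > len(data) or data[lfh:lfh + 4] != b"PK\x03\x04":
            problems.append(f"{label}: no local header at recorded offset")
            continue
        (lflags, lmethod, _t, _d, lcrc, lcsize, lusize,
         lnlen, lxlen) = struct.unpack_from("<HHHHIIIHH", data, lfh + 6)
        if data[lfh + 30:lfh + 30 + lnlen] != name:
            problems.append(f"{label}: local and central names differ")
        # Flag bit 3 means sizes/CRC live in a trailing data descriptor instead.
        if not lflags & 0x08 and (lmethod, lcrc, lcsize, lusize) != (method, crc, csize, usize):
            problems.append(f"{label}: local header disagrees with central directory")
        if method not in (0, 8):  # only stored and deflate are verified here
            problems.append(f"{label}: method {method} not checked here")
            continue
        raw = data[lfh + 30 + lnlen + lxlen:][:csize]
        try:  # inflate output is bounded by the declared size + 1
            body = raw if method == 0 else zlib.decompressobj(-15).decompress(raw, usize + 1)
        except zlib.error:
            problems.append(f"{label}: compressed data does not inflate")
            continue
        if len(body) != usize or zlib.crc32(body) != crc:
            problems.append(f"{label}: content does not match declared size/CRC")
    return problems
```

A non-empty result is a reason to quarantine the attachment rather than trust a clean scan verdict.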

