The official final word in password protected zip virus detection is as follows:

1) If the password protected zip is always the same exact file, or one of a small fixed group of files, they can detect the virus.

2) If the password protected zip is randomly password protected, no virus scanner can see within it using the standard methods that all AV products use.

3) The products that detect these random variants are either:

a) Just simply detecting password protected zip files and considering them to all be viruses (Symantec SMTP Gateway)
b) Going one step further and banning password protected zip files only if they contain certain file types (Declude)
c) Creating completely new functionality to target this specific virus where the password string is retrieved from the message body and then used to unlock the file before scanning it (Kaspersky and BitDefender). The downside to this is that it took them 4 days to create this capability, and it will likely take a program update and a long turnaround for them to protect against future password protected zip files containing viruses, i.e. this is a one-time fix that targets one series of viruses.


The AV companies may be now selling this capability in a generic fashion, but it is in fact grandstanding in the face of being one-upped by the virus programmers. Even if they release this capability, it won't likely work on randomly generated password protected zip files when a command line scanner is used the way that Declude calls it. I suppose there is the possibility of modifying Declude to deliver the full source of the E-mail to a virus scanner like Kaspersky, but it's way too early to seriously look at that IMO as one virus doesn't make a trend.

I believe the preferred method of detection for these viruses is a heuristic approach which would determine the payload through a combination of text patterns and the presence of a password protected zip. This of course isn't foolproof, but it would work most of the time as long as you updated your pattern matching for the body text. If Declude Virus could do something like add a header or pass off a variable to Declude JunkMail identifying the presence of a password protected zip file, this could be done with a custom filter, or with patterns contained in a product like Sniffer. Note that not everyone uses both products on the same machine, or even in that order, so this isn't a universal implementation, and I'm not asking for it to happen either.

Matt



CompuLogics.Net Admin wrote:

Just an FYI Update for Declude Virus users that are using Network Associates
/ NAI / McAfee for their anti-virus component.  Apparently the Bagle.j and
Bagle.k variants that have been getting through as password-protected or
encrypted .zip files will be detected soon.  I worked with them today and we
have discovered that their products would detect these viruses if they were
executed on a system, but not if just scanned as happens with email
scanning, or if the user just copied the file on their computer or performed
an on-demand scan of the .zip file on their system.  They are updating their
DAT files and the next major release should detect these variants with a
normal scan as a generic version of the Bagle virus.  In the meantime, the
daily DAT files posted as of 4:00 PST today do indeed detect these
variants and enable Declude to stop them.  Hope this helps!

Vance Reed

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".    The archives can be found
at http://www.mail-archive.com.





-- 
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
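Matt's heuristic (a password handed over in the body text plus a password-protected zip attachment), combined with the Declude-style check for executable names inside the archive, as an added example that is not code from the list, from Declude or from any AV vendor. It assumes only the Python standard library, a constructed sample message, and a hand-set ZIP encryption flag bit, since zipfile cannot write encrypted archives; nothing is decrypted, because entry names and flags sit in the clear in the central directory.

```python
import email, io, re, zipfile
from email import policy
from email.message import EmailMessage

# Inner-file extensions treated as executable content (assumed list, in the spirit of Declude's 3b).
RISKY_EXT = (".exe", ".scr", ".pif", ".com", ".bat")
# Body-text pattern: the message hands the reader the archive password.
PASSWORD_RE = re.compile(r"\bpassword\b\W*(?:is|:)?\W*([^\s.,]+)", re.I)
ENCRYPTED_FLAG = 0x1  # bit 0 of the ZIP general-purpose flag marks an encrypted entry

def inspect_zip(data):
    """Read only the central directory: names and flag bits are readable even
    when the entry data is encrypted, so no password is needed."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    encrypted = any(i.flag_bits & ENCRYPTED_FLAG for i in infos)
    risky = [i.filename for i in infos if i.filename.lower().endswith(RISKY_EXT)]
    return encrypted, risky

def score_message(raw):
    """Heuristic from the post: an encrypted zip plus a password in the body
    (or an executable name inside the zip) is enough to flag the message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    pw = PASSWORD_RE.search(body.get_content() if body is not None else "")
    hits = {"encrypted_zip": False, "risky_inner": [], "body_password": pw.group(1) if pw else None}
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() == "application/zip" or name.endswith(".zip"):
            enc, risky = inspect_zip(part.get_payload(decode=True))
            hits["encrypted_zip"] = hits["encrypted_zip"] or enc
            hits["risky_inner"] += risky
    hits["block"] = hits["encrypted_zip"] and bool(hits["body_password"] or hits["risky_inner"])
    return hits

def constructed_sample(encrypted=True):
    """Constructed test message (not a real sample). The stdlib cannot write
    encrypted zips, so the encryption flag bit is set by hand in both headers."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photos.exe", b"dummy bytes, not an executable")
    z = bytearray(buf.getvalue())
    if encrypted:  # local header flag at +6, central directory flag at +8
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = z.find(sig)
            z[pos + off:pos + off + 2] = ENCRYPTED_FLAG.to_bytes(2, "little")
    m = EmailMessage()
    m.set_content("Your document is attached. The password is 31337.")
    m.add_attachment(bytes(z), maintype="application", subtype="zip", filename="photos.zip")
    return m.as_bytes()
```

The same archive with the encryption bit clear is not blocked by this rule, which is the trade-off Matt describes: the heuristic keys on the password-protected zip, not on the executable alone.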


