c) Creating completely new functionality to target this specific virus where the password string is retrieved from the message body and then used to unlock the file before scanning it (Kaspersky and BitDefender). The downside to this is that it took them 4 days to create this capability, and it will likely take a program update and a long turnaround for them to protect against future password-protected zip files containing viruses, i.e. this is a one-time fix that targets one series of viruses.

That's what is scary about vulnerabilities. Most mailserver AV programs aren't protected, and they are going to have to scramble to come out with new releases. If it takes them 4 days, a virus writer can just keep coming out with new vulnerabilities every 4 days for a month. At that time, the AV programs that are trying to keep up will be getting very buggy -- it just isn't possible for a big company to release 10 new versions with such changes without introducing new bugs.


The AV companies may be now selling this capability in a generic fashion, but it is in fact grandstanding in the face of being one-upped by the virus programmers.

What's worse is that these guys (the virus writers) like the attention they are getting. The Netsky and Bagle guys are fighting each other with each new release. They are currently mad at each other; now, they may get mad at the AV companies that are marketing hype. I believe there isn't anything stopping them from creating encrypted .ZIP files with widely varying file sizes, enough so that it would be truly impossible to detect. If they have random CRCs, varying file sizes, and varying file names, I can't see how any AV program can detect the virus within an encrypted .ZIP file.


-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000.
Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.

