According to AVERT (McAfee's Virus Lab), their Gateway products are catching the .J (variable password) files, but the desktops are not.
I read "Gateway products" as meaning they are pulling the password from the body and using that to unpack and check.

Unless there is a "simple/quick" backdoor/crack for passworded ZIPs for the AV companies to use, variable password is going to be a BIG pain for all of us.
There are other variations on the random password problem that would make "find it in the e-mail" impossible. So, while I see the short/medium term benefits of "find the password", I doubt that will be our long term solution.
I would class the "hint/clue type" as only annoying on that scale; they would tend to follow predictable patterns. (Reactive solutions should be possible.)

Another variable in "What does McAfee catch?" is using the Daily DATs. These are always labeled 4100.
Also the Extra.Dat (think quick patch to the regular DAT files) that included .H & .I had a generic Zip check. I pulled out just that check and it is getting some of the encrypted zips. Looks like the static .F version and not the dynamic .J.
(This doesn't add much, except better info. Blocking all pwd protected zips is currently the only safe plan for most of us.)

Also they claim that a switch added to the command line can cause it to catch the .J versions.
I blanked out the possible switch until I get to do some more testing and the dust settles a little. They are evolving daily, just like Declude. If someone wants to test, e-mail me or AVERT (off list).

Greg Little

Dear Greg,

The following is true:

"We DO still detect the !pwdzip at the gateway. 
We DO NOT detect the !pwdzip at the desktop."

However, you can also detect the !pwdzip by using the Command-Line Scanner
with the /######## switch.

And:

"Of course, when the user opens the zip and provides the password we will 
still detect the worm and prevent it running."
...
Regards,

Brant Yaeger
Virus Research Analyst
McAfee AVERT (TM)
A division of McAfee, Inc.
This E-mail came from the Declude.Virus mailing list. The archives can be found at http://www.mail-archive.com.
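The gateway approach the first part of the message describes (extract the password from the e-mail body, open the archive with it, hand the contents to the scanner), together with the fallback the message recommends (block any password-protected ZIP the gateway cannot open), as an added example in Python; it is not code from the list, from McAfee or from Declude. The e-mail body, the password value, the member name and the archive bytes are all constructed for the example, and the small ZipCrypto encoder is there only to build a sample archive, since the standard library can read but not write traditionally encrypted ZIPs.

```python
"""Gateway-style handling of a password-protected ZIP attachment.

Added example, not code from the mailing list, McAfee or Declude. The e-mail
body, password and archive are constructed; the ZipCrypto encoder exists only
because the standard library can read, but not write, such archives.
"""
import io
import re
import struct
import zipfile
import zlib

# Constructed sample in the style of the worm mails; the password is made up.
SAMPLE_BODY = ("For security reasons attached file is password protected.\n"
               "The password is 38215.\n")
SAMPLE_PASSWORD = b"38215"
SAMPLE_MEMBER = b"MZ sample bytes (constructed placeholder, not a real program)"
# "password is X", "password: X", "password = X"; group 1 is the candidate.
PASSWORD_RE = re.compile(r"password\s*(?:is|:|=)\s*[\"']?([A-Za-z0-9]{3,20})", re.I)
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cpl")

# Plain CRC-32 table (no pre/post inversion), as the ZipCrypto key schedule uses it.
_CRC_TABLE = [zlib.crc32(bytes([i]), 0xFFFFFFFF) ^ 0xFFFFFFFF for i in range(256)]


def find_password_candidates(body: str) -> list:
    """Distinct password candidates in an e-mail body, in order of appearance."""
    found = []
    for m in PASSWORD_RE.finditer(body):
        if m.group(1) not in found:
            found.append(m.group(1))
    return found


def _zipcrypto_encrypt(password: bytes, plain: bytes) -> bytes:
    """Traditional PKWARE ('ZipCrypto') encryption, used here only to build samples."""
    k = [0x12345678, 0x23456789, 0x34567890]

    def update(b):  # the key schedule advances on each plaintext byte
        k[0] = (k[0] >> 8) ^ _CRC_TABLE[(k[0] ^ b) & 0xFF]
        k[1] = ((k[1] + (k[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        k[2] = (k[2] >> 8) ^ _CRC_TABLE[(k[2] ^ (k[1] >> 24)) & 0xFF]

    for b in password:
        update(b)
    out = bytearray()
    for p in plain:
        t = (k[2] | 2) & 0xFFFF
        out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
        update(p)
    return bytes(out)


def make_encrypted_zip(name: str, data: bytes, password: bytes) -> bytes:
    """Single-entry, stored, ZipCrypto-encrypted ZIP (constructed test input)."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    fname = name.encode("ascii")
    # 12-byte encryption header: 11 filler bytes, then the CRC high byte that
    # a reader checks the password against before decrypting the payload.
    header = bytes(range(11)) + bytes([(crc >> 24) & 0xFF])
    payload = _zipcrypto_encrypt(password, header + data)
    flags, method = 1, zipfile.ZIP_STORED  # general-purpose flag bit 0 = encrypted
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, 0, 0,
                        crc, len(payload), len(data), len(fname), 0) + fname + payload
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method,
                          0, 0, crc, len(payload), len(data), len(fname),
                          0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


def unpack_with_candidates(zip_bytes: bytes, candidates: list) -> tuple:
    """Return (password, {member: bytes}); password is None when nothing opened it."""
    zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    infos = zf.infolist()
    if not any(i.flag_bits & 0x1 for i in infos):
        return "", {i.filename: zf.read(i) for i in infos}  # not encrypted at all
    for cand in candidates:
        try:
            return cand, {i.filename: zf.read(i, pwd=cand.encode()) for i in infos}
        except (RuntimeError, zipfile.BadZipFile):
            # RuntimeError: the 1-byte password check failed. BadZipFile: it passed
            # by chance (1 in 256) but the CRC of the decrypted data did not match.
            continue
    return None, {}


def classify_attachment(body: str, zip_bytes: bytes) -> dict:
    """Gateway decision for one ZIP attachment of one message."""
    candidates = find_password_candidates(body)
    pwd, members = unpack_with_candidates(zip_bytes, candidates)
    if pwd is None:  # the message's fallback: block what we cannot open
        return {"action": "block", "reason": "encrypted, no working password",
                "candidates": candidates}
    # Stand-in for handing each member to the real scanner: flag executable
    # extensions and the "MZ" header that DOS/PE executables begin with.
    flagged = [n for n, d in members.items()
               if n.lower().endswith(EXEC_EXT) or d.startswith(b"MZ")]
    if flagged:
        return {"action": "block", "reason": "executable content", "members": flagged}
    return {"action": "scan", "members": sorted(members), "password": pwd}
```

`classify_attachment(SAMPLE_BODY, make_encrypted_zip("attached_file.exe", SAMPLE_MEMBER, SAMPLE_PASSWORD))` returns a block verdict because the password was found and the unpacked member looks executable; the same archive with a body that carries no password hint is blocked under the fallback rule instead. The regex is the weak point, which is exactly the limitation the message raises: a variant that does not state the password in a recognisable phrase leaves only the block-everything policy.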
