Marcus,

IMO, it would be jumping the gun to start blocking before the exploits started to arrive, but it would be a good idea to research it to some extent.  It may be that it is impractical for virus writers to utilize this format due to the complexity of generating such a file, and virus scanners can pick up viruses in encrypted zips for instance when they aren't randomized.  The PDF encoding may be sufficiently complicated for this that they must use pre-generated files that could be picked up without any modifications.  Like encrypted zips, it may also be possible for Declude to pick up executable files within encrypted PDFs, and I would assume that they shouldn't be in there in the first place.  Of course all of this is just speculation on my part, but one would of course hope that unlike the compression software companies, Adobe would have considered the potential of this being exploited.

Personally I believe that the #1 impending problem may be more viruses using linked payloads in the future where the executable or exploited scripting is hosted on the infected machine.  We have already seen several of these spread with some success, and spammers have been using links to exploited pages to install spyware (viruses) for over a year and a half now.  Since most viruses will likely use the IP address for the link in such an attack, and since some AV companies have already started coding definitions that catch this type of content, I have requested that Declude include a linked IP as a qualifying hit with PRESCAN ON so that it will send the message to the virus scanners.  This has also been discussed here in the past.

Regarding the small zips with executables, I can certainly see a good reason for this being that some of us tell our customers and those that they correspond with to zip up executables otherwise they will be blocked with a notification.  Some are in fact small, especially scripts.  Knowing the size of the zip and potentially the included file extension is however an important heuristic that can be used in combination with other things to detect what is likely a virus that may have passed the virus scanning.

Matt



Markus Gufler wrote:
Although Adobe recommends enabling scanning all file types in 
order to scan a PDF (and ass/u/me'ing its embedded contents 
as well), an AV scanner is not currently going to be able to 
scan this encrypted content until the content has been 
rendered/unencrypted at the desktop.

Is there any info from Adobe or any AV company about the ability/possibility
to scan and detect such encrypted content?

If there is any possibility to detect encrypted PDFs I think Declude should
be prepared to add "BANEXT ePDF" to the config file before the first worms
appear...

At this point maybe I can also place the feature request that we can block
certain (archiving) file types if they have a small size and a suspicious
file inside. For example all ZIP files below 100 kB with any executable file
inside. This should help to block new virus variants until appropriate
signatures are available from the AV companies. I'm not 100% sure,
but I can't imagine why someone would send a legitimate zip file with a small
executable inside.

Markus


---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".    The archives can be found
at http://www.mail-archive.com.



-- 
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
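The heuristic Markus requests (small ZIP with an executable member) and Matt's point that scanners can still see the contents of encrypted archives, as an added Python example that is not code from the thread or from Declude. The 100 kB threshold comes from the discussion; the extension list, function names and sample archives are assumptions constructed for the example. It relies on the ZIP central directory (member names, sizes, encryption flag) being stored in the clear even when member data is encrypted.

```python
import io
import zipfile

# Assumed list of member extensions treated as "executable" for the heuristic.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}
SIZE_LIMIT = 100 * 1024  # the 100 kB threshold from the discussion


def inspect_zip(data: bytes, size_limit: int = SIZE_LIMIT) -> dict:
    """Return heuristic findings for an archive given as raw bytes.

    Works on encrypted archives too: ZIP stores file names, sizes and the
    per-member encryption flag in the central directory in plain text, so
    an executable name is visible without the password.
    """
    findings = {"valid_zip": True, "small": len(data) < size_limit,
                "encrypted": False, "executables": []}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:  # general-purpose bit 0 = encrypted
                    findings["encrypted"] = True
                name = info.filename.lower()
                # Check the final extension, so "invoice.pdf.exe" is caught.
                if any(name.endswith(ext) for ext in EXECUTABLE_EXTENSIONS):
                    findings["executables"].append(info.filename)
    except zipfile.BadZipFile:
        findings["valid_zip"] = False
    return findings


def should_block(findings: dict) -> bool:
    """Block only when the archive is small AND carries an executable member."""
    return findings["valid_zip"] and findings["small"] and bool(findings["executables"])


def build_sample_zip(member_name: str, payload: bytes) -> bytes:
    """Construct an in-memory test archive (stored, so archive size ~ payload size)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: a tiny ".exe", a harmless text file, and a large ".exe".
    for name, payload in [("invoice.pdf.exe", b"MZ" + b"\0" * 512),
                          ("notes.txt", b"hello"),
                          ("setup.exe", b"MZ" + b"\0" * 200_000)]:
        result = inspect_zip(build_sample_zip(name, payload))
        print(name, "-> block" if should_block(result) else "-> pass", result)
```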
