Re: [Full-Disclosure] Multiple AV Vendors ignoring tar.gz archives
From: bkfsec (bkfsec_at_sdf.lonestar.org)
Date: Mon, 07 Feb 2005 15:32:20 -0500
To: James Eaton-Lee <firstname.lastname@example.org>
James Eaton-Lee wrote:
>For many SMEs, the distinction is irrelevant, as a significant number of
>e-mail servers do *NOT* incorporate antivirus software designed with
>gateway scanning in mind - they run desktop scanning tools on e-mail;
>thus, for many companies, the distinction between 'gateway' and
>'desktop' antivirus software is both, since one scanning engine and set
>of definitions play the same role.
I think that the distinction that Nick was making was that any AV that
is intended to do gateway scanning should implement this, which is
implied by his whole "gateway scanners may have a problem with this..."
If corporations are using desktop scanners as gateway scanners, then
they're misusing the product.
I could try to tow 3 tons of bricks with my little Honda Civic, but
would it be Honda's fault if my engine gave out? I'd be misusing the
product. 'nuff said.
>Antivirus technology is something which even non-technical office staff are very
>much aware of, and they base many aspects of their work on assumptions
>such as the fact that if an antivirus scanner has not detected 'a virus'
>in a file they have sent/downloaded/copied, that it is safe - although
>they may not be at risk from a virus in an archive file that their
>antivirus software does not detect, other people may.
Well, this is largely a perception problem. People think that a clean
scan means that something is safe and that's wrong. It's not just wrong
in AV, it's wrong in all security analysis issues. It's wrong in IDS.
It's wrong in forensics. It's wrong in pen-testing.
What the outcome really means is, literally, that nothing that the
product was designed to detect was detected. It means nothing more and
However, people turn that into "the coast is clear" because people don't
want to live in a constant state of paranoia and fear. By their nature,
security and usefulness have to be balanced, at least in this way.
However, this all comes down to one point: If the AV can detect the
malware uncompressed, but can't detect it compressed, then there's no
problem. The malware has to be decompressed to be dangerous. That was
Nick's point and it's 100% correct.
IF your AV software is functioning normally.
IF your AV software has proper real-time detection capabilities.
IF your AV is properly set up and scans the programs you run at the time
they're read from the HD.
IF your AV will detect the malware uncompressed.
Then, as should be true for the vast majority of situations out there,
the malware will be caught as it's being extracted from the archive.
Or, barring detection on writes, when it's being executed in the first
If the problem you're pointing out is that SMEs are carrying out
cost-cutting by not putting AV on their workstations and blindly relying
on gateway scanning, then that SME has a much bigger set of problems
than not having compressed tarball support on their gateway scanner, and
their cost-cutting is ultimately going to cost them.
That SME has made a grave mistake and hopefully they'll learn their lesson.
>Harking back to SMEs, who seem to be at the focus of most of the points
>that I've made, it's quite possible that the inability to scan an
>archive file could be extremely damaging to a business's reputation when
>forwarded to a partner or customer
In what situation can you imagine where a person blindly forwards
compressed (unscanned) content to a business partner?
Again, this can only be because of cost-cutting issues at the SME or
laziness on the part of the SME's employee. Again, the problem is not
the issue of the AV, but rather the fault of the SME for not being more
> - since you're obviously sure of your
>positions on these issues, I shouldn't have to remind you that antivirus
>software isn't about being theoretically perfect, it's about preventing
This is the wrong way to think about it.
The goal of antivirus is, plainly said, to detect and block malware from
Preventing business loss is a side-effect of this. There are many
reasons for keeping malware off of systems, business benefit is only one
A hammer is a hammer. Its sole intent is to bash things (and, possibly,
pry them out). It can be used to build houses, but it is not a
>Antivirus software is deployed based on many sets of assumptions.
>Failure to live up to these assumptions is generally what causes the
>most damage to businesses as protection they thought they had in place
>fails - this issue is something which falls into this category;
>antivirus software is, in the majority of SMEs, implemented by staff
>without extensive experience in antivirus software, and they are highly
>unlikely to be aware of issues such as this one (especially since in
>most antivirus software, the option is given to 'scan archive files',
>not 'scan archive files apart from the ones we don't understand') - not
>a serious issue, but definitely a significant one, and one which should
>be fixed upstream by antivirus vendors.
It is expressly impossible to determine what the uneducated, untrained,
and willfully incapable of reading documentation will do when left to
their own devices.
User-friendly software tries to cater to these users, by making things
as simple as possible, but that does not mean that all of these
conditions can be predicted. I'm very much in agreement that AV
programs should support compressed tarballs and other archival formats.
However, any organization that is bitten by this relatively small flaw
will be bitten because they lack common sense.
The OEMs out there, along with the AV companies for obviously
self-serving reasons, have gone a long way towards trying to spread the
word that virus protection should be on all clients out there. This is
not an arcane planning issue like, say, properly implementing an IDS.
It's a common sense, best practices, no BS doctrine.
And there are no excuses for an organization that purposefully puts
themselves into a position where a minor defect like this can harm their
Full-Disclosure - We believe in it.
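The thread's technical point is that an archive is only dangerous once its contents are unpacked, so a gateway scanner that cannot open tar.gz must either recurse into it or defer to on-access scanning at extraction time. The script below is an added illustration, not code from anyone in this thread: it compares a flat byte scan of a tar.gz with a scanner that unpacks nested tar.gz members in memory, using a constructed marker string (not a real signature) and a recursion cap so deeply nested archives cannot exhaust the scanner.

```python
import io
import tarfile

# Constructed test signature: a harmless marker string standing in for a
# real malware signature so the example runs offline (hypothetical value).
SIGNATURES = {"demo-marker": b"X-DEMO-MARKER-NOT-MALWARE"}
MAX_DEPTH = 3  # stop recursing into archives nested deeper than this


def scan_bytes(data, signatures=SIGNATURES):
    """Flat signature match over raw bytes: effectively what a scanner
    that does not understand tar.gz does to the archive as a whole."""
    return [name for name, pat in signatures.items() if pat in data]


def scan_archive(data, path="<root>", depth=0):
    """Scan raw bytes, then unpack any tar/tar.gz in memory and scan each
    member recursively. Returns a list of (member path, signature name)."""
    findings = [(path, s) for s in scan_bytes(data)]
    if depth >= MAX_DEPTH:
        return findings  # depth cap: do not unpack further
    try:
        tf = tarfile.open(fileobj=io.BytesIO(data), mode="r:*")
    except tarfile.TarError:
        return findings  # not a tar/tar.gz: nothing further to unpack
    with tf:
        for member in tf.getmembers():
            if not member.isfile():
                continue
            body = tf.extractfile(member).read()
            findings += scan_archive(body, f"{path}/{member.name}", depth + 1)
    return findings


def build_targz(files):
    """Build a gzip-compressed tar in memory from {name: bytes} (test data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed sample: the marker sits in a tar.gz nested inside another tar.gz,
# so the flat scan sees only compressed bytes and never the marker itself.
INNER = build_targz({"payload.bin": b"header " + SIGNATURES["demo-marker"]})
OUTER = build_targz({"README": b"nothing here", "inner.tar.gz": INNER})

if __name__ == "__main__":
    print("flat scan of archive bytes:", scan_bytes(OUTER))
    print("recursive scan:", scan_archive(OUTER))
```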