Re: [Full-Disclosure] Multiple AV Vendors ignoring tar.gz archives

From: bkfsec (
Date: 02/07/05

    Date: Mon, 07 Feb 2005 15:32:20 -0500
    To: James Eaton-Lee <>

    James Eaton-Lee wrote:

    >For many SMEs, the distinction is irrelevant, as a significant number of
    >e-mail servers do *NOT* incorporate antivirus software designed with
    >gateway scanning in mind - they run desktop scanning tools on e-mail;
    >thus, for many companies, the distinction between 'gateway' and
    >'desktop' antivirus software is both, since one scanning engine and set
    >of definitions play the same role.
    I think that the distinction that Nick was making was that any AV that
    is intended to do gateway scanning should implement this, which is
    implied by his whole "gateway scanners may have a problem with this..."

    If corporations are using desktop scanners as gateway scanners, then
    they're misusing the product.

    I could try to tow 3 tons of bricks with my little Honda Civic, but
    would it be Honda's fault if my engine gave out? I'd be misusing the
    product. 'nuff said.

    >Antivirus technology is something which even non-technical office staff are very
    >much aware of, and they base many aspects of their work on assumptions
    >such as the fact that if an antivirus scanner has not detected 'a virus'
    >in a file they have sent/downloaded/copied, that it is safe - although
    >they may not be at risk from a virus in an archive file that their
    >antivirus software does not detect, other people may.
    Well, this is largely a perception problem. People think that a clean
    scan means that something is safe and that's wrong. It's not just wrong
    in AV, it's wrong in all security analysis issues. It's wrong in IDS.
    It's wrong in forensics. It's wrong in pen-testing.

    What the outcome really means is, literally, that nothing that the
    product was designed to detect was detected. It means nothing more and
    nothing less.

    However, people turn that into "the coast is clear" because people don't
    want to live in a constant state of paranoia and fear. By their nature,
    security and usefulness have to be balanced, at least in this way.

    However, this all comes down to one point: If the AV can detect the
    malware uncompressed, but can't detect it compressed, then there's no
    problem. The malware has to be decompressed to be dangerous. That was
    Nick's point and it's 100% correct.

    IF your AV software is functioning normally.
    IF your AV software has proper real-time detection capabilities.
    IF your AV is properly set up and scans the programs you run at the time
    they're read from the HD.
    IF your AV will detect the malware uncompressed.

    Then, as should be true for the vast majority of situations out there,
    the malware will be caught as it's being extracted from the archive.
    Or, barring detection on writes, when it's being executed in the first

    If the problem you're pointing out is that SMEs are carrying out
    cost-cutting by not putting AV on their workstations and blindly relying
    on gateway scanning, then that SME has a much bigger set of problems
    than not having compressed tarball support on their gateway scanner, and
    their cost-cutting is ultimately going to cost them.

    That SME has made a grave mistake and hopefully they'll learn their lesson.

    >Harking back to SMEs, who seem to be at the focus of most of the points
    >that I've made, it's quite possible that the inability to scan an
    >archive file could be extremely damaging to a business's reputation when
    >forwarded to a partner or customer
    In what situation can you imagine where a person blindly forwards
    compressed (unscanned) content to a business partner?

    Again, this can only be because of cost-cutting issues at the SME or
    laziness on the part of the SME's employee. Again, the problem is not
    the issue of the AV, but rather the fault of the SME for not being more

    > - since you're obviously sure of your
    >positions on these issues, I shouldn't have to remind you that antivirus
    >software isn't about being theoretically perfect, it's about preventing
    >business loss.
    This is the wrong way to think about it.

    The goal of antivirus is, plainly said, to detect and block malware from

    Preventing business loss is a side-effect of this. There are many
    reasons for keeping malware off of systems, business benefit is only one
    of them.

    A hammer is a hammer. Its sole intent is to bash things (and, possibly,
    pry them out). It can be used to build houses, but it is not a

    >Antivirus software is deployed based on many sets of assumptions.
    >Failure to live up to these assumptions is generally what causes the
    >most damage to businesses as protection they thought they had in place
    >fails - this issue is something which falls into this category;
    >antivirus software is, in the majority of SMEs, implemented by staff
    >without extensive experience in antivirus software, and they are highly
    >unlikely to be aware of issues such as this one (especially since in
    >most antivirus software, the option is given to 'scan archive files',
    >not 'scan archive files apart from the ones we don't understand') - not
    >a serious issue, but definitely a significant one, and one which should
    >be fixed upstream by antivirus vendors.
    It is expressly impossible to determine what the uneducated, untrained,
    and willfully incapable of reading documentation will do when left to
    their own devices.

    User-friendly software tries to cater to these users, by making things
    as simple as possible, but that does not mean that all of these
    conditions can be predicted. I'm very much in agreement that AV
    programs should support compressed tarballs and other archival formats.
    However, any organization that is bitten by this relatively small flaw
    will be bitten because they lack common sense.

    The OEMs out there, along with the AV companies for obviously
    self-serving reasons, have gone a long way towards trying to spread the
    word that virus protection should be on all clients out there. This is
    not an arcane planning issue like, say, properly implementing an IDS.
    It's a common sense, best practices, no BS doctrine.

    And there are no excuses for an organization that purposefully puts
    themselves into a position where a minor defect like this can harm their


    Full-Disclosure - We believe in it.
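Added illustration of the scanning mechanics the thread argues over (example code written for this page, not from the post, the list, or any AV vendor): a naive scanner that pattern-matches only the bytes it is handed, an archive-aware scanner that recurses into tar/gzip members with a depth bound, and a model of a desktop on-access scanner that checks each file as it is extracted. The signature string, file names and archive contents are all constructed placeholders; the "signature" is not a real malware pattern. Nested archives are included because a single extraction step only writes another archive to disk, which is exactly the case where a gateway that does not understand the format and an on-access scanner disagree about what "scan archive files" means.

```python
import gzip
import io
import tarfile

# Constructed placeholder standing in for an AV signature. It is not malware.
SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE-NOT-MALWARE"


def build_tar_gz(members):
    """Build an in-memory .tar.gz from {name: bytes}. Constructed sample input."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def naive_scan(blob):
    """Gateway-style scanner with no archive support: it only matches the
    raw bytes it is given, so a deflate stream hides the pattern from it."""
    return SIGNATURE in blob


def archive_aware_scan(blob, depth=0, max_depth=3):
    """Scanner that understands tar, tar.gz and bare gzip and recurses into
    members. max_depth bounds recursion so a deliberately nested archive
    cannot make the scanner loop or exhaust resources."""
    if not blob or naive_scan(blob):
        return bool(blob) and naive_scan(blob)
    if depth >= max_depth:
        return False
    # Try the blob as a tar archive (plain or gzip-compressed).
    try:
        with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tar:
            for member in tar.getmembers():
                if not member.isfile():
                    continue
                f = tar.extractfile(member)
                if f is None:
                    continue
                if archive_aware_scan(f.read(), depth + 1, max_depth):
                    return True
            return False
    except tarfile.TarError:
        pass
    # Not a tar: try it as a bare gzip stream and scan the decompressed bytes.
    try:
        return archive_aware_scan(gzip.decompress(blob), depth + 1, max_depth)
    except (OSError, EOFError):
        return False


def extract_and_scan_on_write(blob):
    """Model of a desktop on-access scanner: the user extracts the archive
    and every file written to disk is scanned at that moment. Returns the
    member names flagged by a single extraction step; a nested archive is
    written untouched and only caught when it is extracted in turn."""
    flagged = []
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tar:
        for member in tar.getmembers():
            if member.isfile():
                f = tar.extractfile(member)
                if f is not None and naive_scan(f.read()):
                    flagged.append(member.name)
    return flagged


if __name__ == "__main__":
    # Constructed sample archives: one flat, one nested inside another tar.gz.
    sample = build_tar_gz({"readme.txt": b"hello", "payload.bin": SIGNATURE + b" tail"})
    nested = build_tar_gz({"inner.tar.gz": sample})
    print("naive gateway scan of tar.gz:", naive_scan(sample))
    print("archive-aware scan of tar.gz:", archive_aware_scan(sample))
    print("on-access flags at extraction:", extract_and_scan_on_write(sample))
    print("on-access flags, nested, first extraction:", extract_and_scan_on_write(nested))
    print("archive-aware scan, nested:", archive_aware_scan(nested))
```

The depth bound is the part worth copying: an archive scanner without one turns the "scan archive files" option into a resource-exhaustion problem, which is one reason vendors hesitate to add formats to that option.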
