Re: Avira Free Antivir suspects 5 *.CAB Files to contain malicious Code



"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:u5eCLQHlJHA.4344@xxxxxxxxxxxxxxxxxxxxxxx
> From: "FromTheRafters" <erratic@xxxxxxxxxxxxxxxxx>
>
> | Any kind of advice?
>
> | Okay, go into the AV's configuration and set it to use the file
> | extensions list instead of the "smart" one that even bothers to scan
> | cabinet files.
>
> | Maybe you can find an AntiVir forum somewhere that can give you a
> | custom list of extensions that are worthy of being scanned.
>
> CAB files are indeed worthy of being scanned!
> Often malware will come in a .CAB (cabinet file); others may use a
> different extension such as DAT and use the EXPAND command to extract
> the executable from the CAB file.

Shouldn't the 'on access' scanner catch them when they are extracted? Or
is this all done inside a process like the extraction from java jars? If
e-mail scanning is over the top redundant, isn't scanning within
containers also?

> Others come in the form of self-extracting cabinet files.
>
> Example:
> The file: AntiVirusInstaller.exe

Yeah, but that's an exe - and we know exes should be scanned.

> Downloaded
>
> C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\BNPHK11H\AV1[2].CAB
> Saved as...
> C:\Documents and Settings\All Users\Application Data\AV1\AV1.cab
>
> Then ran the command...
> cmd.exe /C expand "C:\Documents and Settings\All Users\Application Data\AV1\AV1.cab" "C:\Documents and Settings\All Users\Application Data\AV1\AV1.exe"
> Then ran the command...
> "C:\Documents and Settings\All Users\Application Data\AV1\AV1.exe" autostart

Years ago I suggested that *all* files should be scanned because malware
could take the form of text in a text file. While the text file itself
wouldn't be dangerous, I suggested that known malware could be encoded
within, and a command or a program could decode and execute the malware.
I was told by several experts that it would be the program or the
command that would need to be detected - not the text file as the text
file in question only *contains* the malware - and there exists a
prerequisite malware to remove it from its container and execute it -
why is this so different?

I can understand content in an archive being a threat, if the extracted
malware doesn't get written to a file (thus avoiding a scan) before
being executed like, if I understand it correctly, Java does or did. I'm
sure I'm not telling you anything new, but the fact that I can write a
script to send a text file to debug and *execute* it does not mean that
.txt should be on a list of extensions to scan - it is the script that
should be detected as malware.

If I'm wrong in this, then it brings me around full circle to what I was
proposing ten years ago.
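The disagreement above is about whether a scanner should look inside a container or only at what comes out of it. The following is an added example, not code from either poster, from Avira, or from Windows: a small parser for the Microsoft Cabinet (MSCF) format that does what "scanning within containers" amounts to. It identifies a cabinet by its signature regardless of the extension it was given (the .DAT trick in the quoted post), lists the members, and for stored (uncompressed) folders looks at the member bytes themselves, so a PE image inside the container is visible before anything extracts it. The sample cabinet is constructed in the block; member names, the executable-extension list and the MZ check are illustrative choices, and compressed folders (MSZIP, LZX, Quantum) are reported but not decompressed.

```python
import os
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed illustration: a minimal parser for Microsoft Cabinet (MSCF) files that
# lists what is inside a container by content, not by the extension it was given.
# Not Avira's, Windows' or any project's code; the sample cabinet is built below.

CAB_MAGIC = b"MSCF"
CFHEADER_LEN, CFFOLDER_LEN, CFFILE_LEN, CFDATA_LEN = 36, 8, 16, 8   # fixed-size parts
FLAG_PREV, FLAG_NEXT, FLAG_RESERVE = 0x1, 0x2, 0x4                  # CFHEADER.flags bits
COMPRESSION = {0: "none", 1: "MSZIP", 2: "Quantum", 3: "LZX"}      # CFFOLDER.typeCompress
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com", ".sys", ".cpl"}  # illustrative list


@dataclass
class CabMember:
    name: str
    size: int
    compression: str
    data: Optional[bytes]   # recovered only for stored (uncompressed) folders


def is_cabinet(blob: bytes) -> bool:
    """A cabinet is a cabinet whatever its extension says (.CAB, .DAT, ...)."""
    return blob[:4] == CAB_MAGIC


def _cstring(blob: bytes, pos: int):
    end = blob.index(b"\x00", pos)
    return blob[pos:end].decode("latin-1"), end + 1


def parse_cab(blob: bytes):
    """Walk CFHEADER -> CFFOLDER -> CFDATA -> CFFILE and return the members."""
    if not is_cabinet(blob):
        raise ValueError("not a cabinet: MSCF signature missing")
    (cb_cabinet, coff_files, _minor, _major, c_folders, c_files,
     flags, _set_id, _i_cabinet) = struct.unpack_from("<4xI4xI4xBBHHHHH", blob, 4)
    if cb_cabinet > len(blob):
        raise ValueError("truncated cabinet: header claims more bytes than present")
    pos, cb_cf_folder, cb_cf_data = CFHEADER_LEN, 0, 0
    if flags & FLAG_RESERVE:                     # optional per-structure reserve areas
        cb_cf_header, cb_cf_folder, cb_cf_data = struct.unpack_from("<HBB", blob, pos)
        pos += 4 + cb_cf_header
    for _ in range((2 if flags & FLAG_PREV else 0) + (2 if flags & FLAG_NEXT else 0)):
        _, pos = _cstring(blob, pos)             # szCabinetPrev/szDiskPrev, ...Next
    folders = []                                 # (coffCabStart, cCFData, compression type)
    for _ in range(c_folders):
        start, n_blocks, type_compress = struct.unpack_from("<IHH", blob, pos)
        folders.append((start, n_blocks, type_compress & 0x000F))
        pos += CFFOLDER_LEN + cb_cf_folder
    folder_bytes = []                            # stored contents per folder, None if compressed
    for start, n_blocks, ctype in folders:
        chunks, p = [], start
        for _ in range(n_blocks):                # each CFDATA: csum, cbData, cbUncomp, payload
            _csum, cb_data, _cb_uncomp = struct.unpack_from("<IHH", blob, p)
            p += CFDATA_LEN + cb_cf_data
            chunks.append(blob[p:p + cb_data])
            p += cb_data
        folder_bytes.append(b"".join(chunks) if ctype == 0 else None)
    members, pos = [], coff_files
    for _ in range(c_files):
        cb_file, uoff, i_folder, _date, _time, _attribs = struct.unpack_from("<IIHHHH", blob, pos)
        name, pos = _cstring(blob, pos + CFFILE_LEN)
        data, ctype = None, 0
        if i_folder < c_folders:                 # 0xFFFD..0xFFFF: member spans cabinets
            ctype, fb = folders[i_folder][2], folder_bytes[i_folder]
            data = None if fb is None else fb[uoff:uoff + cb_file]
        members.append(CabMember(name, cb_file, COMPRESSION.get(ctype, "unknown"), data))
    return members


def triage(blob: bytes):
    """What a content-aware archive scan sees: each member and why it merits a look."""
    report = []
    for m in parse_cab(blob):
        reasons = []
        if os.path.splitext(m.name.lower())[1] in EXECUTABLE_EXTS:
            reasons.append("executable extension")
        if m.data is None:
            reasons.append(f"{m.compression}-compressed: decompress before judging")
        elif m.data[:2] == b"MZ":
            reasons.append("PE (MZ) header in stored content")
        report.append({"name": m.name, "size": m.size, "reasons": reasons})
    return report


def build_sample_cab(members) -> bytes:
    """Constructed test input: one stored folder, one CFDATA block, the given members."""
    folder_data, cffile, off = b"".join(d for _, d in members), b"", 0
    for name, data in members:
        cffile += struct.pack("<IIHHHH", len(data), off, 0, 0, 0, 0x20) + name.encode() + b"\x00"
        off += len(data)
    coff_files = CFHEADER_LEN + CFFOLDER_LEN
    coff_cab_start = coff_files + len(cffile)
    cfdata = struct.pack("<IHH", 0, len(folder_data), len(folder_data)) + folder_data
    header = CAB_MAGIC + struct.pack("<IIIIIBBHHHHH", 0, coff_cab_start + len(cfdata),
                                     0, coff_files, 0, 3, 1, 1, len(members), 0, 0, 0)
    return header + struct.pack("<IHH", coff_cab_start, 1, 0) + cffile + cfdata
```

Calling `triage(build_sample_cab([("AV1.exe", b"MZ" + b"\x90" * 62), ("readme.txt", b"hello")]))` reports the first member for both its extension and its MZ header and the second for nothing, and the answer is the same whether the blob on disk was called AV1.cab or AV1.DAT, which is the point an extension-only scan list misses. An on-access scanner that only sees the extracted AV1.exe catches the same payload one step later; what the container scan adds is seeing it before EXPAND runs.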




