Re: Avira Free Antivir suspects 5 *.CAB Files to contain malicious Code
- From: "FromTheRafters" <erratic@xxxxxxxxxxxxxxxxx>
- Date: Sat, 21 Feb 2009 19:36:57 -0500
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:u5eCLQHlJHA.4344@xxxxxxxxxxxxxxxxxxxxxxx
> From: "FromTheRafters" <erratic@xxxxxxxxxxxxxxxxx>
>
> | Any kind of advice?
>
> | Okay, go into the AV's configuration and set it to use the file
> | extensions list instead of the "smart" one that even bothers to scan
> | cabinet files.
>
> | Maybe you can find an AntiVir forum somewhere that can give you a custom
> | list of extensions that are worthy of being scanned.
>
> CAB files are indeed worthy of being scanned!
>
> Often malware will come in a .CAB (cabinet file); others may use a
> different extension, such as DAT, and use the EXPAND command to extract
> the executable from the CAB file.

Shouldn't the 'on-access' scanner catch them when they are extracted? Or
is this all done inside a process, like the extraction from Java jars? If
e-mail scanning is over-the-top redundant, isn't scanning within
containers also?

> Others come in the form of self-extracting cabinet files.
>
> Example:
>
> The file: AntiVirusInstaller.exe

Yeah, but that's an exe - and we know exes should be scanned.
> Downloaded
> C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\BNPHK11H\AV1[2].CAB
>
> Saved as...
> C:\Documents and Settings\All Users\Application Data\AV1\AV1.cab
>
> Then ran the command...
> cmd.exe /C expand "C:\Documents and Settings\All Users\Application Data\AV1\AV1.cab" "C:\Documents and Settings\All Users\Application Data\AV1\AV1.exe"
>
> Then ran the command...
> "C:\Documents and Settings\All Users\Application Data\AV1\AV1.exe" autostart

Years ago I suggested that *all* files should be scanned because malware
could take the form of text in a text file. While the text file itself
wouldn't be dangerous, I suggested that known malware could be encoded
within, and a command or a program could decode and execute the malware.
I was told by several experts that it would be the program or the
command that would need to be detected - not the text file as the text
file in question only *contains* the malware - and there exists a
prerequisite malware to remove it from its container and execute it -
why is this so different?
I can understand content in an archive being a threat, if the extracted
malware doesn't get written to a file (thus avoiding a scan) before
being executed like, if I understand it correctly, Java does or did. I'm
sure I'm not telling you anything new, but the fact that I can write a
script to send a text file to debug and *execute* it does not mean that
.txt should be on a list of extensions to scan - it is the script that
should be detected as malware.
If I'm wrong in this, then it brings me around full circle to what I was
proposing ten years ago.
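The trick in the quoted post, a cabinet saved under some other extension and then unpacked with EXPAND, is exactly what an extension-based scan list cannot see. As an added example for this thread (not code from either poster), the Python below identifies a cabinet by its MSCF signature instead of its name, walks the CFHEADER, CFFOLDER and CFFILE structures to list the members, and pulls stored (uncompressed) members out to check for an MZ executable header. The sample cabinet is constructed inline by a minimal writer; the file name AV1.dat and the member names are made up for the demonstration, borrowing the AV1 name from the quoted example.

```python
"""Identify Microsoft Cabinet (CAB) containers by content, not extension, and list what they carry.
Added example for the thread above, not code from any of the posters; sample data is constructed inline."""
import struct
from collections import namedtuple
from typing import Dict, List, Tuple

CAB_SIGNATURE = b"MSCF"
CFHDR_PREV_CABINET, CFHDR_NEXT_CABINET, CFHDR_RESERVE_PRESENT = 0x0001, 0x0002, 0x0004
COMPRESSION_NONE = 0  # low nibble of CFFOLDER.typeCompress; 1 = MSZIP, 3 = LZX

# CFFOLDER: offset of the folder's first CFDATA block, number of CFDATA blocks, compression type
Folder = namedtuple("Folder", "data_offset block_count compression")
# CFFILE: name, uncompressed size, folder index, offset within the folder's uncompressed stream
Entry = namedtuple("Entry", "name size folder folder_offset")
Cabinet = namedtuple("Cabinet", "folders entries cfdata_reserve")  # cfdata_reserve: abReserve bytes per CFDATA

def _cstring(buf: bytes, off: int) -> Tuple[str, int]:
    end = buf.index(b"\x00", off)
    return buf[off:end].decode("latin-1"), end + 1

def is_cabinet(data: bytes) -> bool:
    """Content check: a cabinet starts with 'MSCF' whatever the file name says."""
    return data[:4] == CAB_SIGNATURE

def parse_cabinet(data: bytes) -> Cabinet:
    if not is_cabinet(data):
        raise ValueError("missing MSCF signature")
    (_sig, _r1, cb_cabinet, _r2, coff_files, _r3, _minor, _major,
     c_folders, c_files, flags, _set_id, _i_cabinet) = struct.unpack_from("<4sIIIIIBBHHHHH", data, 0)
    if cb_cabinet > len(data):
        raise ValueError("truncated: header claims %d bytes, have %d" % (cb_cabinet, len(data)))
    off, cb_cffolder, cb_cfdata = 36, 0, 0  # fixed CFHEADER is 36 bytes; optional fields follow
    if flags & CFHDR_RESERVE_PRESENT:
        cb_cfheader, cb_cffolder, cb_cfdata = struct.unpack_from("<HBB", data, off)
        off += 4 + cb_cfheader
    for flag in (CFHDR_PREV_CABINET, CFHDR_NEXT_CABINET):  # spanning sets carry two names each
        if flags & flag:
            _, off = _cstring(data, off)
            _, off = _cstring(data, off)
    folders = []
    for _ in range(c_folders):
        coff_cab_start, c_cfdata, type_compress = struct.unpack_from("<IHH", data, off)
        folders.append(Folder(coff_cab_start, c_cfdata, type_compress & 0x000F))
        off += 8 + cb_cffolder
    entries, off = [], coff_files
    for _ in range(c_files):
        cb_file, uoff, i_folder, _date, _time, _attribs = struct.unpack_from("<IIHHHH", data, off)
        name, off = _cstring(data, off + 16)
        entries.append(Entry(name, cb_file, i_folder, uoff))
    return Cabinet(folders, entries, cb_cfdata)

def extract_stored(data: bytes, cab: Cabinet, entry: Entry) -> bytes:
    """Return an entry's bytes when its folder is stored uncompressed (MSZIP/LZX not handled here)."""
    folder = cab.folders[entry.folder]
    if folder.compression != COMPRESSION_NONE:
        raise NotImplementedError("compressed folder")
    out, off = bytearray(), folder.data_offset
    for _ in range(folder.block_count):  # CFDATA: csum, cbData, cbUncomp, [abReserve], payload
        _csum, cb_data, _cb_uncomp = struct.unpack_from("<IHH", data, off)
        off += 8 + cab.cfdata_reserve
        out += data[off:off + cb_data]
        off += cb_data
    return bytes(out[entry.folder_offset:entry.folder_offset + entry.size])

def inspect_file(filename: str, data: bytes) -> Dict:
    """Report what a file really is: a cabinet saved as .DAT is still a cabinet."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    report = {"filename": filename, "extension": ext, "is_cabinet": is_cabinet(data),
              "extension_mismatch": False, "members": [], "pe_members": []}
    if not report["is_cabinet"]:
        return report
    report["extension_mismatch"] = ext != "cab"
    cab = parse_cabinet(data)
    for entry in cab.entries:
        report["members"].append(entry.name)
        stored = cab.folders[entry.folder].compression == COMPRESSION_NONE
        if stored and extract_stored(data, cab, entry)[:2] == b"MZ":  # DOS/PE executable header
            report["pe_members"].append(entry.name)
    return report

def build_sample_cabinet(files: List[Tuple[str, bytes]]) -> bytes:
    """Constructed test data: minimal single-folder uncompressed cabinet (not a general CAB writer)."""
    payload, cffiles, uoff = b"".join(c for _, c in files), b"", 0
    for name, content in files:
        cffiles += struct.pack("<IIHHHH", len(content), uoff, 0, 0, 0, 0x20) + name.encode("latin-1") + b"\x00"
        uoff += len(content)
    coff_files = 36 + 8  # CFHEADER + one CFFOLDER
    coff_cab_start = coff_files + len(cffiles)
    cfdata = struct.pack("<IHH", 0, len(payload), len(payload)) + payload  # csum 0 = not computed
    header = struct.pack("<4sIIIIIBBHHHHH", CAB_SIGNATURE, 0, coff_cab_start + len(cfdata), 0,
                         coff_files, 0, 3, 1, 1, len(files), 0, 0x1234, 0)
    return header + struct.pack("<IHH", coff_cab_start, 1, COMPRESSION_NONE) + cffiles + cfdata

# Constructed sample: a fake executable (an "MZ" header plus filler) packed into a cabinet saved as .DAT
SAMPLE_CAB_AS_DAT = build_sample_cabinet([("AV1.exe", b"MZ" + b"\x90" * 62), ("readme.txt", b"hello\r\n")])

if __name__ == "__main__":
    print(inspect_file("AV1.dat", SAMPLE_CAB_AS_DAT))
```

Listing the members needs only the directory structures, so it works for any compression type; pulling a member out to look at its header is done here only for stored folders, since MSZIP and LZX would need the matching decompressors. Against a real cabinet the same functions run unchanged on the file's bytes.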