List:       focus-virus
Subject:    Re: Scanning file extensions or all files
From:       "Nick FitzGerald" <nick () virus-l ! demon ! co ! uk>
Date:       2001-07-31 22:19:38

Bognar Norbert <nbognar@icon.hu> replied to me:

> N> How long is it since I told everyone they should be scanning all
> N> files and *not* depending on the archaic and fundamentally flawed 
> N> "files of 'executable' type as determined from the filename 
> N> extension" method??
> 
> I wouldn't call it flawed, ...

You are, of course, welcome to your flawed opinion, but it is a flaw
and has been for as long as there have been other "normal" ways to
launch code (be it binary executable, document macros or whatever)
that does not depend on the usual (for the Windows environment)
methods that are associated with "normal" extension-based file
typing.

> ... as the scanning engines are not able to
> scan all file types anyway.  ...

So?

> ...  If you read a whatsnew file of a new
> scanning engine release from any vendor, you can usually see some
> notes like "improved the scanning of VBS files and added detection for
> SBF files" for example. ...

So?

> ...  Of course you can scan all files, but to no
> avail as let's say a gif file won't be scanned anyway, it won't
> contain malware ...

You really did miss the bus on this whole issue, didn't you?

On a Windows machine with Microsoft Office (at least any version 
since Word v6.0 -- I've not tested with earlier versions but suspect 
it works all the way back to WinWord v1.0) rename a DOC file so it 
has any unregistered extension (including no extension).  
Double-click it.  What happens?  It opens in Word.  Remember that 
versions of Word prior to v7.0c (Word 95 revision c) opened Word 
documents with macros without any warning about the presence of the 
macros?  Since then there have been all manner of "tricks" to fool 
the unwary or insufficiently suspicious into "running" some code when 
it appeared they would not be.  Many, many of these have involved 
"mis-naming" files of known types because the "attacker" knew that 
the OS (or more correctly, Explorer) would see past the naming 
subterfuge and act on the file by its real type as determined by its 
contents.

If you depend on your scanner *not* doing what the OS is doing, your 
scanner *will* miss stuff it should be able to catch.  However, to 
catch that stuff, it has to look at all the files your OS will look 
at which is -- ta da... -- *all files*.

> ... and scanning all files all the time will be a great
> performance hit ...

It also appears you don't understand how such scanning works.  Modern 
virus scanning is *not* a dumb grunt scan of a file from beginning to 
end looking for strings of characters that are deemed indicative of 
the presence of a virus.  If it was, believe me, *no-one* would use a 
virus scanner!  Competent scanners look at the file's contents, work 
out what kind(s) of file it could be then scan it in ways appropriate 
to those types.  That is why setting "scan all files" does not add a 
terrible overhead to competent scanners.  That is why I recommend you 
do it.  If your chosen scanner grinds to a halt because of this then 
consider another scanner.

> ... (which usually means users switching off the
> realtime protection or complaining about slowdowns).   ...

If your users can turn off the realtime component of your virus 
scanner then you have much bigger problems than that you have chosen 
to base your virus "defense" mechanism on scanning, which has 
always been a poor technological choice for that purpose.

> ...  Of course this means your
> extension list must be up to date, .

How do you make your favourite scanner scan extensionless files?
(Oh, sorry -- you don't understand why you might want to do that?
Remember the Word example above?  I said "any unregistered extension"
which means *any including none*.  If you think that's silly, try 
answering for yourself "What file extension will Word documents sent 
to us by a typical Macintosh user have?") Fortunately for you, most 
scanner developers have decided the best way to handle this is to 
prevent you having to consider it and they scan all extensionless 
files regardless of any settings anywhere in the program.

> ... which is quite a tedious task to
> do.  ...

So set "all files" and stop worrying...

> ...  I saw recently NAI implemented an option in their Virusscan
> product, where you can opt for scanning all files which the scanning
> engine can handle at all. You don't have to specify extensions, as the
> product will handle the list automatically. I think this is the right
> solution (for the desktop protection, scanning gateways or groupware
> servers is a different question of course).

This is a better approach, but if it does not work by checking the 
contents of each file (i.e. if it is not "smart file typing" 
technology) then it is not good enough.


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
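The point argued in the thread above, that a scanner selecting files by their extension misses what the operating system will happily open by content, can be shown in a few lines. The following is an added example and not code from the original message or from any scanner vendor. It compares an extension-based scan policy with content-based ("smart file typing") selection over a set of constructed sample files. The magic-number table, the extension list and the sample files are all assumptions made for illustration; the header bytes for OLE2 compound documents, PE, ZIP, GIF and ELF are the well-known ones, but the table is a tiny subset of what a real scanner knows.

```python
"""Content-based ("smart") file typing versus extension-based scan selection.

Added illustration, not code from the original post. The magic-number
table, the extension policy and the sample "files" are constructed and
cover only a handful of formats.
"""
from typing import Optional

# A few well-known leading byte sequences ("magic numbers").
# Assumption: a deliberately tiny subset, not a complete type database.
MAGIC = [
    # OLE2 compound document: the container used by Word 6/95/97-2003 .doc
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", "ole2"),
    (b"MZ", "pe"),           # DOS/Windows executable header
    (b"PK\x03\x04", "zip"),  # ZIP archive (also used by OOXML, JAR, ...)
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\x7fELF", "elf"),
]

# Extension list a "scan files of executable type" policy might carry.
SCAN_EXTENSIONS = {"exe", "dll", "com", "doc", "dot", "xls", "vbs", "zip"}

# Content types that can carry native code or macros and so need scanning.
SCAN_CONTENT_TYPES = {"ole2", "pe", "zip", "elf"}


def type_by_extension(name: str) -> Optional[str]:
    """Return the lowercase extension, or None for extensionless names."""
    base = name.rsplit("/", 1)[-1]
    if "." not in base or base.endswith("."):
        return None
    return base.rsplit(".", 1)[1].lower()


def type_by_content(data: bytes) -> str:
    """Identify a file by its leading bytes, ignoring its name entirely."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def scan_by_extension(name: str) -> bool:
    """Extension-based policy: scan only names whose extension is listed."""
    ext = type_by_extension(name)
    return ext is not None and ext in SCAN_EXTENSIONS


def scan_by_content(data: bytes) -> bool:
    """Content-based policy: scan whatever the bytes say the file really is."""
    return type_by_content(data) in SCAN_CONTENT_TYPES


# Constructed sample "files": (name, leading bytes). Bodies are padding.
OLE2_DOC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 24
SAMPLES = [
    ("report.doc", OLE2_DOC),                 # ordinary Word document
    ("holiday.gif", OLE2_DOC),                # Word document renamed to .gif
    ("README", OLE2_DOC),                     # Word document, no extension
    ("photo.gif", b"GIF89a" + b"\x00" * 26),  # genuine GIF image
    ("setup.exe", b"MZ" + b"\x90" * 30),      # PE executable
    ("notes.txt", b"just some text\n"),       # plain text
]


def missed_by_extension_policy(samples):
    """Names that content typing says need scanning but the extension policy skips."""
    return [name for name, data in samples
            if scan_by_content(data) and not scan_by_extension(name)]


if __name__ == "__main__":
    for name, data in SAMPLES:
        print(f"{name:12} ext={str(type_by_extension(name)):5} "
              f"content={type_by_content(data):8} "
              f"ext-policy={'scan' if scan_by_extension(name) else 'skip'}  "
              f"content-policy={'scan' if scan_by_content(data) else 'skip'}")
    print("missed by extension policy:", missed_by_extension_policy(SAMPLES))
```

Running it lists the two renamed documents (`holiday.gif` and the extensionless `README`) as files the extension policy skips while content typing flags them. Note also that the content policy does not waste a scan on `photo.gif`: once the bytes identify the file as a GIF, no code-bearing format applies, which is the same reason a content-typing scanner pays little extra for "scan all files".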
