List: focus-virus
Subject: Re: Scanning file extensions or all files
From: "Nick FitzGerald" <nick () virus-l ! demon ! co ! uk>
Date: 2001-07-31 22:19:38
Bognar Norbert <nbognar@icon.hu> replied to me:
> N> How long is it since I told everyone they should be scanning all
> N> files and *not* depending on the archaic and fundamentally flawed
> N> "files of 'executable' type as determined from the filename
> N> extension" method??
>
> I wouldn't call it flawed, ...
You are, of course, welcome to your flawed opinion, but it is a flaw
and has been for as long as there have been other "normal" ways to
launch code (be it binary executable, document macros or whatever)
that does not depend on the usual (for the Windows environment)
methods that are associated with "normal" extension-based file
typing.
> ... as the scanning engines are not able to
> scan all file types anyway. ...
So?
> ... If you read a whatsnew file of a new
> scanning engine release from any vendor, you can usually see some
> notes like "improved the scanning of VBS files and added detection for
> SBF files" for example. ...
So?
> ... Of course you can scan all files, but to no
> avail as let's say a gif file won't be scanned anyway, it won't
> contain malware ...
You really did miss the bus on this whole issue, didn't you?
On a Windows machine with Microsoft Office (at least any version
since Word v6.0 -- I've not tested with earlier versions but suspect
it works all the way back to WinWord v1.0) rename a DOC file so it
has any unregistered extension (including no extension).
Double-click it. What happens? It opens in Word. Remember that
versions of Word prior to v7.0c (Word 95 revision c) opened Word
documents with macros without any warning about the presence of the
macros? Since then there have been all manner of "tricks" to fool
the unwary or insufficiently suspicious into "running" some code when
it appeared they would not be. Many, many of these have involved
"mis-naming" files of known types because the "attacker" knew that
the OS (or more correctly, Explorer) would see past the naming
subterfuge and act on the file by its real type as determined by its
contents.
If you depend on your scanner *not* doing what the OS is doing, your
scanner *will* miss stuff it should be able to catch. However, to
catch that stuff, it has to look at all the files your OS will look
at which is -- ta da... -- *all files*.
> ... and scanning all files all the time will be a great
> performance hit ...
It also appears you don't understand how such scanning works. Modern
virus scanning is *not* a dumb grunt scan of a file from beginning to
end looking for strings of characters that are deemed indicative of
the presence of a virus. If it was, believe me, *no-one* would use a
virus scanner! Competent scanners look at the file's contents, work
out what kind(s) of file it could be then scan it in ways appropriate
to those types. That is why setting "scan all files" does not add a
terrible overhead to competent scanners. That is why I recommend you
do it. If your chosen scanner grinds to a halt because of this then
consider another scanner.
> ... (which usually means users switching off the
> realtime protection or complaining about slowdowns). ...
If your users can turn off the realtime component of your virus
scanner then you have much bigger problems than that you have chosen
to base your virus "defense" mechanism on scanning, which has
always been a poor technological choice for that purpose.
> ... Of course this means your
> extension list must be up to date, ...
How do you make your favourite scanner scan extensionless files?
(Oh, sorry -- you don't understand why you might want to do that?
Remember the Word example above? I said "any unregistered extension"
which means *any including none*. If you think that's silly, try
answering for yourself "What file extension will Word documents sent
to us by a typical Macintosh user have?") Fortunately for you, most
scanner developers have decided the best way to handle this is to
prevent you having to consider it and they scan all extensionless
files regardless of any settings anywhere in the program.
> ... which is quite a tedious task to
> do. ...
So set "all files" and stop worrying...
> ... I saw recently NAI implemented an option in their Virusscan
> product, where you can opt for scanning all files which the scanning
> engine can handle at all. You don't have to specify extensions, as the
> product will handle the list automatically. I think this is the right
> solution (for the desktop protection, scanning gateways or groupware
> servers is a different question of course).
This is a better approach, but if it does not work by checking the
contents of each file (i.e. if it is not "smart file typing"
technology) then it is not good enough.
--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
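The gap the post describes, extension-based scan selection versus "smart file typing" by content, as an added illustration (not part of the original message or any vendor's product). The byte strings are constructed samples carrying only the leading signature of each real format, the extension list and the routine names are assumptions standing in for a scanner's own, and the whole thing runs offline:

```python
"""Extension-based vs content-based ("smart file typing") scan selection.

Added illustration; the byte strings below are constructed samples that
carry only the leading signature of each real format, not real files.
"""

# Leading signatures of a few formats. The OLE2 compound-document header is
# what Word 6/95/97 .DOC files (and the macro storage inside them) start with.
MAGIC = (
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2-document"),
    (b"MZ", "pe-executable"),
    (b"PK\x03\x04", "zip-archive"),
    (b"GIF87a", "gif-image"),
    (b"GIF89a", "gif-image"),
)

# Type-specific routine a competent scanner would run per content type
# (assumed names; the point is that an image gets a cheap exit, not a deep scan).
ROUTINE = {
    "ole2-document": "ole2-macro-scan",
    "pe-executable": "pe-scan",
    "zip-archive": "archive-recurse",
    "gif-image": "skip-image",
    "unknown": "generic-scan",
}

# An "executable extensions" list of the kind an extension policy relies on.
SCAN_EXTENSIONS = {"exe", "com", "dll", "doc", "dot", "xls", "vbs", "zip"}


def extension_of(filename):
    """Extension as the extension policy sees it; None when there is none."""
    name = filename.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[1].lower() if "." in name else None


def content_type(data):
    """Type the file by its leading bytes, ignoring the name entirely."""
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind
    return "unknown"


def scan_decision(filename, data, policy):
    """Return (scanned, routine) for one file under the given policy.

    'extension': look only at names whose extension is on SCAN_EXTENSIONS.
    'content':   look at every file and pick the routine from its bytes.
    """
    if policy == "extension" and extension_of(filename) not in SCAN_EXTENSIONS:
        return (False, None)
    return (True, ROUTINE[content_type(data)])


# Constructed samples: the same Word header under three names, plus controls.
OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24
SAMPLES = {
    "budget.doc": OLE2,                    # Word document, honestly named
    "budget.gif": OLE2,                    # same document, renamed as an image
    "budget": OLE2,                        # same document, no extension at all
    "logo.gif": b"GIF89a" + b"\x00" * 10,  # a real image header
    "setup.exe": b"MZ" + b"\x90" * 30,     # start of a PE executable
}


def compare_policies(samples=SAMPLES):
    """Map each name to {policy: (scanned, routine)} for both policies."""
    return {
        name: {p: scan_decision(name, data, p) for p in ("extension", "content")}
        for name, data in samples.items()
    }


def missed_by_extension_policy(samples=SAMPLES):
    """Files the content policy sends to a code-capable routine but the
    extension policy never opens: exactly the renamed/extensionless cases."""
    missed = []
    for name, data in samples.items():
        ext_scanned, _ = scan_decision(name, data, "extension")
        _, routine = scan_decision(name, data, "content")
        if not ext_scanned and routine != "skip-image":
            missed.append(name)
    return sorted(missed)


if __name__ == "__main__":
    for name, result in compare_policies().items():
        print(f"{name:12s} extension={result['extension']} content={result['content']}")
    print("missed by extension policy:", missed_by_extension_policy())
```

Running it shows the two mis-named copies of the document skipped outright under the extension policy while the content policy routes all three to the same macro-capable routine, and the genuine GIF costs only a signature check under "scan all files".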