JPINSON@uga.cc.uga.edu (Jim Pinson) (03/16/91)
I know some of the virus scanners will look within executable files that have been compressed with LZEXE. I believe they scan both before and after expansion.

Lately I have been using PKLITE to compress executables, and wonder if any Virus scanners are capable of looking within the compressed files.

Does anyone have any info on the subject?

Thanks.

Jim Pinson
University of Georgia
mrs@netcom.COM (Morgan Schweers) (03/21/91)
JPINSON@uga.cc.uga.edu (Jim Pinson) writes:
>I know some of the virus scanners will look within executable files
>that have been compressed with LZEXE. I believe they scan both before
>and after expansion.

Specifically we decompress partially in memory and check for the virus in the decompressed code as well as doing a standard check on the outside of the file.

>Lately I have been using PKLITE to compress executables, and wonder if
>any Virus scanners are capable of looking within the compressed files.
>
>Does anyone have any info on the subject?
>
>Thanks.
>
>Jim Pinson University of Georgia

Greetings,

I've spent a long amount of time attempting to provide PKLITE protection, but the method used for compression makes it difficult. I've attempted to talk to Phil Katz about the problem, but I've met a stonewall. I don't have enough knowledge of compression techniques to be able to decompress the code at any reasonable rate of speed.

For right now, the only thing I can suggest is to PKLITE -X the files, scan them, and re-PKLITE them. This is, IMHO, a serious security problem. I will point out that the author of LZEXE was quite willing to work with us when the problem was pointed out. I'm sure Mr. Katz would also be, if he considered it a problem.

As a general policy, do you think that it would be better to warn users that a file is PKLITE'ed and unscannable or to simply ignore it?

Another problem is that PKWare is planning on coming out with a 'professional' version of the program which includes an encryption portion that can not be -X'ed.

-- Morgan Schweers
+-------
All opinions stated herein are the author's only. So there. Neh! I *AM* mrs@netcom.com and ms@albert.ai.mit.edu. One or the other *WILL* reach me. Enjoy!
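
[Added example, not part of any post in this thread and not code from any scanner named here.] The two-pass check described above (outside of the file, then the decompressed code) with a third verdict for a packed file the scanner cannot open, so that it is never reported as clean. The header markers and offsets, the signature, and the use of zlib as a stand-in decompressor are assumptions made for the example.

```python
import zlib

# Header markers for DOS MZ files (editor's assumption, not from the thread):
# LZEXE stamps "LZ09"/"LZ91" at 0x1C, PKLITE puts "PKLITE Copr." at 0x1E.
PACKER_MARKERS = {
    "LZEXE": [(0x1C, b"LZ09"), (0x1C, b"LZ91")],
    "PKLITE": [(0x1E, b"PKLITE Copr.")],
}

def identify_packer(image):
    """Return the packer name if an MZ image carries a known marker."""
    if image[:2] != b"MZ":
        return None
    for name, markers in PACKER_MARKERS.items():
        if any(image[off:off + len(tag)] == tag for off, tag in markers):
            return name
    return None

def scan(image, signatures, unpackers):
    """Return ('infected', name), ('clean', None) or ('unscannable', packer)."""
    def hit(data):
        return next((n for n, s in signatures.items() if s in data), None)
    found = hit(image)                  # standard check on the outside
    if found:
        return ("infected", found)
    packer = identify_packer(image)
    if packer is None:
        return ("clean", None)
    unpack = unpackers.get(packer)
    if unpack is None:                  # cannot look inside: report it
        return ("unscannable", packer)
    try:
        inner = unpack(image)
    except Exception:                   # damaged or altered packed body
        return ("unscannable", packer)
    found = hit(inner)                  # check on the decompressed code
    return ("infected", found) if found else ("clean", None)

# ---- constructed sample data (nothing here is a real signature or packer) ----
SIGS = {"DEMO-SIG": b"\xde\xad\xbe\xef-demo-signature"}
HEADER_LEN = 0x32

def make_image(marker_off, marker, body):
    """Fake packed EXE: MZ header area with a marker, then a zlib-packed body."""
    head = bytearray(b"MZ" + bytes(HEADER_LEN - 2))
    head[marker_off:marker_off + len(marker)] = marker
    return bytes(head) + zlib.compress(body)
# zlib stands in for a decompressor the scanner actually implements.
UNPACKERS = {"LZEXE": lambda img: zlib.decompress(img[HEADER_LEN:])}
```
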
75300.730@CompuServe.COM (PKWARE Inc.) (03/22/91)
McAfee's scan program will support PKLITE'd files in the future.

Doug
--
Douglas Hay
PKWARE Inc.
75300.730@CompuServe.COM
p1@arkham.wimsey.bc.ca (Rob Slade) (03/23/91)
JPINSON@uga.cc.uga.edu (Jim Pinson) writes:
> Lately I have been using PKLITE to compress executables, and wonder if
> any Virus scanners are capable of looking within the compressed files.

None of the products I have received so far will "scan" into files compressed with other than LZEXE.

I have seen some "front end" utilities which will "use" SCAN and PKUNZIP (if you have them in your "path") to scan .ZIP files.

=============
Vancouver      p1@arkham.wimsey.bc.ca   | You realize, of
Institute for  Robert_Slade@mtsg.sfu.ca | course, that these
Research into  (SUZY) INtegrity         | new facts do not
User           Canada V7K 2G6           | coincide with my
Security                                | preconceived ideas
p1@arkham.wimsey.bc.ca (Rob Slade) (03/23/91)
mrs@netcom.COM (Morgan Schweers) writes:
> As a general policy, do you think that it would be better to warn
> users that a file is PKLITE'ed and unscannable or to simply ignore it?
> Another problem is that PKWare is planning on coming out with a
> 'professional' version of the program which includes an encryption
> portion that can not be -X'ed.

In INtegrity, I have been asked many times to make all files "self-extracting". I have consistently refused on the grounds that self-extracting files are an undesirable and unnecessary security risk.

=============
Vancouver      p1@arkham.wimsey.bc.ca   | You realize, of
Institute for  Robert_Slade@mtsg.sfu.ca | course, that these
Research into  (SUZY) INtegrity         | new facts do not
User           Canada V7K 2G6           | coincide with my
Security                                | preconceived ideas
c-rossgr@uunet.uu.net (04/09/91)
>Date: Fri, 15 Mar 91 16:12:59 -0500
>From: Jim Pinson <JPINSON@uga.cc.uga.edu>
>
>I know some of the virus scanners will look within executable files
>that have been compressed with LZEXE. I believe they scan both before
>and after expansion.
>
>Lately I have been using PKLITE to compress executables, and wonder if
>any Virus scanners are capable of looking within the compressed files.
>
>Does anyone have any info on the subject?

Jim, by the time you read this the next demo version of the Virex-PC scanner should be available. Virex-PC now handles PKLITE compressed files as well as LZEXE compressed files. Next step: LH compressed and .ZIP files.

I should have responded to this earlier, but I've been in "one-last-bug" mode for the last month. The demo gets released today -- just writing the final cut of the docs for it.

The old one handled 150 strings, this one handles 350. The old one was faster, so's this one. Grab a copy, and lemme know what you think?

Oh! I convinced The Powers That Be at Microcom to let me release monthly (or near monthly) updates of the free scanner. Stay tuned!

Ross M. Greenberg
Author, Virex-PC & FLU_SHOT+