ZIP bomb vulnerability!?

Discussion in 'NOD32 version 2 Forum' started by obetz, Jan 31, 2007.

Thread Status:
Not open for further replies.
  1. obetz (Registered Member; joined Jan 31, 2007; 9 posts)

    Hello All,

    it seems that NOD32 tries to decompress every file in an archive bomb.

    I can't believe this - anything I'm missing or is it true?

    Oliver
     
  2. Marcos (Eset Staff Account; joined Nov 22, 2002; 14,456 posts)

    NOD32 detects some archive bombs by a signature; it's impossible to detect them all somehow generically.
     
  3. obetz (Registered Member; joined Jan 31, 2007; 9 posts)

    There are several possibilities to detect them, that's not rocket science.

    You can set several limits after which the scanner aborts:

    - execution time
    - nesting depth (that's what F-Prot implemented after my niggling)
    - total number of archives in the file

    And report the file as suspicious.

    I can recognize an archive bomb if I see it, and so should a virus scanner.

    Oliver
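
The three limits listed in the post above (execution time, nesting depth, total number of archives), applied to nested ZIP files. This is an added example, not part of the original thread and not code from NOD32 or F-Prot; the function names, default limit values and sample archives are assumptions constructed for illustration.

```python
import io
import time
import zipfile

class LimitExceeded(Exception):
    """A scan limit was hit; the caller reports the file as suspicious."""

def scan_archive(data, max_depth=5, max_archives=100, max_seconds=2.0):
    """Walk nested ZIPs in `data` under three limits; return (verdict, reason)."""
    deadline = time.monotonic() + max_seconds
    seen = 0  # total archives opened so far, across all nesting levels

    def walk(blob, depth):
        nonlocal seen
        if depth > max_depth:
            raise LimitExceeded("nesting depth > %d" % max_depth)
        seen += 1
        if seen > max_archives:
            raise LimitExceeded("archive count > %d" % max_archives)
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                if time.monotonic() > deadline:
                    raise LimitExceeded("execution time > %ss" % max_seconds)
                # Not capped here: the decompressed size of a single member.
                member = zf.read(info)
                if zipfile.is_zipfile(io.BytesIO(member)):
                    walk(member, depth + 1)
                # A real scanner would hand non-archive members to its engine.

    try:
        walk(data, 1)
    except LimitExceeded as exc:
        return ("suspicious", str(exc))
    return ("clean", "%d archive(s) scanned" % seen)

def make_zip(members):
    """Constructed sample input: an in-memory ZIP built from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()

def make_nested(levels):
    """Constructed sample input: `levels` ZIPs wrapped one inside another."""
    blob = make_zip({"readme.txt": b"harmless"})
    for i in range(levels - 1):
        blob = make_zip({"layer%d.zip" % i: blob})
    return blob
```

Because the scan stops at the first limit it hits and returns a "suspicious" verdict, the work done on any one file is bounded by the limits rather than by the archive's contents.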
     