Extensions...which to scan on access?

Discussion in 'other security issues & news' started by QBgreen, Feb 21, 2005.

Thread Status:
Not open for further replies.
  1. QBgreen

    QBgreen Registered Member

    Joined:
    Jan 1, 2005
    Posts:
    627
    Location:
    Queens County, NY
    It appears that many if not most A/V firms suggest that all file extensions be scanned to ensure thorough security. While I agree that this makes sense for an on demand scan, many products (F-Secure comes to mind) can noticeably slow down even a relatively powerful machine if all extensions are scanned on access. So, this leads me to ask if anyone has what they feel is a proper list of extensions that should be used for on access scanning.
     
  2. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
  3. Alec

    Alec Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    355
    Location:
    Dallas, TX
    I'm using the ones supplied by default by NOD32, plus any of the additional ones noted on the link provided by Meneer (thanks!). Here is the list I have so far:
    Code:
    ade          dll          ksh          ov?          swf
    adp          doc          lnk          pcd          sys
    app          dot          md?          pdf          the
    asp          elf          mdb          php          theme
    bas          eml          mde          pif          url
    bat          exe          mdt          pot          vb
    cgi          fxp          mdw          pp?          vbe
    chm          hlp          mpp          prc          vbs
    cla          hta          mpt          prg          vsd
    class        htm          msc          reg          vxd
    cmd          html         msi          rtf          wsc
    com          htt          mso          scr          wsf
    cpl          inf          msp          sct          wsh
    crt          ini          mst          sh           xl?
    csc          ins          nws          shb          {*
    csh          js           ocx          shs
    css          jse          ops          src
    I hope the table doesn't wrap improperly... :doubt:
     
  4. Jimbob1989

    Jimbob1989 Registered Member

    Joined:
    Oct 18, 2004
    Posts:
    2,529
    I'm scanning everything. If people begin to only protect against certain files, virus creators will only try and make the viruses in a different format.

    Jimbob
     
  5. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    He's right guys. I've seen extensionless infected files and files which come in filetypes which are ignored by my eScan by default (CAB, JAR, LHA etc.)
     
  6. Alec

    Alec Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    355
    Location:
    Dallas, TX
    Part of me definitely agrees, but part of me disagrees as well. I can see both sides.

    Really the virus writers aren't in control of this situation, they have to take advantage of whatever paths of execution exist on the machine. That is, the OS itself or some application has to either load the executable or parse the executable scripts or macros. So really there is only a finite number of avenues of execution on a machine at any given time. It's not like virus writers can just call their creation *.xyz and get it to infect your machine (not, that is, unless they can get you to rename it to some other extension that will be executed).

    The problem, though, is that you never know when Microsoft or some 3rd party developer might add macro parsing or script parsing to their application which can then be used maliciously. And, so, keeping up with all of these newly created avenues of execution is a daunting task. A task most people will not wish to pursue, and probably rightly so. I definitely respect the decision to just scan everything as a result.

    However, I'm willing to take the calculated risk and just scan the above extensions on a resident basis and reserve the "everything" scan for my on-demand scanning. That way, my resident scanner won't scan things like .wma, .mp3, or .m4a. I don't want it trying to scan my music files, it will just slow down Media Player and iTunes. Now, if iTunes ever tries to incorporate some whacky script execution scheme in their file formats... I'm screwed. ;)

    [Edit: As far as the archives, to the best of my knowledge, they always have to be unpacked before anything could execute as result. So the resident scanner should always pick up whenever cab, zip, rar, etc. has malware that you are about to execute. Now, if you just download the archive and store it on your drive for future access, definitely some malware could be hiding in there... but I will catch that later during my exhaustive, all-options-set on-demand scans. That's just the way I do things. But I respect doing it the other way as well if you are willing to live with the slightly extra overhead.]
     
Loading...
Thread Status:
Not open for further replies.