ZIP bomb vulnerability!?

Discussion in 'NOD32 version 2 Forum' started by obetz, Jan 31, 2007.

Thread Status:
Not open for further replies.
  1. obetz

    obetz Registered Member

    Joined:
    Jan 31, 2007
    Posts:
    9
    Hello All,

    It seems that NOD32 tries to decompress every file in an archive bomb.

    I can't believe this - anything I'm missing or is it true?

    Oliver
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    NOD32 detects some archive bombs by a signature; it's impossible to detect them all somehow generically.
     
  3. obetz

    obetz Registered Member

    Joined:
    Jan 31, 2007
    Posts:
    9
    There are several possibilities to detect them, that's not rocket science.

    You can set several limits after which the scanner aborts:

    - execution time
    - nesting depth (that's what F-Prot implemented after my niggling)
    - total number of archives in the file

    And report the file as suspicious.

    I can recognize an archive bomb if I see it, and so should a virus scanner.

    Oliver
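
The three limits listed in the post above (execution time, nesting depth, total number of archives), sketched as an added example that is not part of the original thread and not NOD32 or F-Prot code. The names `scan_zip` and `make_nested`, the default limit values, and the extra per-member read cap are assumptions; the sample archives are constructed and tiny.

```python
import io
import time
import zipfile

def scan_zip(data, max_depth=5, max_archives=100, max_seconds=2.0,
             max_member_bytes=10_000_000):
    """Walk nested ZIPs; return ("clean" | "suspicious", reason)."""
    deadline = time.monotonic() + max_seconds
    seen = 0                        # total archives opened so far
    stack = [(data, 1)]             # (archive bytes, nesting depth)
    while stack:
        blob, depth = stack.pop()
        if depth > max_depth:
            return "suspicious", "nesting depth limit exceeded"
        seen += 1
        if seen > max_archives:
            return "suspicious", "archive count limit exceeded"
        try:
            zf = zipfile.ZipFile(io.BytesIO(blob))
        except zipfile.BadZipFile:
            return "suspicious", "malformed archive"
        with zf:
            for info in zf.infolist():
                if time.monotonic() > deadline:
                    return "suspicious", "time budget exceeded"
                with zf.open(info) as member:
                    # Read at most cap + 1 bytes so a huge member cannot
                    # exhaust memory, whatever size the header claims.
                    body = member.read(max_member_bytes + 1)
                if len(body) > max_member_bytes:
                    return "suspicious", "member size limit exceeded"
                if body[:4] == b"PK\x03\x04":   # nested ZIP local file header
                    stack.append((body, depth + 1))
                # A real scanner would hand `body` to its signature engine here.
    return "clean", "all limits respected"

def make_nested(levels, fanout=1):
    """Constructed sample: a ZIP holding `fanout` copies of a ZIP, `levels` deep."""
    blob = b"constructed payload"
    for _ in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for i in range(fanout):
                zf.writestr(f"inner{i}.bin", blob)
        blob = buf.getvalue()
    return blob
```

The scan stops at the first limit it hits and reports the file as suspicious instead of continuing to decompress.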
     