From: Dustin Cook on
http://www.itworld.com/security/90249/ignore-microsoft-check-everything?source=peer2peerpromo


--
"Is there anything in Guul Draz that doesn't suck the life out of you?"
- Tarsa, Sea Gate sell-sword.

From: FromTheRafters on
"Dustin Cook" <bughunter.dustin(a)gmail.com> wrote in message
news:Xns9D02121AB16ACHHI2948AJD832(a)69.16.185.250...
> http://www.itworld.com/security/90249/ignore-microsoft-check-everything?source=peer2peerpromo

It's another case of terminology problems I think.

If the filetype is non-executable - it *cannot* be infected so there is
no need to scan it for *viruses*.

....now if you define virus more widely (to include worms) infection has
little to do with it and non-executable files should be scanned - binary
data in the registry even becomes a hiding place for code. You might as
well include trojans in the mix, because replication is irrelevant to
whether or not a file should be scanned by an antimalware application.

Now the question is if you trust Microsoft to know which filetypes (of
their own creation) are executable and which are not (remembering WMF).


From: Ant on
"FromTheRafters" wrote:

> Now the question is if you trust Microsoft to know which filetypes (of
> their own creation) are executable and which are not (remembering WMF).

Yes, indeed but such files are not "executables" in the way that exe
and dll files are. However, it's wise to check these other types, not
for "viruses", but for malformed headers, abnormal structure, etc.
which might indicate the presence of an exploit.

Also, you can't rely on file extensions to determine the type. A file
named "runme.txt", for example, will not be opened by notepad if it's
really an executable (with an 'MZ' and 'PE' header) and the full name
is typed at a command prompt. It will be run the same way as any
conventionally named exe file.

This means that all files should be opened and read by a scanner,
regardless of extension, in order to check their format even if no
further scanning is done on a particular file.
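
[Added example, not part of Ant's post or of any scanner named in the thread: a minimal content-based check of the kind the post above describes. It reads the 'MZ' and 'PE' headers and compares the result with the file's extension. The extension list, function names and result labels are assumptions made for the illustration.]

```python
import os
import struct

# Extensions conventionally used for PE images (assumed list for this example).
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl"}


def is_pe(data: bytes) -> bool:
    """True if data starts with 'MZ' and e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    # e_lfanew (offset 0x3C of the DOS header) locates the PE signature.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # The offset comes from the file itself, so bounds-check it before use.
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def classify(name: str, data: bytes) -> str:
    """Classify by content first, then compare with the extension."""
    ext = os.path.splitext(name)[1].lower()
    if is_pe(data):
        return "pe" if ext in PE_EXTENSIONS else "pe-mismatch"
    if data[:2] == b"MZ":
        # 'MZ' without a valid PE signature: DOS program, truncated or
        # malformed header. Abnormal structure worth a closer look.
        return "mz-no-pe"
    return "not-pe"


def make_sample_pe() -> bytes:
    """Constructed sample: bare DOS header plus PE signature, not a real program."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    return bytes(hdr) + b"PE\0\0" + bytes(20)


if __name__ == "__main__":
    sample = make_sample_pe()
    for name, data in [("runme.txt", sample), ("tool.exe", sample),
                       ("notes.txt", b"plain text"), ("cut.exe", sample[:0x60])]:
        print(f"{name:10} -> {classify(name, data)}")
```
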


From: FromTheRafters on

"Ant" <not(a)home.today> wrote in message
news:ceWdnY7D0pbz08_WnZ2dnUVZ7sydnZ2d(a)brightview.co.uk...
> "FromTheRafters" wrote:
>
>> Now the question is if you trust Microsoft to know which filetypes (of
>> their own creation) are executable and which are not (remembering WMF).
>
> Yes, indeed but such files are not "executables" in the way that exe
> and dll files are.

The WMF filetype example was designed to be, but many assumed it was
not.

> However, it's wise to check these other types, not
> for "viruses", but for malformed headers, abnormal structure, etc.
> which might indicate the presence of an exploit.

The 'list' referred to (and linked to) on that site suggested that these
files were not "infectable" by "viruses" and you need not scan them for
"viruses". They didn't make it clear that other kinds of malware
scanning software may have a need to scan them.

Unfortunately, there is the possibility that those experts use the term
"viruses" to mean malware - in which case it would be wrong to exclude
any filetypes.

> Also, you can't rely on file extensions to determine the type.

That was mentioned on the MS page ISTR.

> A file
> named "runme.txt", for example, will not be opened by notepad if it's
> really an executable (with an 'MZ' and 'PE' header) and the full name
> is typed at a command prompt. It will be run the same way as any
> conventionally named exe file.

Certain extensions have special meanings to the OS (or associations set
in the registry), but the actual format is what they refer to.

> This means that all files should be opened and read by a scanner,
> regardless of extension, in order to check their format even if no
> further scanning is done on a particular file.

Malware scanners, yes.

The idea that certain filetypes and/or directories can be safely
excluded from malware scanning is too 'brain-dead' an idea even for
Microsoft.

....isn't it..?

Viruses, on the other hand, cannot infect non-executables, so
non-executable filetypes need not be searched for them.


From: David H. Lipman on
From: "FromTheRafters" <erratic(a)nomail.afraid.org>


< snip >

| Viruses, on the other hand, cannot infect non-executables, so
| non-executable filetypes need not be searched for them.

No, but they can be hidden or contained within through such techniques as steganography.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp