Network Security Focus-Virus
Subject: Re: Do we still need scheduled scan?
Date: Thu, 12 Jan 2006 13:16:59 -0500
Shaffer, Bruce wrote:

> It sounds like a good idea to scan every file, but why would you want to scan things like TXT files or proprietary file formats that do not execute? It's kind of like hunting for elephants at the North Pole.



I just wanted to respond to this point. This is, generally speaking, very good advice. It's advice that I've been giving for years until recently.

The problem with it is a discordance between the way that AV filters standard files and the way that MS Windows executes them. Most AVs filter on the extension, whereas filtering based on the file header would be a better method of doing the scanning.

Take the WMF file exploit, for instance. WMF files are scanned for in the default file list, at least with my copy of McAfee. However, .jpg and .gif files are not. Here our problem begins to show itself. The AV will bypass the file thinking that it's a "safe" file that can't be infected, when in fact IE will use the header to determine that the file is a WMF file and execute it that way.

Until recently, I haven't seen VXers using this kind of bypass but I'm noticing it more these days. As such, I have to suggest that people use the less efficient "scan all files" method.

It's "hard" to place blame on this one. In a big way it's Microsoft's fault. A WMF file mislabeled is malformed input and should be rejected. At the same time, it's up to the AV company to work around architectural issues and create solutions that work with the infrastructure they're charged with protecting.

            -Barry
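The extension-versus-header gap described in the message above, as an added example that is not part of the original post and is not the code of any AV product: a small Python classifier labels sample files once by extension and once by their leading bytes, then reports which files an extension-keyed scan list would skip but a header-aware policy would scan. The magic values are the published signatures for GIF, JPEG and Windows Metafile (placeable and standard); the scan list, the file names and their contents are constructed for illustration only.

```python
"""Extension-based vs. header-based scan decisions (added example).

Sample files and the extension scan list are constructed; the signatures
are the published leading bytes for GIF, JPEG and Windows Metafile.
"""
from __future__ import annotations

import os

# First bytes on disk for the formats the message mentions.
# Placeable WMF: key 0x9AC6CDD7 stored little-endian.
# Standard WMF: FileType=1 (disk), HeaderSize=9 words, then Version.
SIGNATURES: list[tuple[bytes, str]] = [
    (b"\xd7\xcd\xc6\x9a", "wmf"),
    (b"\x01\x00\x09\x00", "wmf"),
    (b"\xff\xd8\xff", "jpg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
]

# Hypothetical extension-keyed "default file list": stands in for the kind
# of list the message describes, not any particular product's real list.
DEFAULT_SCAN_EXTENSIONS = {"exe", "dll", "com", "scr", "pif", "wmf"}


def type_from_extension(name: str) -> str | None:
    """What an extension-keyed filter believes the file is."""
    ext = os.path.splitext(name)[1].lstrip(".").lower()
    return ext or None


def type_from_header(data: bytes) -> str | None:
    """What the leading bytes say the file is; None if unrecognised."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return None


def scan_by_extension(name: str, data: bytes) -> bool:
    """Extension-only policy: the contents are never consulted."""
    return type_from_extension(name) in DEFAULT_SCAN_EXTENSIONS


def scan_by_header(name: str, data: bytes) -> bool:
    """Header-first policy: trust the bytes, fall back to the extension
    only for files whose header is not recognised."""
    kind = type_from_header(data)
    if kind is None:
        kind = type_from_extension(name)
    return kind in DEFAULT_SCAN_EXTENSIONS


def classify(name: str, data: bytes) -> dict:
    """Side-by-side view of what each policy sees for one file."""
    ext_type = type_from_extension(name)
    hdr_type = type_from_header(data)
    return {
        "name": name,
        "extension_says": ext_type,
        "header_says": hdr_type,
        "mismatch": hdr_type is not None and hdr_type != ext_type,
        "scanned_by_extension": scan_by_extension(name, data),
        "scanned_by_header": scan_by_header(name, data),
    }


# Constructed sample files (headers only, zero-padded); no real malware here.
SAMPLES: dict[str, bytes] = {
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,
    "logo.gif": b"GIF89a" + b"\x00" * 12,
    "chart.wmf": b"\x01\x00\x09\x00\x00\x03" + b"\x00" * 12,
    "notes.txt": b"meeting notes\n",
    # The case from the message: metafile bytes behind a "safe" picture name.
    "holiday.jpg": b"\xd7\xcd\xc6\x9a" + b"\x00" * 18,
}


def missed_by_extension_policy(samples: dict[str, bytes] = SAMPLES) -> list[str]:
    """Files the header-aware policy scans but the extension-only policy
    skips: exactly the gap the message describes."""
    return sorted(
        n for n, d in samples.items()
        if scan_by_header(n, d) and not scan_by_extension(n, d)
    )


if __name__ == "__main__":
    for n, d in SAMPLES.items():
        print(classify(n, d))
    print("skipped by extension-only scanning:", missed_by_extension_policy())
```

Running it lists every sample with both verdicts; only holiday.jpg, whose bytes are a placeable metafile, is scanned under the header-first policy and skipped under the extension-only one. The notes.txt case shows the fallback: with no recognised header the policy defers to the extension, so plain text is still left alone and "scan all files" is not required to close the gap.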

