Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!pacific.mps.ohio-state.edu!linac!att!news.cs.indiana.edu!cs.widener.edu!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: mrs@netcom.COM (Morgan Schweers)
Newsgroups: comp.virus
Subject: Re: PKLITE and hidden virus (PC)
Message-ID: <0011.9103211827.AA22577@ubu.cert.sei.cmu.edu>
Date: 20 Mar 91 18:30:32 GMT
Sender: Virus Discussion List
Lines: 46
Approved: krvw@sei.cmu.edu

JPINSON@uga.cc.uga.edu (Jim Pinson) writes:
>I know some of the virus scanners will look within executable files
>that have been compressed with LZEXE. I believe they scan both before
>and after expansion.

Specifically, we decompress partially in memory and check for the virus
in the decompressed code as well as doing a standard check on the
outside of the file.

>Lately I have been using PKLITE to compress executables, and wonder if
>any Virus scanners are capable of looking within the compressed files.
>
>Does anyone have any info on the subject?
>
>Thanks.
>
>Jim Pinson University of Georgia

Greetings,
    I've spent a long amount of time attempting to provide PKLITE
protection, but the method used for compression makes it difficult.
I've attempted to talk to Phil Katz about the problem, but I've met a
stonewall. I don't have enough knowledge of compression techniques to
be able to decompress the code at any reasonable rate of speed.

    For right now, the only thing I can suggest is to PKLITE -X the
files, scan them, and re-PKLITE them.

    This is, IMHO, a serious security problem. I will point out that
the author of LZEXE was quite willing to work with us when the problem
was pointed out. I'm sure Mr. Katz would also be, if he considered it
a problem.

    As a general policy, do you think that it would be better to warn
users that a file is PKLITE'ed and unscannable or to simply ignore it?

    Another problem is that PKWare is planning on coming out with a
'professional' version of the program which includes an encryption
portion that cannot be -X'ed.

--
Morgan Schweers
+------- All opinions stated herein are the author's only. So there. Neh!
I *AM* mrs@netcom.com and ms@albert.ai.mit.edu. One or the other *WILL*
reach me. Enjoy!
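As an added illustration of the scanning policy discussed in this post (not code from the post or from any scanner it mentions), here is a small Python scanner that checks the outside of a file, unpacks in memory where a decompressor is registered, and otherwise reports the file as packed and unscannable instead of silently passing it. The packer marker strings, the virus signature, the MZ-like sample layout and the use of zlib as a stand-in for a real LZEXE decompressor are all assumptions made for this example.

```python
"""Scanner policy for packed DOS executables: scan the raw bytes, unpack in
memory when a decompressor is available, and otherwise flag the file as
packed-but-unscannable rather than ignoring it."""
import zlib

# Constructed virus signature, used only for this demonstration.
SIGNATURE = b"EVIL-SIG-1991"

# Packer markers looked for in the 64-byte header. Assumed for illustration:
# zlib stands in for a real LZEXE decompressor, and PKLITE has no unpacker
# registered, matching the situation described in the post.
PACKERS = {
    b"LZ91": ("LZEXE", zlib.decompress),
    b"PKLITE": ("PKLITE", None),
}
HEADER_LEN = 64


def detect_packer(data):
    """Return (name, unpacker) when a known packer marker is in the header."""
    header = data[:HEADER_LEN]
    for marker, (name, unpacker) in PACKERS.items():
        if marker in header:
            return name, unpacker
    return None, None


def scan(data):
    """Return a verdict string for one executable image."""
    if SIGNATURE in data:                    # standard check on the outside
        return "infected"
    name, unpacker = detect_packer(data)
    if name is None:
        return "clean"
    if unpacker is None:                     # packed, no decompressor known
        return f"packed-unscannable:{name}"  # warn; user must unpack first
    try:
        inner = unpacker(data[HEADER_LEN:])  # decompress in memory only
    except zlib.error:
        return f"packed-corrupt:{name}"
    return "infected-inside" if SIGNATURE in inner else f"clean-unpacked:{name}"


def make_sample(marker, body, compress):
    """Build a constructed MZ-like image: 'MZ', a marker, padding, then body."""
    header = b"MZ" + marker.ljust(HEADER_LEN - 2, b"\0")
    return header + (zlib.compress(body) if compress else body)
```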