Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!casbah.acns.nwu.edu!nucsrl!tellab5!laidbak!obdient!homer!syzzle!system
From: system@syzzle.chi.il.us (awol)
Newsgroups: comp.binaries.ibm.pc.d
Subject: Re: LHA212JP.EXE .lzh archiver at garbo.uwasa.fi
Keywords: japan lha
Message-ID:
Date: 26 Apr 91 17:37:18 GMT
References:
Organization: System Solutions - Wheaton, Il.
Lines: 29

dfs@doe.carleton.ca (David F. Skoll) writes:

> Not quite. Here's the problem: Suppose a self-extracting archive "A"
> contains a file "F" which is contaminated with a known virus. When you first
> scan "A", you will not detect the virus, since "F" is compressed. So you
> innocently execute "A", which unpacks "F" and then...
>
> Someone has modified "A" so that after unpacking "F", it immediately executes
> it. This is a seemingly innocent operation which most virus scanners will
> not catch! If you make a scanner which catches all attempts to execute
> a file named "F", you might catch a lot of legitimate software.
>
> The whole problem is that a self-extracting archive has the potential to
> execute unpacked files before you've had a chance to scan them.

There is one possible help for this, and that is the device driver included
in the F-PROT package. It will not allow any program which contains a known
virus to execute. I have *seen* it prevent infections on 2 separate
occasions. On one of these occasions the infected file was one of the files
contained in PKZ110.EXE (which is a self-extracting ZIP file). When trying
to execute this, F-DRIVER displayed a message saying that a certain virus
was detected, and then said 'permission denied', and would not execute!!!

I can highly recommend this program! It is installed at boot, and then
forget about it (until you need it!!!).

+------------------------+-----------------------------------+
| Al Oomens (awol)       | Inside every LARGE program is     |
| awol@syzzle.chi.il.us  | a small program trying to get out.|
+------------------------+-----------------------------------+
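
The following is an added illustration, not part of the original post and not F-PROT's own code. It shows why a byte-signature scan of the packed archive "A" misses file "F", while scanning the unpacked bytes (before execution, or at the moment of execution as the driver described above does) catches it. The signature, file names and the guarded_execute() gate are constructed for this example.

```python
import io
import zipfile

# Constructed stand-in for a known-virus byte pattern (not a real signature).
SIGNATURES = {"Constructed-Test-Virus": b"XX-CONSTRUCTED-SIGNATURE-0001-XX"}

def scan(data):
    """Names of all known signatures present in the raw bytes."""
    return sorted(n for n, sig in SIGNATURES.items() if sig in data)

def build_archive(members):
    """Build an in-memory deflate-compressed ZIP from {filename: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()

def scan_members(archive):
    """Decompress every member in memory and scan it; nothing is run."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            found = scan(zf.read(info))
            if found:
                hits[info.filename] = found
    return hits

def guarded_execute(name, body, run):
    """Execute-time gate: scan the exact bytes about to run, refuse on a hit."""
    found = scan(body)
    if found:
        return "permission denied: %s (%s)" % (name, ", ".join(found))
    return run(body)

def demo():
    # Constructed file "F": filler bytes around the constructed signature.
    f_body = b"\x00" * 200 + SIGNATURES["Constructed-Test-Virus"] + b"\x00" * 200
    archive_a = build_archive({"F.COM": f_body, "README.TXT": b"hello\n"})
    return (scan(archive_a),              # raw scan of "A": compressed, no hit
            scan_members(archive_a),      # scan after unpacking: hit on F.COM
            guarded_execute("F.COM", f_body, lambda b: "ran"),
            guarded_execute("README.TXT", b"hello\n", lambda b: "ran"))

if __name__ == "__main__":
    for result in demo():
        print(result)
```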