Comments on: E-mail filtering service thinks zip file is infected with W32/Bagle virus

By: pineappleman

pineappleman — Thu, 03 Nov 2005 10:25:52 +0000

I would agree with your vendors claims.

You should check with the filtering service to see how to avoid a “false” positive, if it could be done without compromising a procedure or algorithm used to decipher.

By: sonyfreek

sonyfreek — Wed, 02 Nov 2005 19:00:19 +0000

If I were you, I’d still try changing the .zip extension to something innoculous, like .txt to test out the intelligence of the AV gateway. If it doesn’t verify it’s file format, then it probably should be upgraded to something more secure, although you might not be able to convince the admin to do that.

By: dkoch67

dkoch67 — Wed, 02 Nov 2005 09:06:49 +0000

Our filtering service responded to my support call and thinks it’s a false positive. Thanks for all your ideas and comments.

David

By: petkoa

petkoa — Wed, 02 Nov 2005 07:55:57 +0000

Hi,

zip-replacing worm isn’t something unthinkable, but I did’t hear any reports about something like this.

If your scanner is so specific about W32/Bagle.G I’ll not suppose problems with encrypted zip or too general rules, but about coincidental generation by the zipper of some bites resembling the Bagle.G signature of the AV product.

BR,

Petko

By: mlandes

mlandes — Wed, 02 Nov 2005 07:18:30 +0000

hi,
try looking at the following:
a. zip protected by password ?
b. the file names are identical to the common beagle characteristics such as subject or filenames or extensions or message body words etc etc.
thanks
moti

By: layer9

layer9 — Tue, 01 Nov 2005 23:11:49 +0000

I’m curious what your AV Gateway appliance or software is.

I have seen this error with several common AV gateway systems where .zip or .txt extensions, or both were filtered by default.

Do you have administrative control over this gateway? Can you confirm that these file extensions are not blocked anywhere on the system?

Chris Weber
Layer9corp.com

By: sonyfreek

sonyfreek — Tue, 01 Nov 2005 19:51:09 +0000

Does the message you get when you receive the email state that it was blocked due to an infection of the W32/Bagle.G Virus? We typically configure our virus protection to block *.zip files that are encrypted with a password or that cannot be opened by the virus scanner, but some admins block anything by the extension, such as *.zip files. It’s typically easy to get around by renaming the .zip file to .txt. Tell the user to change it to .zip when saving it to the disk and it’ll open up fine. Try that and see if you are successful. More than likely, it will work.

By: dkoch67

dkoch67 — Tue, 01 Nov 2005 16:42:23 +0000

Howard2nd,

They were zipping the files to group them into one attachment. Size was not the problem here. This is a situation where the vendor sends out updates on a frequent basis and the number of text files is not constant.

David