#1
zip bombs and virus "Mal/Packer"

I've just used the "multi av" scanner on my PC and run all the vendors with the exception of Sophos reporting *14 viruses "Mal/Packer" which all happen to be keygens for one thing or another. I'm pretty sure these were all false positives although they were automatically deleted.

(Copied and pasted from David H. Lipman a googled post)
"MAL/packer is Sophos' heuristic detection of Trojans using new compression agents known to be used by malware. Sophos will use this Heuristic detection until the Trojan is fully identified and a signature is created."
So does this mean all keygens will give this response under Sophos?

Also reported was 9 "Appears to be" zip bombs....(3) ".part" files (3) ".iso" (1) ".rar" (1) ".bin" and (1) ".avi". From my understanding zip bombs are made for disruption for AV Progs and don't run any code or damage your machine, is that right?
I must determine whether or not these are false positives too. I understand extensions can be renamed to fool AV Progs, but I ran the .avi file, which indeed was a film so I'm sure that's a false positive, but for the rest how does one determine whether these are what Sophos reports as "Appears to be" zip bombs?

http://en.wikipedia.org/wiki/Zip_bomb

http://www.sophos.com/security/analyses/malpacker.html

--
Regards
p.mc
#2
Re: zip bombs and virus "Mal/Packer"

From: "p.mc" <nothanks.ok>

| Hi there
|
| I've just used the "multi av" scanner on my PC and run all the vendors with
| the exception of Sophos reporting *14 viruses "Mal/Packer" which all happen
| to be keygens for one thing or another. I'm pretty sure these were all false
| positives although they were automatically deleted.
|
| (Copied and pasted from David H. Lipman a googled post)
| "MAL/packer is Sophos' heuristic detection of Trojans using new compression
| agents known to
| be used by malware. Sophos will use this Heuristic detection until the
| Trojan is fully
| identified and a signature is created."
| So does this mean all keygens will give this response under Sophos?
|
| Also reported was 9 "Appears to be" zip bombs....(3) ".part" files (3)
| ".iso" (1) ".rar" (1) ".bin" and (1) ".avi" From my understanding zip bombs
| are made for disruption for AV Progs and don't run any code or damage your
| machine is that right?
| I must determine whether or not these are false positives too, I understand
| extensions can be renamed to fool AV Progs, but I ran the .avi file, which
| indeed was a film so I'm sure that's a false positive, but for the rest how
| does one determine whether these are what Sophos reports as "Appears to be"
| zip bombs?
|
| http://en.wikipedia.org/wiki/Zip_bomb
|
| http://www.sophos.com/security/analyses/malpacker.html
|
| --

Using the Sophos module, it may declare a large compressed file such as an ISO file, Ghost file or PST as a "Zip Bomb". This is most likely a false detection.

Yep, that was a good quote and I affirm the quote on Sophos' heuristic detection. Keygenerators are malware.

I would say the "Zip Bomb" detections are mostly false. The Mal/Packer detections may be righteous detections.

Sophos now has a switch to disable the detection of "Zip Bombs". I am strongly considering implementing it.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
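One way to check a flagged file yourself, as an added example that is not part of the thread and not Sophos' detection logic: read the ZIP directory and compare the declared expanded size with the packed size, without extracting anything. The thresholds, function names and sample data are assumptions made for this example.

```python
import io
import os
import zipfile

# Assumed triage thresholds for this example; they are not Sophos' values.
RATIO_LIMIT = 100          # declared expanded size / packed size
EXPANDED_LIMIT = 1 << 30   # 1 GiB of declared output
ARCHIVE_EXTS = (".zip", ".jar", ".rar", ".7z", ".gz", ".bz2", ".xz")


def triage(source):
    """Classify a file from ZIP metadata only; no member is ever extracted.

    `source` is a path or a seekable binary file object.
    """
    if not zipfile.is_zipfile(source):
        # e.g. a real .avi or .iso: there is no ZIP structure to expand
        return {"verdict": "not-a-zip", "ratio": None, "expanded": None, "nested": 0}
    with zipfile.ZipFile(source) as zf:
        infos = zf.infolist()
    packed = sum(i.compress_size for i in infos)
    expanded = sum(i.file_size for i in infos)
    ratio = expanded / packed if packed else 0.0
    # Archives inside archives multiply the expansion, so count them.
    nested = sum(i.filename.lower().endswith(ARCHIVE_EXTS) for i in infos)
    flagged = ratio > RATIO_LIMIT or expanded > EXPANDED_LIMIT
    return {"verdict": "review" if flagged else "ordinary",
            "ratio": round(ratio, 1), "expanded": expanded, "nested": nested}


def make_zip(payload, name="data.bin"):
    """Build a small constructed ZIP in memory to exercise triage()."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    samples = {  # all constructed for this example
        "random.zip": make_zip(os.urandom(64 * 1024)),
        "blank-image.zip": make_zip(bytes(4 * 1024 * 1024), "blank.img"),
        "film.avi": io.BytesIO(b"RIFF" + bytes(2048)),
    }
    for label, data in samples.items():
        print(label, triage(data))
```

The zero-filled sample is harmless yet lands in "review", which is how a ratio rule produces a false positive on very compressible content. The sizes are the ones the archive declares about itself, so a file from an untrusted source still calls for a size-capped extraction in an isolated environment.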
#3
Re: zip bombs and virus "Mal/Packer"

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:ensszCQCHHA.4740@TK2MSFTNGP03.phx.gbl...
> From: "p.mc" <nothanks.ok>
>
> | Hi there
> |
> | I've just used the "multi av" scanner on my PC and run all the vendors with
> | the exception of Sophos reporting *14 viruses "Mal/Packer" which all happen
> | to be keygens for one thing or another. I'm pretty sure these were all false
> | positives although they were automatically deleted.
> |
> | (Copied and pasted from David H. Lipman a googled post)
> | "MAL/packer is Sophos' heuristic detection of Trojans using new compression
> | agents known to
> | be used by malware. Sophos will use this Heuristic detection until the
> | Trojan is fully
> | identified and a signature is created."
> | So does this mean all keygens will give this response under Sophos?
> |
> | Also reported was 9 "Appears to be" zip bombs....(3) ".part" files (3)
> | ".iso" (1) ".rar" (1) ".bin" and (1) ".avi" From my understanding zip bombs
> | are made for disruption for AV Progs and don't run any code or damage your
> | machine is that right?
> | I must determine whether or not these are false positives too, I understand
> | extensions can be renamed to fool AV Progs, but I ran the .avi file, which
> | indeed was a film so I'm sure that's a false positive, but for the rest how
> | does one determine whether these are what Sophos reports as "Appears to be"
> | zip bombs?
> |
> | http://en.wikipedia.org/wiki/Zip_bomb
> |
> | http://www.sophos.com/security/analyses/malpacker.html
> |
> | --
> |
>
> Using the Sophos module, it may declare a large compressed file such as an ISO file, Ghost
> file or PST as a "Zip Bomb". This is most likely a false detection.
>
> Yep, that was a good quote and I affirm the quote on Sophos' heuristic detection.
> Keygenerators are malware.
>
> I would say the "Zip Bomb" detections are mostly false. The Mal/Packer detections may be
> righteous detections.
>
> Sophos now has a switch to disable the detection of "Zip Bombs". I am strongly considering
> implementing it.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm

Thanks Dave

BTW I've responded in a.c.v too.

--
Regards
p.mc