Nonsecurity: CanIt Virus Scanner
This post was originally published on August 15, 2007 at 3:26 PM.
Yesterday I received a .jar file1 that had been forwarded to me via e-mail. While reading the message, this caught my eye:
***********************
Warning: Your file, SeeLogo.jar, contains more than 32 files after decompression and cannot be scanned.
***********************
Apparently all it takes to defeat this e-mail virus scanner is sticking your malware in a zip archive alongside 32 empty text files. Even though the archive is tiny, the scanner will give up merely because of the file count in the header.
I’ve not yet identified the guilty software, but I’ll update this post when I do.
Update: According to the X-Scanned-By header, the culprit seems to be CanIt. Their Anti-Virus Options page mentions that it “can look inside .zip file attachments to detect and eliminate harmful e-mail attachments that are hidden inside.” Except, of course, those that are hidden alongside a handful of other files.
-
A .jar file is a .zip archive that contains a set of Java classes and resources. ↩
August 16th, 2007 at 3:40 pm
That’s incredibly lazy programming. I guess one couldn’t realistically scan every file and sub-file that passes through email, but at least read file lengths and ignoring smallish files! Be sure to yell at the company when you discover what program is so negligent.