This is the mail archive of the cygwin@cygwin.com mailing list for the Cygwin project.



Re: 2/13 PM NAV update


Bill,

A better way to detect an alteration to a program is to use the "sum" 
command to generate a checksum. As I mentioned in my first response to Hong 
Xun, sum on my installed copy of the 1.3-6 cygz.dll yields this:

% sum /bin/cygz.dll
19649    50


For the 1.3-6 version the result is:

% sum cygz.dll
04409    49


I did another LiveUpdate of my NAV virus descriptions (getting 30 new 
definitions, as you pointed out) and ran it on the 1.3-7 (latest) cygz.dll 
and still got no "hit." However, the new descriptions do seem to detect the 
"Backdoor Egghead" virus in the 1.3-6 version of cygz.dll.

I am dubious that that DLL is really infected with a virus... Surely the 
pattern detection of NAV is susceptible to false positives, no?

There's another interesting thing here: Clicking the "Virus Info..." button 
in the detection notification dialog displays a virus information dialog 
that, among other things, says that the virus length is 0 (zero) bytes. How 
dangerous could an empty "virus" be?

Not that it matters, I'm not using that DLL and am unlikely to "downgrade" 
to it.

I'd be mildly interested in a full and complete explanation of what's going 
on here, but I'm not going to lose any sleep over it or investigate any 
further.

Randall Schulz
Mountain View, CA USA


At 22:03 2002-02-13, Bill Siegmund wrote:
>Hongxun & Randall,
>
>This morning my NAV was still current as of 2/7 and protecting me against 
>58723 viruses.
>
>'Round 4PM PST I got an update that made me current as of 2/13 and saw the 
>count of viruses jump by 30.
>
>And after that the two CYGZ.DLLs on my disks began to be flagged as 
>infected by the Backdoor Egghead virus.
>
>I deleted them and did a complete scan that turned up _no_ infected files.
>
>On running "setup",  I got a version of CYGZ.DLL that the current version 
>of NAV considers clean.
>
>For  the record it is dated 1/20/02 11:42a and contains 50,688 Bytes.
>
>Bill Siegmund
>Cal-Tex Computers, Inc.
>1080 Rebecca Dr.
>Boulder Creek, California 95006
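
Added example, not part of the original messages: a Python sketch of the 16-bit rotating checksum that `sum` computes in its default BSD mode (assumed here to be GNU coreutils `sum` with 1024-byte blocks, which matches the "checksum blocks" output quoted above), compared with SHA-256 for detecting an altered file. The byte strings are constructed sample data, not the real cygz.dll, and the function names are hypothetical.

```python
import hashlib

BLOCK_SIZE = 1024  # default (BSD) mode of GNU sum counts 1024-byte blocks


def bsd_sum(data):
    """Return (checksum, blocks) as computed by `sum` in its default BSD mode."""
    checksum = 0
    for byte in data:
        # Rotate the 16-bit accumulator right by one bit, then add the byte.
        checksum = (checksum >> 1) | ((checksum & 1) << 15)
        checksum = (checksum + byte) & 0xFFFF
    blocks = (len(data) + BLOCK_SIZE - 1) // BLOCK_SIZE
    return checksum, blocks


def format_sum(data):
    """Format like the `sum` output quoted in the message, e.g. '19649    50'."""
    return "%05d %5d" % bsd_sum(data)


def compare(known_good, candidate):
    """Compare a candidate file's bytes against a known-good copy both ways."""
    return {
        "sum_match": bsd_sum(known_good) == bsd_sum(candidate),
        "sha256_match": hashlib.sha256(known_good).digest()
        == hashlib.sha256(candidate).digest(),
    }


# Constructed sample data (not the real cygz.dll): two byte strings of equal
# length that differ in their first two bytes.
TAIL = b"constructed sample payload" * 100
KNOWN_GOOD = b"\x02\x00" + TAIL
ALTERED = b"\x00\x01" + TAIL

if __name__ == "__main__":
    print("known good:", format_sum(KNOWN_GOOD))
    print("altered:   ", format_sum(ALTERED))
    print(compare(KNOWN_GOOD, ALTERED))
    # A 50,688-byte file, the size Bill reports, rounds up to 50 blocks.
    print("blocks for 50688 bytes:", bsd_sum(bytes(50688))[1])
```

The two sample inputs differ yet produce the same `sum` line, while their SHA-256 digests differ: a matching 16-bit checksum rules out most accidental corruption but does not show that two files are identical.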

