F-Prot DOS new version 312D

null

You seem to confirm my suspicions that it's the overambitious archive
probing that f-prot is choking on. Maybe not just WinRar, but something
about the way it tries to un-compress stuff.

All I know right now is that I can live with scanning my entire C:
drive if I take control of certain scan switches ... the ones I
mentioned in my post to Heather. If left to default settings where
F-Prot does a dumb- archive- packed scan, it does seem to choke up,
but not necessarily on zips or rars. I saw it choke up on my Moz email
trash bin ... seeming to take forever. But it doesn't crash. My crash
situation seems entirely different from yours, having to do only with
trying to invoke f-prot with no switches (user interface). But it's
not even doing that lately.

Why don't you try the E version again, and start off by using:

f-prot c:\*.* /noarchive /ext

and see if it doesn't go flying through the entire scan very quickly.

Then try:

f-prot c:\*.* /archive=1 /ext

then

f-prot c:\*.* /archive=1 /type

This last one is a bit slower (and a much better choice) than the
second one, but it doesn't take long to scan my entire drive.

And yes, there are some rar archived files on my h.d.


Art
http://www.epix.net/~artnpeg

FromTheRafters

On Fri, 19 Mar 2004 16:04:42 -0500, "Heather"


Don't you believe what Frisk wrote in the 314E.NEW file? :)

I don't know what he meant by that statement, but I think
it might have had more to do with how the engine "digs out"
the code to be compared to the definition, than to the ability
of the definition to match the code. After all, weren't those
the passworded w/bitmap variants. As long as the program
could identify the malware once I unzipped it and presented
it to the scanner - I couldn't care any less whether or not it
could algorithmically obtain the password itself from a bitmap.

Such features would be worthwhile in some environments
though.

null

I don't know what he meant by that statement, but I think
it might have had more to do with how the engine "digs out"
the code to be compared to the definition, than to the ability
of the definition to match the code. After all, weren't those
the passworded w/bitmap variants. As long as the program
could identify the malware once I unzipped it and presented
it to the scanner - I couldn't care any less whether or not it
could algorithmically obtain the password itself from a bitmap.

Such features would be worthwhile in some environments
though.

How do you know there aren't other malwares that won't be detected
when you abandon the latest version? That's my point, and I'm trying
to encourage Heather and Bart to give it another shot using command
line switches I've suggested.


Art
http://www.epix.net/~artnpeg

FromTheRafters

How do you know there aren't other malwares that won't be detected
when you abandon the latest version?

Right, you don't. I am just guessing that most of the engine
modifications are geared toward how it reveals the code
and not so much how it matches the code to the definition.

....again, I could be wrong.
That's my point, and I'm trying
to encourage Heather and Bart to give it another shot using command
line switches I've suggested.

Good suggestions, and it may help in the troubleshooting
process.

charles

Just appending to this thread

Running win2000

The problem I'm having with f-prot DOS is that both d and e no longer
redirect or tee to a log file properly.

Also kills off the cursor in a DOS window.

Jan Il

Hi ya Heather! :)
dead
on the oddest files. And went nuts on the Spybot recovery files.
Power Tools (old version 1.3) and my Startup List (which is not large).


Stopped dead.....period. Yes, I watched it scanning Paintshop Pro, which is
a large one......it pauses and takes longer. It didn't crash...no strange
looking error messages. But for some odd reason, when I hit Ctrl-Alt-Del to
see if it was 'not responding', that seemed to start it up again. Happened
4 or 5 times. So perhaps that is what you mean by a "hang".
doesn't cause problems......can't be that hard to put it up on the website
until they sort out the problems.<<<

I suppose. Yet to use a different example, my Zone Alarm Pro is v. 2.6.361
and it works just fine. Version 3.xxx prevents most WinME computers from
making auto restore points.......version 4.xxx apparently has corrected
that. I have v.4.58 downloaded, just haven't put it on yet.

And yes, I know you don't use System Restore......but I do. (G) I don't
have your computer knowledge to fix problems.

Just a FYI.....I have the free version 4.5.538.001 installed, and Lord knows
the problems I have had with my WinME System Restore. But, I've not had any
problems with creating proper RP's since I updated to this version. You did
tell me to stay away from the 3.xx one and I did. But, I got an up date
notice one day, and since it was not the 3.xxx, I decided to give it a try.
;-))

Jan :)

Fridrik Skulason

joke0 said:
It seems that F-Prot is able to scan inside upx-packed PE now?

Uhm. It is a bit more complicated. Scanning inside UPX packed
files is not going to be "officially" included in F-PROT until version
3.15 (which I expect will be the last of the 3.x series).

The DOS version of F-PROT (and usually 'fpcmd' too) has always used
the most up-to-date internal version of the engine, while the Windows
and Linux versions lag behind a little, simply because they have to go
through more thorough internal testing.

What this means in practice is that the DOS version may include
features not found in the "full" product, but there is a higher chance
for bugs in the DOS version.

This is what happened here. The DOS version has the UPX-unpacking
code, so it can scan inside UPX-packed files - something the Windows
version is not yet able to do. Unfortunately the DOS version also has
a bug - it may crash on some RAR 3.x archive files (which will be fixed
very soon).

-frisk

joke0

Hi,

Fridrik Skulason:

[Bugs]
This is what happened here. The DOS version has the
UPX-unpacking code, so it can scan inside UPX-packed files -
something the Windows version is not yet able to do.

Have you planned to add unpacking code for other PE packers such as
FSG?
Unfortunately the DOS version also has a bug - it may crash on
some RAR 3.x archive files (which will be fixed very soon).

Archives RARed with the best compression algorithms, I've noticed.

Thank you for all that nice information ;)

Heather

Jan Il said:
Hi ya Heather! :)


Just a FYI.....I have the free version 4.5.538.001 installed, and Lord knows
the problems I have had with my WinME System Restore. But, I've not had any
problems with creating proper RP's since I updated to this version. You did
tell me to stay away from the 3.xx one and I did. But, I got an up date
notice one day, and since it was not the 3.xxx, I decided to give it a try.
;-))

Thanks Jan.......glad to see you back. I will take your advice and
uninstall the v. 2 one and put the new one on. Herr Loon said he didn't
have a problem either......but you know him and his 'toys', grin.

Best.....Heather

Jan Il

Heather said:
Thanks Jan.......glad to see you back. I will take your advice and
uninstall the v. 2 one and put the new one on. Herr Loon said he didn't
have a problem either......but you know him and his 'toys', grin.

Been chasing Ghost Ships and navigating rolling fog banks... ;-)) Yeah..we
are lucky that HL takes pride in researching his 'toys' to the Nth degree.
<grin> Having read his various reports on the WinME groups, I decided to
give the 4.xxx at try when it came up. I updated not too long after my
latest ME reinstall. It's the first time in more than six months I've been
able to keep more than two RP's at a time. I now have about 2 weeks most of
the time with the 200 MB space setting.

Gimme a holler and lemme know how it works for ya. You mentioned that you
had the v.4.58, and the one I have is the v.4.5.538.001. Don't know that it
would make too much difference, but, ya never know. <g>

Have a good one...

Jan :)

cquirke (MVP Win9x)

In Message-ID:<[email protected]> posted on


That might be a clue Frisk can use to figure out where the glitch is
happening, I still haven't tried it on my 95b, but suspect the behavior
will be the same as your 98fe.

I'm sure this has occurred to y'all, but if UI mode crashes in GUI, try
setting .pif to run full-screen (SVGA issues) and perhaps try boosting
memory allocations such as Environment. There's also CMD.EXE's
rollback feature to be mindful of, if NT.

I know F-Prot needs access to %Temp% (e.g. to extract archives), and
if this is re-directed to RAMdisk when scanning formally, the puny
RAMdisk size used by the Win98 EBD is a problem.

Can F-Prot for DOS be made mindful of free space issues when handling
archives? Thinking another mechanism for DoS attack, other than the
next-multiple-times-to-crash-stack approach. Some enormous files
could archive to a few bytes (e.g. 5G of zeros) and blow up when
extracted, especially if the file system can't create such large files

-- Risk Management is the clue that asks:
"Why do I keep open buckets of petrol next to all the
ashtrays in the lounge, when I don't even have a car?"
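The free-space check cquirke asks about, as an added illustration (this is not F-Prot's code; F-Prot is closed source and its archive handler is not shown on this page). It reads only the declared sizes in a zip's central directory, refuses anything whose compression ratio or declared total is implausible or larger than the space available, and never extracts. The limits and the two sample archives are constructed for the example.

```python
import io
import zipfile

# Policy limits for a scanner's archive handler (constructed values, not F-Prot's).
MAX_RATIO = 100            # refuse if declared size / stored size exceeds this
MAX_TOTAL = 50 * 1024**2   # refuse if the declared uncompressed total exceeds this

def check_zip(data: bytes, free_space: int, max_ratio=MAX_RATIO, max_total=MAX_TOTAL):
    """Inspect central-directory metadata only; never extract.

    Returns (ok, reason, declared_total_bytes). Declared sizes can be forged,
    so a real scanner must also enforce the same cap while streaming bytes out.
    """
    total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            total += info.file_size
            stored = max(info.compress_size, 1)          # avoid division by zero
            if info.file_size / stored > max_ratio:
                return False, f"{info.filename}: ratio {info.file_size // stored}:1", total
    if total > max_total:
        return False, f"declared total {total} exceeds policy limit {max_total}", total
    if total > free_space:
        return False, f"declared total {total} exceeds free space {free_space}", total
    return True, "ok", total

def make_zip(name: str, payload: bytes) -> bytes:
    """Build a single-entry deflate zip in memory (test helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()

# Constructed samples: a mildly compressible file and 8 MiB of zeros,
# the "enormous file that archives to a few bytes" case from the post.
BENIGN = make_zip("readme.txt", bytes(range(256)) * 16)
BOMB = make_zip("zeros.bin", b"\0" * (8 * 1024**2))

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("bomb", BOMB)):
        print(label, check_zip(blob, free_space=10**9))
```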