From: Randall R Schulz
To: Bill Siegmund, lee.1801@osu.edu
Cc: cygwin@cygwin.com
Date: Wed, 13 Feb 2002 22:33:00 -0000
Subject: Re: 2/13 PM NAV update

Bill,

A better way to detect an alteration to a program is to use the "sum" command to generate a checksum. As I mentioned in my first response to Hong Xun, sum on my installed copy of the 1.3-6 cygz.dll yields this:

    % sum /bin/cygz.dll
    19649 50

For the 1.3-6 version the result is:

    % sum cygz.dll
    04409 49

I did another LiveUpdate of my NAV virus descriptions (getting 30 new definitions, as you pointed out) and ran it on the 1.3-7 (latest) cygz.dll and still got no "hit." However, the new descriptions do seem to detect the "Backdoor Egghead" virus in the 1.3-6 version of cygz.dll.

I am dubious that that DLL is really infected with a virus... Surely the pattern detection of NAV is susceptible to false positives, no?

There's another interesting thing here: Clicking the "Virus Info..." button in the detection notification dialog displays a virus information dialog that, among other things, says that the virus length is 0 (zero) bytes. How dangerous could an empty "virus" be?

Not that it matters, I'm not using that DLL and am unlikely to "downgrade" to it. I'd be mildly interested in a full and complete explanation of what's going on here, but I'm not going to lose any sleep over it or investigate any further.

Randall Schulz
Mountain View, CA USA

At 22:03 2002-02-13, Bill Siegmund wrote:
>Hongxun & Randall,
>
>This morning my NAV was still current as of 2/7 and protecting me against
>58723 viruses.
>
>'Round 4PM PST I got an update that made me current as of 2/13 and saw the
>count of viruses jump by 30.
>
>And after that the two CYGZ.DLLs on my disks began to be flagged as
>infected by the Backdoor Egghead virus.
>
>I deleted them and did a complete scan that turned up _no_ infected files.
>
>On running "setup", I got a version of CYGZ.DLL that the current version
>of NAV considers clean.
>
>For the record it is dated 1/20/02 11:42a and contains 50,688 Bytes.
>
>Bill Siegmund
>Cal-Tex Computers, Inc.
>1080 Rebecca Dr.
>Boulder Creek, California 95006

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/