David said:
From: "Dubious Dude" <[email protected]>
| I have around 5GB of disk space on my Windows 2000 laptop occupied
| by archives bundled up using the "tar" facility, and compressed
| with gzip. This is really slowing down a complete system scan.
| McAfee's antivirus lets the user specify what files to exclude
| from scanning. Is there much risk associated with doing this?
| What is the likelihood of some malware adding itself to a file
| within one of the archive files (each archive file is several
| hundred megabytes)? Most of the archive is data, though there are
| some unix shell scripts and possibly some binary executables. I
| unpack items from those archive files as needed (about once every
| 2-3 days).
> It depends upon your computing practices and what is being stored in
> the archive files.
> You might want to keep all the archive files in one folder and
> exclude that folder from "On Demand" and "On Access" scanning.
What I'm considering is similar. Basically, exclude those files
from scanning.
> Then when you manipulate a particular archive, copy it from the
> source location to a non-excluded location. Extract and update the
> files then move the archive back into the excluded location. This
> way you are scanning the archive that is being modified and updated
> but don't scan all the archive folders when you access the excluded
> folder.
The files are several hundred megabytes each, compressed. They don't
take kindly to being moved, though they can be coerced to do so. I
also don't trust windows enough to think that the cumulative
probability of corruption with numerous acts of copying will be as
insignificant as I would like (I don't have hard numbers, just
experience with Windows).
Fortunately, though, I think I can avoid it even within your
suggestions. This is because these archives are truly archives, in
the sense that they will not be deliberately changed by myself in the
future. Material will only be retrieved from them. The only thing I
was guarding against is if there is a means by which they can be
tampered with in a harmful way.
For example, one such archive corresponds to my email. Sometimes, I
will extract mail folders and use my local mail reader to view mail.
I was wondering if there was malware that might append something
malicious to a mail message within the mail file within the archive.
I would then be viewing the once-harmless message, not realizing that
it has a destructive attachment.
Of course, for this addition to be made to the message while the
mailbox was still within the archive would require some acrobatics,
since the archive is compressed. I'm not sure if malware is this
sophisticated these days. A simplistic approach would be to unpack
the archive behind the scenes, possibly on-the-fly, add the malicious
content wherever it needs to be put, thus creating a 2nd archive with
which the 1st one will be replaced. For the longest time, I simply
assumed that this was way too round-about to be practical, but it
probably doesn't hurt to actually inquire about it before excluding
many Gigabytes of content from scanning.
On the other hand, knowledge of the feasibility of infecting
compressed archives might not actually change my new to-be-defined
scanning practices, since scanning 5GB simply takes too long. My
hard drive will die before too long at this rate.
I do have the archives burnt to CDRs, but I access their contents
frequently enough to make it worthwhile keeping copies on the hard
drive. As well, I don't want to subject the CDRs to too much handling
or use, since they are meant to preserve the content for as long as
possible. I've had 1 CDR go bad in 3 years; I don't burn that many
CDRs, so that represents a 5-10% failure rate after 3 years. The
CDR was one of the best I could find for reliability at the time,
Kodak's Ultima gold CDs.
Thanks for commenting.
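The concern in the thread is not that the archives change, but that something might silently rewrite one of them (unpack, add content, replace) while the folder is excluded from scanning. Since these are write-once archives, the defender's answer is an integrity manifest: record each archive's size and SHA-256 once, while they are known-good, and verify before every extraction. The script below is an added example, not code from anyone in this thread; the directory layout, archive names (`mail.tar.gz`, `scripts.tar.gz`), member contents and the manifest file name are all constructed for the demonstration.

```python
import hashlib
import io
import json
import os
import tarfile
import tempfile

ARCHIVE_SUFFIXES = (".tar", ".tar.gz", ".tgz")


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 in 1 MiB chunks so multi-hundred-MB archives never sit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(archive_dir, manifest_path):
    """Record size and SHA-256 of every archive; run once, when the archives are known-good."""
    manifest = {}
    for name in sorted(os.listdir(archive_dir)):
        path = os.path.join(archive_dir, name)
        if name.endswith(ARCHIVE_SUFFIXES) and os.path.isfile(path):
            manifest[name] = {"size": os.path.getsize(path), "sha256": sha256_file(path)}
    with open(manifest_path, "w") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)
    return manifest


def verify_manifest(archive_dir, manifest_path):
    """Compare the archives on disk against the manifest; run before each extraction."""
    with open(manifest_path) as fh:
        manifest = json.load(fh)
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for name, expected in manifest.items():
        path = os.path.join(archive_dir, name)
        if not os.path.isfile(path):
            report["missing"].append(name)
        # Size check first: it is free and already catches an archive that grew or was replaced.
        elif os.path.getsize(path) != expected["size"] or sha256_file(path) != expected["sha256"]:
            report["modified"].append(name)
        else:
            report["ok"].append(name)
    # Anything with an archive suffix that the manifest never saw is also worth a look.
    for name in sorted(os.listdir(archive_dir)):
        if name.endswith(ARCHIVE_SUFFIXES) and name not in manifest:
            report["unexpected"].append(name)
    return report


def _write_tar_gz(path, members):
    """Demo helper: build a small .tar.gz from {member_name: bytes} (constructed data)."""
    with tarfile.open(path, "w:gz") as tar:
        for member_name, data in members.items():
            info = tarfile.TarInfo(member_name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))


def demo():
    """Constructed scenario: two good archives, then one is rewritten with an extra member."""
    with tempfile.TemporaryDirectory() as work:
        archive_dir = os.path.join(work, "archives")
        os.mkdir(archive_dir)
        # The manifest lives outside the excluded folder (in real use: on the CDR or another disk).
        manifest_path = os.path.join(work, "archives.sha256.json")
        mbox = b"From alice@example.test Mon Jan  1 00:00:00 2001\nSubject: hello\n\nharmless body\n"
        _write_tar_gz(os.path.join(archive_dir, "mail.tar.gz"), {"mail/inbox.mbox": mbox})
        _write_tar_gz(os.path.join(archive_dir, "scripts.tar.gz"),
                      {"bin/backup.sh": b"#!/bin/sh\necho backup\n"})
        build_manifest(archive_dir, manifest_path)
        before = verify_manifest(archive_dir, manifest_path)

        # The replacement the thread describes: the archive is re-created with an added
        # member and swapped in for the original. Only the hash comparison reveals it.
        _write_tar_gz(os.path.join(archive_dir, "mail.tar.gz"),
                      {"mail/inbox.mbox": mbox, "mail/extra.bin": b"constructed extra member"})
        after = verify_manifest(archive_dir, manifest_path)
        return {"before": before, "after": after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Build the manifest once from the copies on the CDRs (or right after burning them), keep the manifest file somewhere the antivirus still scans, and run `verify_manifest` before each extraction; a `modified` or `unexpected` entry is the cue to re-enable scanning for that one file and compare it against the CDR copy rather than extract it.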