Message-Id: <5.1.0.14.2.20020213223916.023958c8@pop3.cris.com>
Date: Wed, 13 Feb 2002 22:43:05 -0800
To: Bill Siegmund, lee DOT 1801 AT osu DOT edu
From: Randall R Schulz
Subject: Re: 2/13 PM NAV update [Correction]
Cc: cygwin AT cygwin DOT com

Bill,

I noticed an error in my previous message.

>A better way to detect an alteration to a program is to use the "sum"
>command to generate a checksum. As I mentioned in my first response to Hong
>Xun, sum on my installed copy of the 1.3-6 cygz.dll yields this:

CORRECTION: I have the 1.3-7 (current) version installed, not the previous 1.3-6 and this is the 1.3-7 version's checksum:

>% sum /bin/cygz.dll
>19649 50

For completeness, the rest of my original message, unchanged, follows...

>For the 1.3-6 version the result is:
>
>% sum cygz.dll
>04409 49
>
>
>I did another LiveUpdate of my NAV virus descriptions (getting 30 new
>definitions, as you pointed out) and ran it on the 1.3-7 (latest) cygz.dll
>and still got no "hit." However, the new descriptions do seem to detect
>the "Backdoor Egghead" virus in the 1.3-6 version of cygz.dll.
>
>I am dubious that that DLL is really infected with a virus... Surely the
>pattern detection of NAV is susceptible to false positives, no?
>
>There's another interesting thing here: Clicking the "Virus Info..."
>button in the detection notification dialog displays a virus information
>dialog that, among other things, says that the virus length is 0 (zero)
>bytes. How dangerous could an empty "virus" be?
>
>Not that it matters, I'm not using that DLL and am unlikely to "downgrade"
>to it.
>
>I'd be mildly interested in a full and complete explanation of what's
>going on here, but I'm not going to lose any sleep over it or investigate
>any further.
>
>Randall Schulz
>Mountain View, CA USA

At 22:03 2002-02-13, Bill Siegmund wrote:
>Hongxun & Randall,
>
>This morning my NAV was still current as of 2/7 and protecting me against
>58723 viruses.
>
>'Round 4PM PST I got an update that made me current as of 2/13 and saw the
>count of viruses jump by 30.
>
>And after that the two CYGZ.DLLs on my disks began to be flagged as
>infected by the Backdoor Egghead virus.
>
>I deleted them and did a complete scan that turned up _no_ infected files.
>
>On running "setup", I got a version of CYGZ.DLL that the current version
>of NAV considers clean.
>
>For the record it is dated 1/20/02 11:42a and contains 50,688 Bytes.
>
>Bill Siegmund
>Cal-Tex Computers, Inc.
>1080 Rebecca Dr.
>Boulder Creek, California 95006
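
The thread compares copies of a DLL by `sum` output and byte size. As an added example that is not part of the original messages: a baseline-and-verify check that records a SHA-256 digest and the size instead, since `sum` produces only a 16-bit checksum. The function names and the manifest format are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): record a baseline for a file, verify it later.
# Manifest line format (an assumption of this example): <sha256> <size-bytes> <path>

hash_file() {                        # print the SHA-256 hex digest of file $1
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | cut -d' ' -f1
    else
        shasum -a 256 < "$1" | cut -d' ' -f1   # fallback where sha256sum is absent
    fi
}

size_of() { wc -c < "$1" | tr -d ' '; }        # size of file $1 in bytes

record_baseline() {                  # usage: record_baseline FILE MANIFEST
    printf '%s %s %s\n' "$(hash_file "$1")" "$(size_of "$1")" "$1" >> "$2"
}

verify_baseline() {                  # usage: verify_baseline MANIFEST
    status=0                         # becomes 1 if any entry is missing or changed
    while read -r want_hash want_size path; do
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; status=1; continue
        fi
        have_hash=$(hash_file "$path")
        have_size=$(size_of "$path")
        if [ "$have_hash" = "$want_hash" ]; then
            echo "OK       $path"
        elif [ "$have_size" = "$want_size" ]; then
            # Same length, different bytes: a size comparison alone misses this.
            echo "CHANGED  $path (same size, different content)"; status=1
        else
            echo "CHANGED  $path (size $want_size -> $have_size)"; status=1
        fi
    done < "$1"
    return $status
}

# Typical use (paths are placeholders):
#   record_baseline /bin/cygz.dll baseline.txt     # on a known-good install
#   verify_baseline baseline.txt                   # after an update or an AV alert
```

A mismatch only shows that the file differs from the recorded copy; a different release of the same DLL, like the 1.3-6 and 1.3-7 builds discussed above, will also report CHANGED.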