|
Home > Archive > IIS Index Server > February 2004 > Can Filters Activate a Virus?
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
Can Filters Activate a Virus?
|
|
| Jeff Ballance 2004-02-10, 9:36 am |
| If I receive a file that contains a new virus that my
virus protection doesn't detect, will the operation of
indexing the file through a filter activate the virus?
For example, if an html, .doc, or .xls file contains a
virus script, does the filter run the script and in doing
so possibly activate a virus? I am wondering if I should
hold files for a period of time before indexing them to
better protected by my virus software.
Thank you,
Jeff Ballance
| |
| George Cheng [MSFT] 2004-02-10, 9:36 am |
| Filters don't execute files. You should have your files scanned prior to
them being put on the index server.
Thank You
George Cheng
Microsoft Application Center & Index Server Support
Note: This article has no warranties implicit or explicit.
All the content is given on the "as is" basis and the user
takes full responsibility for its use and assumption.
Microsoft Corporation Copyright 2004
All Rights Reserved
--------------------
| Content-Class: urn:content-classes:message
| From: "Jeff Ballance" <anonymous@discussions.microsoft.com>
| Sender: "Jeff Ballance" <anonymous@discussions.microsoft.com>
| Subject: Can Filters Activate a Virus?
| Date: Tue, 10 Feb 2004 14:40:09 -0800
| Lines: 11
| Message-ID: <05b101c3f026$d6689ef0$3a01280a@phx.gbl>
| MIME-Version: 1.0
| Content-Type: text/plain;
| charset="iso-8859-1"
| Content-Transfer-Encoding: 7bit
| X-Newsreader: Microsoft CDO for Windows 2000
| X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4927.1200
| Thread-Index: AcPwJtZoOlZ8O7pIRmWnZxpwNEYkOg==
| Newsgroups: microsoft.public.inetserver.indexserver
| Path: cpmsftngxa07.phx.gbl
| Xref: cpmsftngxa07.phx.gbl microsoft.public.inetserver.indexserver:27536
| NNTP-Posting-Host: tk2msftngxa07.phx.gbl 10.40.1.58
| X-Tomcat-NG: microsoft.public.inetserver.indexserver
|
| If I receive a file that contains a new virus that my
| virus protection doesn't detect, will the operation of
| indexing the file through a filter activate the virus?
| For example, if an html, .doc, or .xls file contains a
| virus script, does the filter run the script and in doing
| so possibly activate a virus? I am wondering if I should
| hold files for a period of time before indexing them to
| better protected by my virus software.
|
| Thank you,
| Jeff Ballance
|
| |
| Jeff Ballance 2004-02-11, 9:37 am |
| I agree that the files should be scanned first and we do.
However, during the "unprotected time" between when a new
virus is released and when the virus protection software
is updated, some files can get through with the virus.
Depending on the way the files are handled later the virus
may be detected or remain dormant. My question was if in
the process of extracting the text from a file, such as a
Word document, does the filter need to execute any
embedded macros that may contain viruses? If so, then I
may need to quarantine files for some period before
letting them into my system.
Thanks for the response.
>-----Original Message-----
>Filters don't execute files. You should have your files
scanned prior to
>them being put on the index server.
>
>Thank You
>
>George Cheng
>
>Microsoft Application Center & Index Server Support
>
>Note: This article has no warranties implicit or explicit.
>All the content is given on the "as is" basis and the
user
>takes full responsibility for its use and assumption.
>Microsoft Corporation Copyright 2004
>All Rights Reserved
>
>--------------------
>| Content-Class: urn:content-classes:message
>| From: "Jeff Ballance"
<anonymous@discussions.microsoft.com>
>| Sender: "Jeff Ballance"
<anonymous@discussions.microsoft.com>
>| Subject: Can Filters Activate a Virus?
>| Date: Tue, 10 Feb 2004 14:40:09 -0800
>| Lines: 11
>| Message-ID: <05b101c3f026$d6689ef0$3a01280a@phx.gbl>
>| MIME-Version: 1.0
>| Content-Type: text/plain;
>| charset="iso-8859-1"
>| Content-Transfer-Encoding: 7bit
>| X-Newsreader: Microsoft CDO for Windows 2000
>| X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4927.1200
>| Thread-Index: AcPwJtZoOlZ8O7pIRmWnZxpwNEYkOg==
>| Newsgroups: microsoft.public.inetserver.indexserver
>| Path: cpmsftngxa07.phx.gbl
>| Xref: cpmsftngxa07.phx.gbl
microsoft.public.inetserver.indexserver:27536
>| NNTP-Posting-Host: tk2msftngxa07.phx.gbl 10.40.1.58
>| X-Tomcat-NG: microsoft.public.inetserver.indexserver
>|
>| If I receive a file that contains a new virus that my
>| virus protection doesn't detect, will the operation of
>| indexing the file through a filter activate the virus?
>| For example, if an html, .doc, or .xls file contains a
>| virus script, does the filter run the script and in
doing
>| so possibly activate a virus? I am wondering if I
should
>| hold files for a period of time before indexing them to
>| better protected by my virus software.
>|
>| Thank you,
>| Jeff Ballance
>|
>
>.
>
| |
| Phillip Evans 2004-02-11, 12:35 pm |
| Hi Jeff.
Index server indexes using DLLs that implement the IFilter interface. It
doesn't require Word, Excel, etc. to be installed on the machine doing the
indexing. The IFilter implementations (should) read Office documents as
Compound file streams and not execute any code within the file itself. HTML
is basically text and the HTML IFilter implementation doesn't need to render
the document and won't execute any script tags. Anything that doesn't have
a custom IFilter will be indexed as text (if you allow indexing of unknown
types) and again, the host application is not required to perform that
indexing.
The worst case scenario might be if you index a document with a virus and
then your index server catalog is detected by your virus scanner as being
infected (dunno if that can actually happen)!
Regards,
Phil.
"Jeff Ballance" <anonymous@discussions.microsoft.com> wrote in message
news:ed4b01c3f0ec$f876f700$a401280a@phx.gbl...[color=blue]
> I agree that the files should be scanned first and we do.
> However, during the "unprotected time" between when a new
> virus is released and when the virus protection software
> is updated, some files can get through with the virus.
> Depending on the way the files are handled later the virus
> may be detected or remain dormant. My question was if in
> the process of extracting the text from a file, such as a
> Word document, does the filter need to execute any
> embedded macros that may contain viruses? If so, then I
> may need to quarantine files for some period before
> letting them into my system.
>
> Thanks for the response.
>
> scanned prior to
> user
> <anonymous@discussions.microsoft.com>
> <anonymous@discussions.microsoft.com>
> microsoft.public.inetserver.indexserver:27536
> doing
> should
| |
| Andrés Naranjo[MSFT] 2004-02-12, 7:36 am |
| It can't happen because the catalog is basically a list of words... code
tends to be words, numbers, complex function names, or incomplete words...
A lot of the code of a virus would be ignored as noise words... so this is
not something that seems feasable to me.
Does this answer your question? Thank you for using Microsoft Newsgroups!
Andrés Naranjo [MSFT]
Microsoft DS Communities Team
This posting is provided "AS IS" with no warranties, and confers no rights.
Please reply to newsgroups only.
| |
| Jeff Ballance 2004-02-12, 12:36 pm |
| Thank you for you comments. I was pretty sure that was=20
the case.=20
Jeff Ballance
>-----Original Message-----
>It can't happen because the catalog is basically a list=20
of words... code=20
>tends to be words, numbers, complex function names, or=20
incomplete words... =20
>A lot of the code of a virus would be ignored as noise=20
words... so this is=20
>not something that seems feasable to me.
>
>
>
>
>Does this answer your question? Thank you for using=20
Microsoft Newsgroups!=20
>=20
>Andr=E9s Naranjo [MSFT]
>Microsoft DS Communities Team
>
>This posting is provided "AS IS" with no warranties, and=20
confers no rights.=20
>Please reply to newsgroups only.
>
>.
>
|
|
|
|
|