请教这个是病毒吗？

白雲山民

GMAIL为何过滤不了？

LightYear

文件后缀是pdf估计不会被过滤吧，一般.exe都会。。感觉不像病毒，不过如果邮件地址来源并不熟悉也没必要下载下来看。

白雲山民

LightYear 发表于 2016-9-19 20:11
文件后缀是pdf估计不会被过滤吧，一般.exe都会。。感觉不像病毒，不过如果邮件地址来源并不熟悉也没必要下 ...

不认识发信者，

虎

LightYear 发表于 2016-9-19 20:11
文件后缀是pdf估计不会被过滤吧，一般.exe都会。。感觉不像病毒，不过如果邮件地址来源并不熟悉也没必要下 ...

PDF can be as dangerous as EXE files, depending on the vulnerability it's targeting.

Don't even download the pdf file - if it's targeting anti virus software, simply downloading it can trigger code execution.

Best to just delete. If you're really curious, download in a Linux VM then upload to virustotal.com for a check up.

Leetecit

pdf文件不会被过滤的，GMAIL也从没过滤。只要你的Windows和pdf handler保持更新，风险可以忽略。

虎

Leetecit 发表于 2016-9-19 21:28
pdf文件不会被过滤的，GMAIL也从没过滤。只要你的Windows和pdf handler保持更新，风险可以忽略。 ...

OK I'll give you an example:

https://bugs.chromium.org/p/project-zero/issues/detail?id=820

"This is a remote code execution vulnerability. Because Symantec use a filter driver to intercept all system I/O, just emailing a file to a victim or sending them a link is enough to exploit it."

Many, many applications will install filter drivers to your Windows box. If a major anti virus vendor can have vulnerabilities of this kind, imagine the rest.

coolmate

虎 发表于 2016-9-20 10:29
OK I'll give you an example:

https://bugs.chromium.org/p/project-zero/issues/detail?id=820

看上去确实如此，一个道理很简单却有效的攻击手段。不过不明白的是为啥会触发Norton去call SizeofImage？这里面有image么？

虎

image can mean many things, like when you "image a disk". Here it probably means a copy of the file attachment.

Leetecit

虎 发表于 2016-9-20 10:29
OK I'll give you an example:

https://bugs.chromium.org/p/project-zero/issues/detail?id=820

如果你要说防0-days vulnerability的话，html 邮件, photo, document files等等都得防，对于个人和小公司的资源而言，现实可行么？只要不是有目标的攻击，现实中只要保持更新的我还没发现过问题。我就不知道firewall server 如果有sandbox功能的能有多大的区别。

coolmate

虎 发表于 2016-9-20 11:02
image can mean many things, like when you "image a disk". Here it probably means a copy of the file  ...

OK。明白了，只是个他们自己的函数名称而已。不是通用库函数。

虎

Leetecit 发表于 2016-9-20 11:56
如果你要说防0-days vulnerability的话，html 邮件, photo, document files等等都得防，对于个人和小公司 ...

For personal users there are still things they can do - use Chromebook instead of Windows; use 2 factor auth for sensitive websites, etc. These will minimize the risk.

Personal experience is no substitute to large scale statistics. At personal level, lots of events are either 0% or 100% - they happened to you, or not. PDF is a very popular entry point for phishing, because the file format itself has security problems, and then there are billions of people who never update their Acrobat Reader. So even if you don't have any 0-day handy, an 1 yr old security holes of PDF/AR is still exploitable.

huazhb

虎 发表于 2016-9-20 13:31
For personal users there are still things they can do - use Chromebook instead of Windows; use 2 f ...

专业人员啊， 但是这种事情怎么防止呢？