Discussion: zip bombs and virus "Mal/Packer"
p.mc
2006-11-15 17:52:01 UTC
Hi there

I've just used the "multi av" scanner on my PC and run all the vendors, with
the exception of Sophos reporting *14 viruses "Mal/Packer", which all happen
to be keygens for one thing or another. I'm pretty sure these were all false
positives, although they were automatically deleted.

(Copied and pasted from a googled post by David H. Lipman)
"MAL/packer is Sophos' heuristic detection of Trojans using new compression
agents known to be used by malware. Sophos will use this heuristic detection
until the Trojan is fully identified and a signature is created."
So does this mean all keygens will give this response under Sophos?

Also reported were 9 "Appears to be" zip bombs: (3) ".part" files, (3)
".iso", (1) ".rar", (1) ".bin" and (1) ".avi". From my understanding zip bombs
are made to disrupt AV progs and don't run any code or damage your
machine; is that right?
I must determine whether or not these are false positives too. I understand
extensions can be renamed to fool AV progs, but I ran the .avi file, which
indeed was a film, so I'm sure that's a false positive; but for the rest, how
does one determine whether these are what Sophos reports as "Appears to be"
zip bombs?

http://en.wikipedia.org/wiki/Zip_bomb

http://www.sophos.com/security/analyses/malpacker.html
--
Regards
p.mc
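As an added example that is not part of this thread: one way to triage a file a scanner labels "Appears to be a zip bomb" is to compare the declared compression ratio in the archive's central directory with the number of bytes the archive actually produces when inflated under a hard output cap. This only handles ZIP archives (the .iso, .rar, .part and .bin files above are other formats); the thresholds and sample archives are assumptions constructed for the demo.

```python
import io
import random
import zipfile

# Thresholds are assumptions for this example, not Sophos' own heuristics.
MAX_RATIO = 100.0        # declared uncompressed:compressed ratio worth a second look
MAX_TOTAL_OUT = 1 << 30  # stop inflating after 1 GiB so the check itself stays safe

def declared_ratio(zf: zipfile.ZipFile) -> float:
    """Ratio from central-directory metadata only; nothing is decompressed."""
    comp = sum(i.compress_size for i in zf.infolist())
    uncomp = sum(i.file_size for i in zf.infolist())
    return uncomp / comp if comp else 0.0

def measured_output(zf: zipfile.ZipFile, cap: int = MAX_TOTAL_OUT) -> tuple:
    """Inflate every member in 64 KiB chunks and count the bytes actually
    produced, stopping at `cap`. Returns (bytes_seen, hit_cap)."""
    total = 0
    for info in zf.infolist():
        with zf.open(info) as member:
            while True:
                chunk = member.read(1 << 16)
                if not chunk:
                    break
                total += len(chunk)
                if total >= cap:
                    return total, True
    return total, False

def assess(data: bytes, cap: int = MAX_TOTAL_OUT) -> dict:
    """Triage an in-memory ZIP: a huge declared ratio or hitting the output cap is
    what a zip bomb looks like; a big but honest archive (ISO, PST) is not."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        ratio = declared_ratio(zf)
        seen, capped = measured_output(zf, cap)
    return {"declared_ratio": ratio, "bytes_inflated": seen, "hit_cap": capped,
            "suspicious": capped or ratio > MAX_RATIO}

def build_sample(payload: bytes) -> bytes:
    """Constructed sample archive for this demo, not a file from the thread."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("sample.bin", payload)
    return buf.getvalue()

def noisy_bytes(n: int, seed: int = 1) -> bytes:
    """Deterministic pseudo-random bytes, standing in for already-compressed content."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))
```

A 10 MB run of zero bytes deflates to a few KB (ratio well over 100) and is flagged, while pseudo-random content sits near ratio 1 and passes; a file that is merely large but compresses modestly, like an ISO or PST, also passes.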
David H. Lipman
2006-11-15 21:54:59 UTC
From: "p.mc" <nothanks.ok>

| Hi there
|
| I've just used the "multi av" scanner on my PC and run all the vendors, with
| the exception of Sophos reporting *14 viruses "Mal/Packer", which all happen
| to be keygens for one thing or another. I'm pretty sure these were all false
| positives, although they were automatically deleted.
|
| (Copied and pasted from a googled post by David H. Lipman)
| "MAL/packer is Sophos' heuristic detection of Trojans using new compression
| agents known to be used by malware. Sophos will use this heuristic detection
| until the Trojan is fully identified and a signature is created."
| So does this mean all keygens will give this response under Sophos?
|
| Also reported were 9 "Appears to be" zip bombs: (3) ".part" files, (3)
| ".iso", (1) ".rar", (1) ".bin" and (1) ".avi". From my understanding zip bombs
| are made to disrupt AV progs and don't run any code or damage your
| machine; is that right?
| I must determine whether or not these are false positives too. I understand
| extensions can be renamed to fool AV progs, but I ran the .avi file, which
| indeed was a film, so I'm sure that's a false positive; but for the rest, how
| does one determine whether these are what Sophos reports as "Appears to be"
| zip bombs?
|
| http://en.wikipedia.org/wiki/Zip_bomb
|
| http://www.sophos.com/security/analyses/malpacker.html
|
| --
|


Using the Sophos module, it may declare a large compressed file such as an ISO file, Ghost
file or PST as a "Zip Bomb". This is most likely a false detection.

Yep, that was a good quote and I affirm the quote on Sophos' heuristic detection.
Key generators are malware.

I would say the "Zip Bomb" detections are mostly false. The Mal/packer detections may be
righteous detections.

Sophos now has a switch to disable the detection of "Zip Bombs". I am strongly considering
implementing it.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
p.mc
2006-11-16 02:16:00 UTC
Post by David H. Lipman
Using the Sophos module, it may declare a large compressed file such as an ISO file, Ghost
file or PST as a "Zip Bomb". This is most likely a false detection.
Yep, that was a good quote and I affirm the quote on Sophos' heuristic detection.
Key generators are malware.
I would say the "Zip Bomb" detections are mostly false. The Mal/packer detections may be
righteous detections.
Sophos now has a switch to disable the detection of "Zip Bombs". I am strongly considering
implementing it.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Thanks, Dave.

BTW I've responded in a.c.v too.
--
Regards
p.mc