In mid-June a thread ran on Secfocus' vuln-dev mailing list on DoSing AV/mail products.
The problem is how they handle multiple compressed & nested archives, and how resource limiting on the OS (or the lack of it) affects performance. The file is
http://www.hanau.net/fgk/downloads/42.zip, which is 42K, containing nested zips and at the end a 4GB file (6 levels deep, each level 17 wide).
Testing it on W2K with AVP, the box just wouldn't react to user input any more.
On Linux with McAfee's uvscan or RAV it goes to 100% CPU but churns out reports as it goes along; handling is sluggish, but it progresses anyway.
(750-SMP-265RAM)
Now you say "how does this affect me?" Well, if you're serving mail for a Windows community, letting this tiny zip through will have a great impact if they have personal AV coverage. Also, it's not hard to come up with a zip hierarchy in which you just embed the signatures for, say, the last 10 ITW viruses, so the reporting fills up the disks... or compress a 1GB file filled with zeroes and see the scanner hog memory like there's no tomorrow.
Reported broken are Sophos, MAIL/MIMESweeper, AVP, F-Secure and TrendMicro InterScan VirusWall.
If anyone tests this file against their AV products and posts some results, TIA.
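An added example, not part of the original post and not code from any of the products named in it: it builds a scaled-down archive of the same shape as 42.zip in memory (a few levels deep, a few copies wide, a zero-filled leaf) and runs it through a recursive scanner that enforces the two limits a mail gateway wants here, a nesting-depth cap and a global budget on inflated bytes, instead of inflating whatever the archive declares. Member names, the demo dimensions and the default limits are assumptions chosen for the demo; the 6/17/4GB figures in the expansion calculation are the post's.

```python
import io
import zipfile


class ArchiveBombError(Exception):
    """Raised when an archive exceeds the configured depth or inflation budget."""


def build_nested_zip(depth: int, width: int, leaf_size: int) -> bytes:
    """Build a 42.zip-shaped archive in memory (constructed demo data).

    The innermost zip holds one zero-filled file of ``leaf_size`` bytes; every
    level above it holds ``width`` copies of the level below, ``depth`` times.
    Runs of zeros deflate to almost nothing, so the result is tiny on disk.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("0.dll", b"\0" * leaf_size)  # hypothetical member name
    data = buf.getvalue()
    for level in range(1, depth + 1):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for i in range(width):
                zf.writestr(f"lib{level}_{i}.zip", data)
        data = buf.getvalue()
    return data


def expansion_bytes(depth: int, width: int, leaf_size: int) -> int:
    """Total leaf bytes a naive scanner would inflate: width**depth leaf files."""
    return width ** depth * leaf_size


def scan_archive(data: bytes, max_depth: int = 4,
                 max_total_bytes: int = 64 * 1024 * 1024,
                 chunk: int = 64 * 1024) -> dict:
    """Recursively walk nested zips with a depth cap and a global inflation budget."""
    stats = {"members": 0, "bytes_inflated": 0, "deepest": 0}
    _walk(data, 0, max_depth, max_total_bytes, chunk, stats)
    return stats


def _walk(data, depth, max_depth, max_total_bytes, chunk, stats):
    if depth > max_depth:
        raise ArchiveBombError(f"nesting deeper than {max_depth} levels")
    stats["deepest"] = max(stats["deepest"], depth)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            stats["members"] += 1
            # Cheap first check on the size declared in the header. The header is
            # attacker-controlled, so the running byte count below is the authority.
            if stats["bytes_inflated"] + info.file_size > max_total_bytes:
                raise ArchiveBombError(
                    f"{info.filename} declares {info.file_size} bytes, budget exceeded")
            nested = None  # buffer only members that are themselves zips
            with zf.open(info) as fh:
                first = True
                while True:
                    block = fh.read(chunk)
                    if not block:
                        break
                    if first:
                        first = False
                        if block.startswith(b"PK\x03\x04"):  # local file header magic
                            nested = bytearray()
                    stats["bytes_inflated"] += len(block)
                    if stats["bytes_inflated"] > max_total_bytes:
                        raise ArchiveBombError(
                            f"inflated more than {max_total_bytes} bytes at {info.filename}")
                    if nested is not None:
                        nested += block
            if nested is not None:
                _walk(bytes(nested), depth + 1, max_depth, max_total_bytes, chunk, stats)


def is_bomb(data: bytes, **limits) -> bool:
    """True if scanning ``data`` trips a limit; the yes/no a mail filter needs."""
    try:
        scan_archive(data, **limits)
    except ArchiveBombError:
        return True
    return False


if __name__ == "__main__":
    # The post's numbers: 6 levels, 17 wide, a 4GB leaf.
    print(f"42.zip-style expansion: {expansion_bytes(6, 17, 4 * 1024**3):,} bytes")
    bomb = build_nested_zip(depth=2, width=3, leaf_size=200_000)
    print(f"demo archive: {len(bomb)} bytes on disk, "
          f"{expansion_bytes(2, 3, 200_000):,} bytes of leaf data")
    print(scan_archive(bomb))                      # within the default budget
    print("rejected:", is_bomb(bomb, max_total_bytes=500_000))
    print("rejected:", is_bomb(bomb, max_depth=1))
```

The budget is charged per chunk as data is inflated, not once per member from the header, so a member that lies about its size still cannot push the scanner past the limit; the depth cap stops the recursion independently of the byte budget, which is what catches a deeply nested archive whose leaves are small.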