Re: [Full-Disclosure] Exploiting Multiple Flaws in Symantec Antivirus 2004 for Windows Mobile
From: 3APA3A (3APA3A_at_SECURITY.NNOV.RU)
Date: 09/17/03
- Previous message: Richard Johnson: "[Full-Disclosure] Re: openssh remote exploit"
- In reply to: auto9115_at_hushmail.com: "[Full-Disclosure] Exploiting Multiple Flaws in Symantec Antivirus 2004 for Windows Mobile"
- Next in thread: Jason Sloderbeck: "RE: [Full-Disclosure] Exploiting Multiple Flaws in Symantec Antivirus 2004 for Windows Mobile"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: auto9115@hushmail.com Date: Wed, 17 Sep 2003 19:39:57 +0400
Dear auto9115@hushmail.com,
--Tuesday, September 16, 2003, 11:59:22 PM, you wrote to full-disclosure@lists.netsys.com:
ahc> Like any antivirus scanner, Symantec detects the Eicar test virus
ahc> (eicar.exe or eicar.txt). At least, at first glance it appears to
ahc> detect it. However, you can easily defeat this by adding a few
ahc> bytes of random text before or after the Eicar string. For example,
ahc> if you use a hex/text editor
Probably you misunderstand what antiviral signature is. It's not some
virus substring. Than researching virus, antiviral vendor makes an
algorithm to catch virus behavior. If this virus is mutating, all
_possible_ mutations must be catched by signature. The problem is, EICAR
with 'few random bytes' is not possible mutation for EICAR, so catching
it is not required for antiviral product :). And even more: catching
changed EICAR string is invalid behaviour. In this case, you will not be
able to read EICAR string on the web page or read it in e-mail message,
as it was suggested by EICAR developers, because your antivirus will
incorrectly think message or page is infected.
-- ~/ZARAZA Клянусь лысиной пророка Моисея - я тебя сейчас съем. (Твен) _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
- Previous message: Richard Johnson: "[Full-Disclosure] Re: openssh remote exploit"
- In reply to: auto9115_at_hushmail.com: "[Full-Disclosure] Exploiting Multiple Flaws in Symantec Antivirus 2004 for Windows Mobile"
- Next in thread: Jason Sloderbeck: "RE: [Full-Disclosure] Exploiting Multiple Flaws in Symantec Antivirus 2004 for Windows Mobile"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
