Re: PenTesting Email AntiVirus

Date: Fri, 17 May 2002 09:59:06 +0200
From: Volker Tanger <>
To: Ilici Ramirez <>


Ilici Ramirez wrote:
> What ways do you know to pen-test email antivirus
> software?
> A cool one that has been published before is to zip a
> very large file that contains the same character. The
> result, a very small file attached to an email could
> deplete resources on the antivirus server. Do you know
> any AV exploitable with this?

That usually "only" fills up the hard disc - which is a simple DoS
attack (in contrast to penetration) and not further exploitable.
A known pre-packaged is the monster, containing only "0.dll", 4GB
of zeros each: 16 libs with 16 books of 16 chapters of 16 docs with 16
pages = 16^5 files of 4GB each = 4 PetaByte

Trend InterScan VirusWall was vulnerable but now this attack only blocks
one (forked-off) child process for the duration of the scan. Files
within the archive are extracted one-by-one (instead of extracting all
and then scanning all the lot), a full hard disc fails graciously (and
the scanning restarted). It is recommendable to have the scan partition
separate from the system temp partition, though (just to be safe).

IIRC CT's Mailsweeper fails this test, merrily crashing after filling
the hard disc.

I have not DoS-tested other products yet.



-------------------------------------------------------------------
discon GmbH
IT-Security Consulting
Wrangelstrasse 100
10997 Berlin, Germany
-------------------------------------------------------------------
PGP-Fingerprint: 5323 a4f7 a7c2 b8ef 4653 05ce d2ea 2b74 b94c c68e
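Added example, not part of the original post and not code from any product named in it: a scanner-side guard that inflates archive members one at a time, as the reply describes, and stops once a byte budget or nesting limit is exceeded. The function name, the limits and the `scan_chunk` callback are assumptions made for this sketch.

```python
import io
import zipfile

MAX_TOTAL_BYTES = 50 * 1024 * 1024  # assumed per-message budget for inflated data
MAX_DEPTH = 3                       # assumed limit on archives inside archives
CHUNK = 64 * 1024
ZIP_MAGIC = b"PK\x03\x04"           # local file header that starts a zip


class ArchiveRejected(Exception):
    """The attachment exceeded the scan budget and should be quarantined."""


def scan_archive(data, scan_chunk, max_total=MAX_TOTAL_BYTES, max_depth=MAX_DEPTH):
    """Feed every member to scan_chunk(name, chunk) and return bytes inflated.

    Members are inflated one at a time, in memory, and the budget is charged
    on bytes actually produced, so it does not depend on the sizes declared
    in the archive headers and nothing is unpacked to the scan partition.
    """
    used = 0

    def walk(blob, depth):
        nonlocal used
        if depth > max_depth:
            raise ArchiveRejected("archives nested deeper than %d levels" % max_depth)
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                nested = None  # filled only when the member is itself a zip
                with zf.open(info) as member:
                    for i, chunk in enumerate(iter(lambda: member.read(CHUNK), b"")):
                        used += len(chunk)
                        if used > max_total:
                            raise ArchiveRejected("over budget in %r" % info.filename)
                        scan_chunk(info.filename, chunk)
                        if i == 0 and chunk.startswith(ZIP_MAGIC):
                            nested = io.BytesIO()
                        if nested is not None:
                            nested.write(chunk)
                if nested is not None:
                    walk(nested.getvalue(), depth + 1)

    walk(data, 0)
    return used
```

Because the budget is shared across all nesting levels, the memory held for a nested archive can never exceed `max_total`.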
