Antivirus/Trojan/Spyware scanners DoS [summary]

From: Bipin Gautam (visitbipin_at_hotmail.com)
Date: 06/14/04

  • Next message: Lee Sheng: "Acrobat Reader overhead"
    Date: 14 Jun 2004 00:33:49 -0000
    To: vuln-dev@securityfocus.com
    
    
    ('binary' encoding is not supported, stored as-is)

    > Hello everybody,
    >
    > I wounder how many Antivirus/Trojan/Spyware scanners
    > will choak while having a manual scan of
    > the
    > file:
    >
    > http://www.geocities.com/visitbipin/SERVER_dwn.zip
    >
    > I was woundering, what would be the results if such
    > file gets stucked in an "AV gateway" (O;
    >
    >
    > regards,
    > Bipin Gautam
    >
    > http://www.geocities.com/visitbipin/

    These are the recent findings, Please participate in
    the discussion.

    * KAV successfully passes the test! [Confirmed]

    Well I find, both norton antivirus 2002 & norton 2003
    first try to extract the zip file..... [note: each ~.*
    is a compressed 12 GB file] fo it will [.....you
    guessed it..... DoS] Norton Antivirustakes
    considerable amount of time to scan .cab files.

    I tried.......
    http://www.ravantivirus.com/scan/indexn.php
    It took for ever.... [I stopped or i might have
    crassed the server]

    I've tried to scan those .bz2 files with Mcafee, it
    does choak for a while but it went through.

    If you have Autometically 'quarentine/delete' option
    set for your AV scanner and it detects a virus "ercata
    test virus" inside the rar file. The AV will suffer a
    DoS while extracting the .rar files.

    -> Has any one tried it for trojan/spyware scanners
    that scan inside compressed files???

     
    -----------------------------
    * Winxp default zip manager just report the 12Gb zip
    file to be 121 Mb!???
    * Winrar [3.20] can show the size of .bz2 files and
    winrar just report bipin.zip is 128 Mb but it start
    filling up the hdd. to 12 Gb if you try to extract the
    file.
    *If we try to extract the 12 Gb [Standalone] file in
    Fat32 tries to extract the 12 Gb file and terminate
    extraction after 4Gb [fat32 limit] I wounder, why in
    the 1'st place would Winrar allow to extract a 4+ Gb
    [single] file in Fat 32.
    ------------------------------

    Regards,
    Bipin Gautam

    Ps: Please, reply with the version No. of the AV.
    scanner that you are using. If anyone of you have a
    test PC please test the file using the online virus
    scanners available at : http://virusall.com/downscan.html

    _________________________________________________________
    These are the coments from [Full-disclosure] community...
    _________________________________________________________

    ----------------------------
    ClamAV quarantines it, although it did take a few seconds to return:

    $ clamscan -V
    clamscan / ClamAV version 0.72
    $ clamscan SERVER_dwn.zip
    SERVER_dwn.zip: Oversized.Zip FOUND

    ----------- SCAN SUMMARY -----------
    Known viruses: 21920
    Scanned directories: 0
    Scanned files: 1
    Infected files: 1
    Data scanned: 20.13 MB
    I/O buffer size: 131072 bytes
    Time: 3.004 sec (0 m 3 s)

    -Eric
    -----------------------------
    F-Prot 4.4.2 for Linux.

    Looks like deadlocked. :(
    -----------------------------
    Grisoft AVG 6.0 Free Edition v6.0.75

    No problem manually scanning file, took about a second in total.

    Ben C
    -----------------------------
    Groupshield says it was replaced because of a Scanner Timed Out Virus.
    -----------------------------
    I have tried it with Norton AntiVirus 2003 on a PIII 550/256 MB RAM
    machine. It
    took it 8 minutes to scan 42 files before I aborted it.
    -----------------------------


  • Next message: Lee Sheng: "Acrobat Reader overhead"

    Relevant Pages

    • Antivirus/Trojan/Spyware scanners DoS [summary]
      ... > I was woundering, what would be the results if such ... first try to extract the zip file..... ... test virus" inside the rar file. ... scanner that you are using. ...
      (Bugtraq)
    • Re: Novarg
      ... but our scanner does extract the contents of ... the extracted contents are all virus ... In reference to Jim's comment about password protected zips, ... Any files blocked by our scanner due to the attachment policy or AV ...
      (Incidents)
    • Re: Ping Malke
      ... >> Command Line Scanner and the Sophos Command Line Scanner all in one ... >> After tou execute and extract the files, look at the PDF help file. ... > up clients' machines all day.* I'll fire up a Windows machine first ...
      (microsoft.public.security.virus)
    • [Full-Disclosure] Antivirus/Trojan/Spyware scanners DoS!
      ... > I was woundering, what would be the results if such ... first try to extract the zip file..... ... does choak for a while but it went through. ... scanner that you are using. ...
      (Full-Disclosure)
    • Re: Ping Malke
      ... > Command Line Scanner and the Sophos Command Line Scanner all in one ... > After tou execute and extract the files, look at the PDF help file. ... up clients' machines all day.* I'll fire up a Windows machine first ...
      (microsoft.public.security.virus)