Bugtraq mailing list archives

Re: Bypass Virus Checking


From: mb () SIME COM (Martin Bene)
Date: Wed, 2 Feb 2000 09:45:01 +0100


At 18:09 31.01.00 -0800, Max Vision wrote:
> ANOTHER BUG: Note that this exclude.dat was originally the default shipped
> with NAV 2000, and excludes potential trouble filenames such as excel.exe,
> winword.exe, and powerpnt.exe.  That might not be the best idea, as when I
> rename BackOrifice2000 to any of those filenames, it is completely
> ignored.  *sigh*  (I just uploaded a version without those as well:
> http://maxvision.net/nav/better.dat)

Strange that Symantec managed to make their product so much worse
during upgrades; I'm running Engine 5.00.01b, Virus files 14.01.2000;
results are significantly better:

1) There is no exclusion for \RECYCLED directory, neither hidden nor
in the GUI. Exploit does not work, virus is detected.

2) The Excludes for EXCEL.EXE, WINWORD.EXE, POWERPNT.EXE and
MSACCESS.EXE only turn off the check for writes to program files.
Renaming the EICON.COM file from the exploit to excel.exe does not
prevent NAV from finding it.

3) All Exclusions are visible using the GUI Interface.

Martin Bene

"you have moved your mouse, please reboot to make this change take effect"
--------------------------------------------------
 Martin Bene               vox: +43-316-813824
 simon media               fax: +43-316-813824-6
 Andreas-Hofer-Platz 9     e-mail: mb () sime com
 8010 Graz, Austria
--------------------------------------------------
finger mb () mail sime com for PGP public key
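Added example, not part of the thread: a small audit of an antivirus exclusion list that shows why the two configurations discussed above differ. A basename-only exclusion that also silences execution scans lets any file renamed to that name escape, whereas an exclusion that only turns off write checks (as Martin describes for his newer engine) does not. The rule format, the operation names and the sample rule sets are constructed for illustration and are not NAV's real exclude.dat layout.

```python
"""Audit antivirus exclusion rules that a rename or a file move would satisfy.
Rule format (pattern + set of silenced operations) is a constructed stand-in."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

ALL_OPS = frozenset({"read", "write", "execute"})


@dataclass(frozen=True)
class Exclusion:
    pattern: str            # "excel.exe" (basename) or "C:\\RECYCLED" (directory)
    operations: frozenset   # scan triggers this rule suppresses


def is_basename_rule(rule):
    """A pattern with no directory part matches that name in ANY directory."""
    return len(PureWindowsPath(rule.pattern).parts) == 1


def rule_matches(rule, path, operation):
    """True if `rule` would suppress scanning `path` on `operation`."""
    if operation not in rule.operations:
        return False
    p = PureWindowsPath(path)
    if is_basename_rule(rule):
        return p.name.lower() == rule.pattern.lower()
    prefix = str(PureWindowsPath(rule.pattern)).lower().rstrip("\\") + "\\"
    return str(p).lower().startswith(prefix)        # directory rule: whole subtree


def is_scanned(rules, path, operation):
    return not any(rule_matches(r, path, operation) for r in rules)


def audit(rules):
    """Return (pattern, reason) pairs for rules that a rename or move defeats."""
    findings = []
    for r in rules:
        if is_basename_rule(r) and "execute" in r.operations:
            findings.append((r.pattern, "basename-only rule also silences execution: "
                                        "any file renamed to this name is never scanned"))
        elif not is_basename_rule(r) and r.operations == ALL_OPS:
            findings.append((r.pattern, "entire directory excluded for every operation"))
    return findings


# Constructed rule sets: the shipped-default style quoted above, and the
# write-only style Martin reports for his newer engine.
OLD_RULES = [Exclusion("excel.exe", ALL_OPS), Exclusion("C:\\RECYCLED", ALL_OPS)]
NEW_RULES = [Exclusion("excel.exe", frozenset({"write"}))]
```

`audit(OLD_RULES)` flags both entries; `audit(NEW_RULES)` returns nothing, and a renamed file is still scanned on execution under the newer rules.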
