Bugtraq mailing list archives
Re: Bypass Virus Checking
From: neil () BORTNAK COM (Neil Bortnak)
Date: Wed, 2 Feb 2000 10:27:49 -0800
Hi everyone,

I have received many reports from people telling me if they were vulnerable or not. Here's what I have so far:

Vulnerable:
    Virus Scan 4050 Defs: 4062
    NAV 5.01.01c Defs: 012400
    NAV Version lost
    NAV Version lost
    NAV2k 2000.00.02 Defs: 12400

Not Vulnerable:
    NAV 5.00.01c 012400 (Win 98)
    NAV 5.0 011500 (NT4)
    NAV 4.x (NT4)
    NAV 5.02.04 Defs: 012400 (Win95)
    VET 10.1.7.1
    F-Secure AVW 4.05
    F-PROT: 3.04.825 Defs: 12/19/99
    AVP Undisclosed version

What I'm inferring from this is that Virus Scan is vulnerable all the time, NAV once in a while, and no one else is really affected.

Why NAV is only affected sometimes may have been answered by an Edward Salm from IBM's Emergency Virus Response Service. He said, "The reason I mentioned the other eicar.com is I noticed NAV on my test machine wouldn't detect your version of eicar.com unless bloodhound was activated! When I turned bloodhound heuristics off (even though autoprotect was still running), I could put your eicar.com anywhere on the drive!"

Doesn't that give you a good pointer? Bloodhound seems pretty important. It's also possible that bloodhound ignores the default exclusions. I have a contact at SARC whom I'll ask about this and let you all know the response.

Oh, and in case you're wondering, there was only a difference of one byte between our copies of EICAR.COM. Mine terminated in an <LF>, Ed's in a <CR><LF>.

Here's an idea. The statement by McAfee that they can't go looking for XORed files because it's not feasible got me thinking. It seems to me that it's not feasible because it would take too long. People would be annoyed at 2 second waits for their files to open and whatnot. Now, I'm no AV expert and some may even work like this, but here's what I came up with. An AV checker could do a real hard look at a file, doing whatever it needed to be really thorough with the file (I understand that breaking XOR programmatically is pretty straightforward). It would then store an MD5 hash for that file in an index. Whenever it needed to scan a file, it would just compare hashes (which is quick), and only re-scan the files if they had been changed. Special handling would probably be needed for data files as they get changed all the time, but overall it seems reasonable to me.

I'd also think that AV scanners could do more advanced scans in the background with CPU idle cycles. There are a LOT of spare cycles on the average desktop.

Thanks for the great responses everyone,

Neil Bortnak
InfoSec & Linux Consulting
www.bortnak.com

P.S. Avoid sending attachments to the list. You get tons of bounce mail and your message won't show up properly (at all) in the archive.
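The following is an added illustration, written for this archive page and not code from Neil's post or from any of the scanners listed: a toy scanner that does the expensive work once (an exact whole-file match after stripping trailing padding, a substring match, and a brute-force pass over all 256 single-byte XOR keys), then records a content digest per path and re-runs the deep scan only when the digest changes. The signature string, the file contents, and the `ScanCache`/`deep_scan` names are all constructed for the example; the marker is deliberately not the EICAR string. The digest is SHA-256 rather than the MD5 the post mentions, because MD5 collisions are practical today and a cache that trusts a colliding digest would keep a stale "clean" verdict. Trailing padding is stripped before the exact match because the EICAR specification itself allows the test file to be padded with whitespace, so an <LF>- and a <CR><LF>-terminated copy should produce the same verdict.

```python
import hashlib
from typing import Dict, Optional, Tuple

# Constructed, benign marker standing in for a real detection signature.
# It is intentionally NOT the EICAR string, so this file never trips a scanner.
SIGNATURE = b"EXAMPLE-MALWARE-MARKER-0001"

# Bytes the EICAR spec allows as trailing padding (space, tab, LF, CR, CTRL-Z).
TRAILING_PAD = b" \t\r\n\x1a"


def deep_scan(data: bytes) -> Optional[str]:
    """Expensive pass (toy logic, assumed for the example): exact match after
    stripping padding, then an embedded match, then every single-byte XOR key."""
    if data.rstrip(TRAILING_PAD) == SIGNATURE:
        return "signature-exact"          # <LF> and <CR><LF> copies both land here
    if SIGNATURE in data:
        return "signature-embedded"
    for key in range(1, 256):             # brute-force single-byte XOR obfuscation
        if SIGNATURE in bytes(b ^ key for b in data):
            return f"signature-xor-{key:02x}"
    return None


def file_digest(data: bytes) -> str:
    """Content digest used as the cache key check (SHA-256, not MD5)."""
    return hashlib.sha256(data).hexdigest()


class ScanCache:
    """Index of path -> (digest, verdict). deep_scan runs only on a digest change."""

    def __init__(self) -> None:
        self.index: Dict[str, Tuple[str, Optional[str]]] = {}
        self.deep_scans = 0               # how many expensive scans actually ran

    def scan(self, path: str, data: bytes) -> Tuple[Optional[str], bool]:
        """Return (verdict, rescanned). rescanned is False on a cache hit."""
        digest = file_digest(data)
        cached = self.index.get(path)
        if cached is not None and cached[0] == digest:
            return cached[1], False       # unchanged bytes: reuse stored verdict
        self.deep_scans += 1
        verdict = deep_scan(data)
        self.index[path] = (digest, verdict)
        return verdict, True


def demo() -> dict:
    """Run the cache over a constructed in-memory 'filesystem' and report results."""
    xor_key = 0x5A
    files = {
        "clean.txt": b"nothing to see here\n",
        "plain_lf.com": SIGNATURE + b"\n",          # terminated like Neil's copy
        "plain_crlf.com": SIGNATURE + b"\r\n",      # terminated like Ed's copy
        "xored.bin": bytes(b ^ xor_key for b in SIGNATURE) + b"\n",
    }
    cache = ScanCache()
    first = {p: cache.scan(p, d) for p, d in files.items()}    # all deep-scanned
    second = {p: cache.scan(p, d) for p, d in files.items()}   # all cache hits
    # A changed file gets a new digest and is scanned again.
    files["clean.txt"] += SIGNATURE
    after_change = cache.scan("clean.txt", files["clean.txt"])
    return {
        "first": first,
        "second": second,
        "after_change": after_change,
        "deep_scans": cache.deep_scans,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

On the four sample files the first pass runs four deep scans, the second pass runs none, and appending the marker to one file triggers exactly one more. The data-file problem Neil raises is visible here too: any byte change, including a harmless one, invalidates the cached verdict, so a scanner built this way still pays the full cost on frequently edited files.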