Bugtraq mailing list archives
Re: Bypass Virus Checking
From: harley () ICRF ICNET UK (David Harley)
Date: Fri, 4 Feb 2000 07:58:19 +0000
response. Oh, and in case you're wondering, there was only a difference of one byte between our copies of EICAR.COM. Mine terminated in an <LF>, Ed's in a <CR><LF>.
That can be significant. There've been quite a few differences in implementation in detection of the EICAR test file over the years, and it's been known for a product to fail precisely because of the length of the file. Other anomalies have included a surprising degree of pattern-matching fuzziness, and undue flexibility about positioning. The spec. requires the EICAR string to be right at the beginning of the file, but doesn't specify whether anything can follow it. There was even an instance a few years back of a scanner which alerted on an informatory text file containing the EICAR string somewhere in the middle. Hopefully, all current scanners handle the EICAR string 'correctly'. But I wouldn't bet the family jewels on it.

You're right, by the way: there is anti-virus software which only scans a file for known viruses if integrity checking flags a change.

--
David Harley <D.Harley () icrf icnet uk>
<harley () sherpasoft org uk> | <D_Harley () iname com>
<http://www.sherpasoft.org.uk/>
.sig under re-construction.....
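The positioning, trailer and length anomalies described above can be made concrete with a small reference check. The following is an added example, not code from the post or from any scanner it mentions. It applies the rules published for the test file on eicar.org (68-byte string at offset 0, optionally followed only by space, tab, LF, CR or CTRL-Z, total length at most 128 bytes) and contrasts a spec-conformant check with a naive "string anywhere" match of the kind that flagged a text file mid-way through. The sample files (an LF-terminated copy, a CRLF-terminated copy, a note with the string in the middle, an over-long copy, and one with non-whitespace junk appended) are constructed here for illustration.

```python
# Added example (not from the Bugtraq post): a reference EICAR detector that
# applies the rules eicar.org publishes for the test file, beside a naive
# substring match, to show which copies should and should not be flagged.
#
# Rules assumed here (from eicar.org's description of the test file):
#   * the 68-character string must start at byte 0 of the file;
#   * it may be followed only by whitespace: space, tab, LF, CR, CTRL-Z;
#   * the total file length must not exceed 128 bytes.

# Raw bytes literal so the backslash in the string is kept verbatim.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
ALLOWED_TRAILER = b" \t\n\r\x1a"
MAX_LEN = 128


def is_eicar(data: bytes) -> bool:
    """Spec-conformant check: string at offset 0, whitespace-only trailer, <=128 bytes."""
    if len(data) > MAX_LEN:
        return False
    if not data.startswith(EICAR):
        return False
    trailer = data[len(EICAR):]
    # Iterating bytes yields ints; `int in bytes` tests membership by value.
    return all(b in ALLOWED_TRAILER for b in trailer)


def naive_is_eicar(data: bytes) -> bool:
    """Sloppy check: fires on the string anywhere in the file, at any length."""
    return EICAR in data


# Constructed sample files (hypothetical, for illustration only).
SAMPLES = {
    # The two copies discussed in the thread: one byte apart in the trailer.
    "lf": EICAR + b"\n",
    "crlf": EICAR + b"\r\n",
    # An informatory text file quoting the string part-way through.
    "midfile": b"Note: the EICAR test string is " + EICAR + b" and should be detected.\n",
    # Whitespace-only trailer, but the file is longer than 128 bytes.
    "toolong": EICAR + b"\n" * 100,
    # Non-whitespace bytes appended: not a valid test file.
    "junk": EICAR + b"junk",
}


def verdicts() -> dict:
    """Return {name: (spec_verdict, naive_verdict)} for every sample."""
    return {name: (is_eicar(d), naive_is_eicar(d)) for name, d in SAMPLES.items()}


if __name__ == "__main__":
    for name, (spec, naive) in verdicts().items():
        print(f"{name:8s} spec={spec!s:5s} naive={naive!s:5s} len={len(SAMPLES[name])}")
```

Both the LF and CRLF copies pass the spec check, so a scanner that accepts one and rejects the other is being stricter than the published rules; the naive matcher flags the mid-file note and the 168-byte copy, which is exactly the over-eager behaviour the post describes.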