RE: Exploiting Multiple Flaws in Symantec Antivirus 2004 for Windows Mobile

["Bojan Zdrnja" <Bojan.Zdrnja () LSS hr>]

> -----Original Message-----
> From: full-disclosure-admin () lists netsys com 
> [mailto:full-disclosure-admin () lists netsys com] On Behalf Of 
> auto9115 () hushmail com
> Sent: Wednesday, 17 September 2003 7:59 a.m.
> To: full-disclosure () lists netsys com
> Subject: [Full-disclosure] Exploiting Multiple Flaws in 
> Symantec Antivirus 2004 for Windows Mobile
>
> or eicar.txt). At least, at first glance it appears to detect it. However,
>  you can easily defeat this by adding a few bytes of random text before
> or after the Eicar string.  For example, if you use a hex/text editor
> to add a few random bytes of text before and after the string, then
Symantec
> won't detect it!  However, other AVs easily detect it, as they should.
> An AV scanner should be able to detect a byte stream anywhere in the
> file, but Symantec is easily bypassed with this rudimentary trick.

Sigh, this was discussed before, search Bugtraq archives.

If you add a few random bytes of text before or after the string, IT'S NOT
EICAR anymore.
Not discussing about other things, Symantec's behaviour is correct here, and
other AV programs are wrong (if they detect EICAR after you change those
bytes).

Regards,

Bojan Zdrnja

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html