Full Disclosure mailing list archives

Re: Exploiting Multiple Flaws in Symantec Antivirus 2004 for Windows Mobile


From: 3APA3A <3APA3A () security nnov ru>
Date: Wed, 17 Sep 2003 19:39:57 +0400

Dear auto9115 () hushmail com,

--Tuesday, September 16, 2003, 11:59:22 PM, you wrote to full-disclosure () lists netsys com:

ahc> Like  any  antivirus scanner, Symantec detects the Eicar test virus
ahc> (eicar.exe  or  eicar.txt). At least, at first glance it appears to
ahc> detect  it.  However,  you  can  easily defeat this by adding a few
ahc> bytes of random text before or after the Eicar string. For example,
ahc> if you use a hex/text editor

Probably you misunderstand what an antiviral signature is. It's not some
virus substring. When researching a virus, an antiviral vendor makes an
algorithm to catch the virus behavior. If this virus is mutating, all
_possible_ mutations must be caught by the signature. The problem is, EICAR
with 'a few random bytes' is not a possible mutation of EICAR, so catching
it is not required for an antiviral product :). And even more: catching a
changed EICAR string is invalid behaviour. In this case, you will not be
able to read the EICAR string on a web page or read it in an e-mail message,
as was suggested by the EICAR developers, because your antivirus will
incorrectly think the message or page is infected.

-- 
~/ZARAZA
I swear by the bald head of the prophet Moses, I'll eat you this instant. (Twain)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
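The rule 3APA3A describes, as an added example that is not part of the original message or of any Symantec product: the EICAR standard's own acceptance rule (exact 68-byte string, optionally followed by whitespace, total length at most 128 bytes) beside the naive substring search the original poster expected, run over constructed sample files.

```python
# Added example (not from the original message). Shows why a file made of
# "EICAR plus a few random bytes" is not a valid EICAR test file and need not
# be flagged, while the naive substring approach would flag every web page or
# e-mail that merely quotes the string.

# The 68-byte test string, split in two pieces so that this source file is not
# itself a byte-exact EICAR file.
EICAR_STRING = (
    "X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
    "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
).encode("ascii")

# Per the EICAR standard: only space, tab, CR, LF and CTRL-Z may follow the
# string, and the whole file must not exceed 128 bytes.
ALLOWED_TRAILING = b" \t\r\n\x1a"
MAX_LENGTH = 128


def is_eicar_test_file(data: bytes) -> bool:
    """True only for a file that conforms to the EICAR standard."""
    if len(data) > MAX_LENGTH or not data.startswith(EICAR_STRING):
        return False
    trailer = data[len(EICAR_STRING):]
    return all(byte in ALLOWED_TRAILING for byte in trailer)


def naive_substring_match(data: bytes) -> bool:
    """The behaviour the poster expected: flag the string wherever it occurs."""
    return EICAR_STRING in data


# Constructed sample inputs; the "random" bytes are arbitrary filler.
SAMPLES = {
    "exact": EICAR_STRING,
    "trailing CRLF": EICAR_STRING + b"\r\n",
    "random bytes prepended": b"Qz7#" + EICAR_STRING,
    "random bytes appended": EICAR_STRING + b"\x9f\x11",
    "quoted in a mail body": b"The test string is: " + EICAR_STRING + b" ...",
}


def classify(samples=SAMPLES):
    """Map sample name -> (standard-conformant?, naive substring hit?)."""
    return {name: (is_eicar_test_file(d), naive_substring_match(d))
            for name, d in samples.items()}


if __name__ == "__main__":
    for name, (strict, naive) in classify().items():
        print(f"{name:24s} standard={strict!s:5s} naive={naive}")
```

Only the first two samples are genuine test files; the last three are hit by the substring search but are, as the reply argues, not files an antivirus product is required to detect.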
