Full Disclosure mailing list archives
Re: Exploiting Multiple Flaws in Symantec Antivirus 2004 for Windows Mobile
From: 3APA3A <3APA3A () security nnov ru>
Date: Wed, 17 Sep 2003 19:39:57 +0400
Dear auto9115 () hushmail com,

--Tuesday, September 16, 2003, 11:59:22 PM, you wrote to full-disclosure () lists netsys com:

ahc> Like any antivirus scanner, Symantec detects the Eicar test virus
ahc> (eicar.exe or eicar.txt). At least, at first glance it appears to
ahc> detect it. However, you can easily defeat this by adding a few
ahc> bytes of random text before or after the Eicar string. For example,
ahc> if you use a hex/text editor

Probably you misunderstand what an antiviral signature is. It's not some virus substring. When researching a virus, an antiviral vendor makes an algorithm to catch the virus behavior. If this virus is mutating, all _possible_ mutations must be caught by the signature. The problem is, EICAR with 'few random bytes' is not a possible mutation for EICAR, so catching it is not required for an antiviral product :).

And even more: catching a changed EICAR string is invalid behaviour. In this case, you will not be able to read the EICAR string on a web page or read it in an e-mail message, as it was suggested by EICAR developers, because your antivirus will incorrectly think the message or page is infected.

--
~/ZARAZA
I swear by the bald head of the prophet Moses, I am going to eat you right now. (Twain)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
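The distinction drawn in the reply above, as an added example that is not part of the original message: a Python check of a sample against EICAR's published test-file definition (the file starts with the 68-byte string, optionally followed only by space, tab, LF, CR or Ctrl-Z, with a total length of at most 128 bytes). The names `classify` and `SAMPLES` are hypothetical and the samples are constructed.

```python
# Added example: classifies a byte string against EICAR's test-file definition.
# The 68-byte string is split in two so this source does not hold it contiguously.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$" + rb"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
ALLOWED_TRAILING = frozenset(b" \t\n\r\x1a")  # space, tab, LF, CR, Ctrl-Z
MAX_LEN = 128  # maximum total length of a conforming test file


def classify(data: bytes) -> str:
    """Return 'test-file', 'contains-string' or 'absent' for a sample."""
    if data.startswith(EICAR):
        tail = data[len(EICAR):]
        if len(data) <= MAX_LEN and all(b in ALLOWED_TRAILING for b in tail):
            # Conforming test file: a scanner supporting EICAR should flag it.
            return "test-file"
    if EICAR in data:
        # The string is present but the sample is not a conforming test file
        # (extra bytes before or after it, or quoted in a page or message).
        return "contains-string"
    return "absent"


# Constructed samples covering the cases discussed in the thread.
SAMPLES = {
    "exact": EICAR,
    "trailing CRLF": EICAR + b"\r\n",
    "random prefix": b"abc" + EICAR,
    "random suffix": EICAR + b"xyz",
    "quoted in e-mail": b"The test string is: " + EICAR + b"\r\n",
    "padded past 128": EICAR + b" " * 61,
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:18} {classify(data)}")
```

Only the first two samples are conforming test files; the rest fall in the category the reply says a product is not required to flag.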
Current thread:
- Exploiting Multiple Flaws in Symantec Antivirus 2004 for Windows Mobile auto9115 (Sep 16)
- RE: Exploiting Multiple Flaws in Symantec Antivirus 2004 for Windows Mobile Bojan Zdrnja (Sep 16)
- Re: Exploiting Multiple Flaws in Symantec Antivirus 2004 for Windows Mobile 3APA3A (Sep 17)
- Re: Exploiting Multiple Flaws in Symantec Antivirus 2004 for Windows Mobile Sym Security (Sep 17)
- <Possible follow-ups>
- RE: Exploiting Multiple Flaws in Symantec Antivirus 2004 for Windows Mobile Matthew J. Brown (Sep 16)
- RE: Exploiting Multiple Flaws in Symantec Antivirus 2004 for Windows Mobile Jason Sloderbeck (Sep 17)