RE: Re: Multiple AV Vendor Incorrect CRC32BypassVulnerability.

[bipin gautam <visitbipin () yahoo com>]

> While it might be a vulnerability if the file is
> extracted which it hasto be to be executed the 
> desktop scanner will detect it at that time. 
> Multiple layers of defense is your best option 
> As far as number 3 Antigen detects Eicar.

YAP, i never reported Antigen vulnerable to the 3'rd
one.

Though, In Local file header if you modify "general
purpose bit flag" 7th & 8'th byte of a zip archive
with \x2f Antigen is also seem to be vulnerable! While
most unzip utilities are transperently able to extract
SUCH* archive without any problem! Though,currently my
only source of verifying this is via
www.virustotal.com and some others. [Go, TRY IT
THEER!]
http://www.geocities.com/visitbipin/gpbf.zip


> I can see if there is anything
> else that you do not
> think Antigen is doing correctly.

 (O;

For instant,
In the 'local file header" & "data descriptor" if you
change the  compressed size and uncompressed size to
ZERO[iDEFENSE] or greater than the actual file size or
less than the actual file size still there are many AV
that can't scan the file properly. 
http://www.geocities.com/visitbipin/Antigen_b.zip
http://www.geocities.com/visitbipin/Antigen_s.zip

Moreover there are unzip utilities that goes to a loop
if the filesize is changed to ffffffff ! Lets hope, AV
don't have such faulty code!

Just run the file through www.virustotal.com and
you'll see. (I know, they aren't using up-to-date scan
engine)

Thanks,
bipin





                
__________________________________ 
Do you Yahoo!? 
Yahoo! Small Business - Try our new resources site!
http://smallbusiness.yahoo.com/resources/ 
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/