funsec mailing list archives
Re: Overloading AV software, was Question about Viruses
From: Drsolly <drsollyp () drsolly com>
Date: Fri, 7 Jul 2006 22:08:39 +0100 (BST)
On Fri, 7 Jul 2006, Dude VanWinkle wrote:
> On 7/7/06, Drsolly <drsollyp () drsolly com> wrote:
> > > I guess that's why the eicar site says:
> > > -------------------------
> > > The first 68 characters is the known string. It may be optionally appended by any combination of whitespace characters with the total file length not exceeding 128 characters. The only whitespace characters allowed are the space character, tab, LF, CR, CTRL-Z. To keep things simple the file uses only upper case letters, digits and punctuation marks, and does not include spaces.
> > > -------------------------
> > > Pretty specific. This seems kind of silly to me, as any variation of code before the detection bit would result in the detection bit being in a different location, and therefore result in the virus not being detected, correct?
> >
> > Correct. That's the way that the Eicar test file is *supposed* to be. By the way, please don't call the Eicar test file a virus,
>
> I was actually referring to the code of a virus, not the eicar test file.

OK, but it looked to me like you were talking about the Eicar file. If the virus is no longer in the chain of execution then A) it's non-operational and B) the AV wouldn't say that it was.

> > I never noticed such a war - maybe the marketroids did that. Certainly, Findvirus, when you run it, tells you how many things it's scanning for. That seemed like something people would like to know. But I notice that the figure is up to 200,000 now.
>
> well, I just ran a script to insert a newline character into all the source code for viruses I downloaded from http://www.totallygeek.com/vscdb/ so the number is now more like 400,000 :-)
>
> -JP<who single-handedly doubled all known viruses in one day>

No, it's still 200,000 :-) Because the newline in the source will produce no change in the executable when you compile it. Were you one of the people who said that you weren't a programmer?
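
The rules quoted from the EICAR site in the message above, written out as a checker (an added example, not part of the original post). The real 68-character string is not reproduced on this page, so `PLACEHOLDER_KNOWN` is a constructed stand-in, and `check_test_file` is a hypothetical helper name.

```python
"""Check a byte string against the EICAR test-file rules quoted in the thread."""

KNOWN_LEN = 68   # length of the known string, per the quoted text
MAX_TOTAL = 128  # maximum total file length, per the quoted text
ALLOWED_TRAILING = frozenset(b" \t\n\r\x1a")  # space, tab, LF, CR, CTRL-Z

# Constructed stand-in for the real 68-character string, which this page does
# not reproduce. Pass the genuine string as `known` to check real files.
PLACEHOLDER_KNOWN = b"PLACEHOLDER-NOT-THE-REAL-TEST-STRING-".ljust(KNOWN_LEN, b"#")


def check_test_file(data: bytes, known: bytes = PLACEHOLDER_KNOWN):
    """Return (conforms, reason) for `data` under the quoted rules."""
    if len(known) != KNOWN_LEN:
        raise ValueError("known string must be exactly 68 bytes")
    if len(data) > MAX_TOTAL:
        return False, "total length exceeds 128"
    if data[:KNOWN_LEN] != known:
        # Anything placed before the string shifts it out of position,
        # so the file no longer counts as the test file.
        return False, "first 68 bytes are not the known string"
    if set(data[KNOWN_LEN:]) - ALLOWED_TRAILING:
        return False, "trailing byte outside the allowed whitespace set"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs.
    samples = {
        "exact string": PLACEHOLDER_KNOWN,
        "string + CR LF CTRL-Z": PLACEHOLDER_KNOWN + b"\r\n\x1a",
        "newline inserted before": b"\n" + PLACEHOLDER_KNOWN,
        "non-whitespace appended": PLACEHOLDER_KNOWN + b"A",
        "padded to 129 bytes": PLACEHOLDER_KNOWN + b" " * 61,
    }
    for name, data in samples.items():
        print(f"{name:26} -> {check_test_file(data)}")
```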