funsec mailing list archives

Re: Overloading AV software, was Question about Viruses


From: Drsolly <drsollyp () drsolly com>
Date: Fri, 7 Jul 2006 22:08:39 +0100 (BST)

On Fri, 7 Jul 2006, Dude VanWinkle wrote:

On 7/7/06, Drsolly <drsollyp () drsolly com> wrote:
I guess that's why the eicar site says:
-------------------------
The first 68 characters is the known string. It may be optionally
appended by any combination of whitespace characters with the total
file length not exceeding 128 characters. The only whitespace
characters allowed are the space character, tab, LF, CR, CTRL-Z. To
keep things simple the file uses only upper case letters, digits and
punctuation marks, and does not include spaces.

-------------------------

Pretty specific. This seems kind of silly to me, as any variation of
code before the detection bit would result in the detection bit being
in a different location, and therefore result in the virus not being
detected, correct?

Correct. That's the way that the Eicar test file is *supposed* to be. By
the way, please don't call the Eicar test file a virus,

I was actually referring to the code of a virus, not the eicar test file.

OK, but it looked to me like you were talking about the Eicar file.

If the virus is no longer in the chain of execution then A) it's 
non-operational and B) the AV wouldn't say that it was.

I never noticed such a war - maybe the marketroids did that. Certainly,
Findvirus, when you run it, tells you how many things it's scanning for.
That seemed like something people would like to know. But I notice that
the figure is up to 200,000 now.

well, I just ran a script to insert a newline character into all the
source code for viruses I downloaded from
http://www.totallygeek.com/vscdb/ so the number is now more like
400,000 :-)

-JP<who single-handedly doubled all known viruses in one day>
 
No, it's still 200,000 :-)

Because the newline in the source will produce no change in the executable 
when you compile it. Were you one of the people who said that you weren't 
a programmer?

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
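The layout rules quoted from the eicar site above (68-byte known string at offset 0, an optional trailer drawn only from space, tab, LF, CR and CTRL-Z, total length at most 128 bytes) are easy to turn into a checker, and doing so makes the point raised in the thread concrete: anything placed in front of the known string moves it off offset 0 and the file is no longer a valid test file. The code below is an added example, not from the thread, from eicar.org or from any scanner; the 68-byte test string it embeds is the published EICAR standard string (the page itself only quotes the rules), and the sample inputs are constructed here. Everything is checked in memory; nothing is written to disk.

```python
"""Checker for the EICAR test-file layout rules quoted in the thread.

Added example, not code from the thread or from eicar.org. EICAR_KNOWN is the
published EICAR standard test string (68 bytes); the samples below are
constructed for illustration.
"""
from __future__ import annotations

# The published 68-byte EICAR test string. Split across two literals only for
# line length; the backslash is escaped for the bytes literal.
EICAR_KNOWN = (
    b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
    b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
)
assert len(EICAR_KNOWN) == 68  # "The first 68 characters is the known string."

# The only bytes permitted after the known string: space, tab, LF, CR, CTRL-Z.
ALLOWED_TRAILER = frozenset(b" \t\n\r\x1a")

# "total file length not exceeding 128 characters"
MAX_LEN = 128


def check_eicar(data: bytes) -> tuple[bool, str]:
    """Return (is_valid, reason) for a candidate test file held in memory.

    The known string must start at offset 0; a copy found anywhere else is
    reported as shifted, which is the case the thread discusses (junk in front
    of the signature moves it and the file is not a valid EICAR file).
    """
    if len(data) > MAX_LEN:
        return False, f"file is {len(data)} bytes, limit is {MAX_LEN}"
    if not data.startswith(EICAR_KNOWN):
        idx = data.find(EICAR_KNOWN)
        if idx > 0:
            return False, f"known string found at offset {idx}, not at offset 0"
        return False, "known 68-byte string not present at offset 0"
    trailer = data[len(EICAR_KNOWN):]
    bad = [b for b in trailer if b not in ALLOWED_TRAILER]
    if bad:
        return False, f"disallowed trailing byte 0x{bad[0]:02x}"
    return True, "valid EICAR test file layout"


# Constructed samples covering the rules one at a time.
SAMPLES: dict[str, bytes] = {
    "bare string": EICAR_KNOWN,
    "string + CRLF": EICAR_KNOWN + b"\r\n",
    "string + CTRL-Z": EICAR_KNOWN + b"\x1a",
    "padded to exactly 128": EICAR_KNOWN + b" " * (MAX_LEN - len(EICAR_KNOWN)),
    "one byte over 128": EICAR_KNOWN + b" " * (MAX_LEN - len(EICAR_KNOWN) + 1),
    "one byte in front (shifted)": b"A" + EICAR_KNOWN,
    "NUL in trailer": EICAR_KNOWN + b"\x00",
    "damaged string": EICAR_KNOWN[:-1] + b"#",
}


def run_samples() -> dict[str, bool]:
    """Run every constructed sample through the checker; map name -> is_valid."""
    return {name: check_eicar(data)[0] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        ok, reason = check_eicar(data)
        print(f"{'OK  ' if ok else 'FAIL'} {name:<28} {reason}")
```

The checker deliberately reports a shifted copy separately from a missing one, since that distinction is what a scanner that matches the test string at a fixed offset would see: the bytes are all still there, just not where the rule says they must be.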

