Bugtraq mailing list archives

Re: SECURITY.NNOV: special devices access in multiple archivers


From: Andreas Marx <amarx () gega-it de>
Date: Thu, 02 Aug 2001 11:11:44 +0200

Hello,

we, the Anti-Virus Test Team at the University of Magdeburg, have looked at this issue about problematic filenames like "AUX", "NUL" or ".." inside archives now on 39 security-related programs like anti-virus scanners (Norton, McAfee, CA, AntiVir, AVX, Kaspersky etc.) as well as anti-trojan programs (Ants, Anti-Trojan, Tauscan, etc.). To make it short: Most programs are not affected.

The first test includes file names like "NUL.EXE", "AUX.EXE", "LPT1.EXE" and "CLOCK$.EXE" in archive files (please note that "NUL" and "NUL.EXE" have exactly the same behaviour, we just used "EXE" to make sure a scanner will really try to check this file in the archive). Archive types tested: ZIP and ARJ.

Result: Only *one* program *crashes* (it is a nearly unknown and not widely distributed anti-trojan scanner, vendor was notified about this issue) on both ARJ and ZIP archives, most other programs are still able to find the infected file (if they scan archives).

The second test includes file names like "../TEST.EXE" up to "../../../../../TEST.EXE" in ZIP archives. No program drops the TEST.EXE file somewhere on drive C:. All scanners that found the original (not packed) file were still able to find the virus in the malformed archive. Therefore, there is no "scanner drops possible infected files" (Bat/WinRip issue) anymore - all vendors have fixed possible problems at least one year ago. (We have tested older and newer versions of the programs on this issue.)

Therefore, there is no risk of scanning such malformed archives using av programs. However, most current archivers (according to 3APA3A's report) still have a problem - and a lot of other programs, too. We have verified this during our test if the archives are really malformed. ;-) - Some crash on files like "NUL.EXE", others drop files from the ZIP archive to "somewhere" on the disc...

cheers,
Andreas

btw, our newest anti-virus scanner test for both Lotus Notes 4/5 and MS Exchange 5.5/2000 Groupware is now available at http://www.av-test.org for download and as an online representation ("interactive" tables and bar plots).


--
Andreas Marx <amarx () gega-it de>, http://www.av-test.de
GEGA IT-Solutions GbR, Klewitzstr. 7, 39112 Magdeburg, Germany
Tel: 0391/6075466, Mobil: 0177/6133033, Fax: 0391/6075469
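
Added example, not part of the original message or of any tested product: a pre-extraction check that flags the two kinds of member names the tests above used (device names such as "NUL.EXE" and "../" paths) before anything is written to disk. The function names are hypothetical, the sample archive is constructed in memory, and the device-name list is the standard Windows set plus the "CLOCK$" name from the message.

```python
import io
import re
import zipfile

# Reserved device names; "NUL" and "NUL.EXE" name the same device, so the
# extension is ignored when matching.
RESERVED = re.compile(r"^(CON|PRN|AUX|NUL|CLOCK\$|COM[1-9]|LPT[1-9])$", re.IGNORECASE)

def check_member_name(name):
    """Return the reasons why extracting `name` is unsafe (empty list if none)."""
    reasons = []
    # Split on both separators, since Windows accepts either one.
    parts = re.split(r"[\\/]", name)
    if name.startswith(("/", "\\")) or re.match(r"^[A-Za-z]:", name):
        reasons.append("absolute path")
    if ".." in parts:
        reasons.append("parent-directory component")
    for part in parts:
        # The device name is the text before the first dot, minus trailing spaces.
        stem = part.split(".", 1)[0].rstrip(" ")
        if RESERVED.match(stem):
            reasons.append("reserved device name: " + stem.upper())
    return reasons

def audit_zip(data):
    """Map every member name of a ZIP (passed as bytes) to its list of problems."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {i.filename: check_member_name(i.filename) for i in zf.infolist()}

def build_sample_zip():
    """Constructed archive that reuses the file names quoted in the message."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ["NUL.EXE", "AUX.EXE", "LPT1.EXE", "CLOCK$.EXE",
                     "../TEST.EXE", "../../../../../TEST.EXE", "docs/README.TXT"]:
            zf.writestr(name, b"harmless placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    for member, problems in audit_zip(build_sample_zip()).items():
        print(member, "->", problems or "ok")
```

An extractor that rejects or renames every member with a non-empty result never opens a device and never writes outside its target directory, whatever the archive contains.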

