Full Disclosure mailing list archives

Re: Re: text


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Thu, 25 Mar 2004 20:51:24 +1200

Bennett Todd <bet () rahul net> felt compelled to burble:

> If you want to really enjoy the pleasure of idiot false-positives
> from weak virus-scanners, just use this as your .sig, or better yet
> bodge it into a header:
> 
>       X5O!P%@AP[4\\PZX54(P^)7CC)7}\$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!\$H+H*
> 
> I did that for a good while, turned up no false positives from folks
> whose software was clueful, and I have to say surprisingly few in
> any case.  ...

_Any_ would be most odd, for if you really used the precise above 
string, you were _not_ including the EICAR standard antivirus test 
string, but a C-quoted (?) version thereof.  Repeating the string you 
claim you used:

 X5O!P%@AP[4\\PZX54(P^)7CC)7}\$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!\$H+H*
            ^^               ^^                                   ^^
            ||               ||                                   ||

The marks indicate places where a "\" is incorrectly present relative 
to the "real" EICAR standard antivirus test string.

>  ...  False-positiving on sig-matches in normal text bodies is
> just plain rare. He says. Now I'll probably be mowed down for this
> post:-).

Well, if you are going to post something technical to a technical list 
and just get it plain wrong, you kinda gotta expect that...

> P.S. In case anybody cares, the above cryptic voodoo is the EICAR
> test pattern; presented as a distinct file, it comes up positive in
> all virus scanners.

In case anyone really cares about the above cryptic voodoo, the real 
version of the EICAR standard antivirus test string can be found at its 
own homepage on EICAR's web site:

   http://www.eicar.org/anti_virus_test_file.htm

(For the especially interested, and not described on the EICAR web 
page, this string is a valid DOS .COM program file and will execute if 
run on a suitable platform, displaying the obvious message.  It is an 
example of what is sometimes referred to as "executable ASCII", 
providing an interesting exercise to analyse how it works.)


Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
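The point of the reply, worked through as an added example that is not part of either message in this thread: the string as posted still carries its backslashes, so a byte-exact signature does not match it until the quoting is undone, and once undone the 68-byte pattern appears. The "C-quoted" reading (a backslash followed by any character yields that character) is an assumption about what the original poster's tooling did; the stand-alone test-file rule (pattern, then only whitespace, at most 128 bytes total) comes from EICAR's published description of the file, not from this thread. The real pattern is never written out literally here; it is recovered from the posted string at run time.

```python
# Added example, not from either message in this thread.
# AS_POSTED is the string exactly as quoted in the reply; a raw literal
# keeps every backslash. The backslash-plus-character unescape rule below
# is an assumption about what "C-quoted" meant for the original poster.
AS_POSTED = r"X5O!P%@AP[4\\PZX54(P^)7CC)7}\$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!\$H+H*"

# Padding EICAR's own description allows after the pattern in a test file.
WHITESPACE_PAD = b" \t\r\n\x1a"


def escape_sequences(text):
    """Return (offset, two-character sequence) for each backslash escape.

    These are exactly the spots the reply marks with ^^: the bytes that make
    the posted string differ from the real test pattern.
    """
    found = []
    i = 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            found.append((i, text[i:i + 2]))
            i += 2
        else:
            i += 1
    return found


def c_unescape(text):
    r"""Undo one level of C-style quoting: '\\' -> '\', '\$' -> '$'.

    Minimal rule sufficient for the posted string; not a full C string parser.
    """
    out = []
    i = 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            out.append(text[i + 1])
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


# The real 68-byte EICAR pattern, recovered by removing the quoting once.
EICAR = c_unescape(AS_POSTED).encode("ascii")


def contains_eicar(data):
    """Byte-exact substring match: what a simple signature scanner does.

    The posted (still-escaped) string does not match; the unescaped one does.
    """
    return EICAR in data


def is_eicar_test_file(data):
    """Stand-alone test-file rule from EICAR's description (not this thread):
    the 68-byte pattern, optionally followed only by whitespace, with a
    total length of at most 128 bytes.
    """
    if len(data) > 128 or not data.startswith(EICAR):
        return False
    return all(b in WHITESPACE_PAD for b in data[len(EICAR):])


if __name__ == "__main__":
    print("escapes in the posted string:", escape_sequences(AS_POSTED))
    print("length of the recovered pattern:", len(EICAR))
    print("posted string matches signature:", contains_eicar(AS_POSTED.encode("ascii")))
    print("unescaped string matches signature:", contains_eicar(b"-- \n" + EICAR))
```

Because `EICAR` is built by unescaping rather than pasted in, the source file itself does not contain the pattern, which keeps the example from tripping the very signature matches the thread is about; only data constructed at run time does.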
