Full Disclosure mailing list archives
Re: iDEFENSE Security Advisory 10.05.04b: Symantec Norton AntiVirus Reserved Device Name Handling Vulnerability
From: bipin gautam <visitbipin () yahoo com>
Date: Tue, 5 Oct 2004 20:02:46 -0700 (PDT)
hi iDEFENSE, What a coincidence, This is what i was talking about with few others in the list... a day back!!! I myself saw this behavoir...... (i was a few days short) hay guys you were telling me, "Antiviral vendors aware about this problem, it was discussed in past." so??? iDEFENSE took away my upcomming advisort. )O; 3APA3A, do you work for iDEFENSE??????? ANYWAYS, this isn't a first time a advisory has coinside with other........ cheese, bipin --- 3APA3A <3APA3A () SECURITY NNOV RU> wrote:
Dear bipin gautam, Actually my super antivirus easily detects eicar in nul.con. For example, for c:\NUL.CON\eicar.com try antieicar \\.\c:\NUL.CON\eicar.com Antiviral vendors aware about this problem, it was discussed in past. --Saturday, October 2, 2004, 9:57:52 PM, you wrote to full-disclosure () lists netsys com:OK. I just wrote new super antivirus. It's databases currently consist from only eicar.com signature (I'm very newinthis business) but it 100% detects EICAR in the file with removed permissions :) http://www.security.nnov.ru/files/antieicar.zipNow, there is at least one antivirus to breakyourstatement :)bg> good example 3APA3A to teach those software companies bg> howto, bg> anyways... here is a archive, bg> http://www.geocities.com/visitbipin/antiPOC.zip bg> Extract the archive by using "DEFAULT ZIP MANAGER" of bg> windows xp. It will create a file "NULL.con" (O; bg> within which there is a "eicar test string file". bg> I don't think your super AV will detect the "eicar bg> test string file" withing "NULL.con" folder??? :) bg> anyways... let me know HOW? when you figure out to how bg> to delete "NULL.con" directory.
The problem specifically exists in attempts to scan files and directories named as reserved MS-DOS devices. Reserved MS-DOS device names are a hold over from the original days of Microsoft DOS. The reserved MS-DOS device names represent devices such as the first printer port (LPT1) and the first serial communication port (COM1). Sample reserved MS-DOS device names include AUX, CON, PRN, COM1 and LPT1. If a virus stores itself in a reserved device name it can avoid detection by Symantec Norton AntiVirus when the system is scanned. Symantec Norton AntiVirus will scan the files and folders containing the virus and fail to detect or report them. reserved device names can be creating with standard Windows utilities by specifying the full Universal Naming Convention (UNC) path. The following command will successfully copy a file to the reserved device name 'aux' on the C:\ drive: copy source \\.\C:\aux
_______________________________ Do you Yahoo!? Declare Yourself - Register online to vote today! http://vote.yahoo.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- iDEFENSE Security Advisory 10.05.04b: Symantec Norton AntiVirus Reserved Device Name Handling Vulnerability idlabs-advisories (Oct 05)
- Re: iDEFENSE Security Advisory 10.05.04b: Symantec Norton AntiVirus Reserved Device Name Handling Vulnerability bipin gautam (Oct 05)
- Re: iDEFENSE Security Advisory 10.05.04b: Symantec Norton AntiVirus Reserved Device Name Handling Vulnerability 3APA3A (Oct 06)