Full Disclosure mailing list archives

Re[2]: All Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bugs. [Part IV]

From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Sun, 3 Oct 2004 12:31:26 +0400

Dear bipin gautam,

Actually  my  super  antivirus  easily  detects  eicar  in  nul.con. For
example, for c:\NUL.CON\eicar.com

try

antieicar \\.\c:\NUL.CON\eicar.com

Antiviral vendors aware about this problem, it was discussed in past.

--Saturday, October 2, 2004, 9:57:52 PM, you wrote to full-disclosure () lists netsys com:

OK.  I  just wrote new super antivirus. It's
databases currently consist
from  only  eicar.com  signature  (I'm very new in
this business) but it
100% detects EICAR in the file with removed
permissions :)

http://www.security.nnov.ru/files/antieicar.zip

Now, there is at least one antivirus to break your
statement :)



bg> good example 3APA3A to teach those software companies
bg> howto, 

bg> anyways... here is a archive, 

bg> http://www.geocities.com/visitbipin/antiPOC.zip

bg> Extract the archive by using "DEFAULT ZIP MANAGER" of
bg> windows xp. It will create a file "NULL.con" (O;
bg> within which there is a "eicar test string file". 

bg> I don't think your super AV will detect the "eicar
bg> test string file" withing "NULL.con" folder??? :)

bg> anyways... let me know HOW? when you figure out to how
bg> to delete "NULL.con" directory.



bg>  You  can  add Kaspersky 4.5x to the list of products

you can bypass this
way.  Previous  KAV  4.0  versions  (and  3.x 
version,  actually it was
F-Secure  engine)  had kernel driver and it was used
during manual scan,
probably  these version are not vulnerable. I didn't
saw 5.x yet, but it
is expected to be vulnerable too.

F-Secure  (at  least  older  versions)  should  not
be vulnerable, but I
didn't tested.



                
bg> __________________________________
bg> Do you Yahoo!?
bg> Yahoo! Mail - 50x more storage than other providers!
bg> http://promotions.yahoo.com/new_mail

bg> _______________________________________________
bg> Full-Disclosure - We believe in it.
bg> Charter: http://lists.netsys.com/full-disclosure-charter.html


-- 
~/ZARAZA
В расчетах была ошибка.  (Лем)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

Re: All Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bugs. [Part IV], (continued)
- - Re: All Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bugs. [Part IV] bipin gautam (Oct 01)
  - Re: All Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bugs. [Part IV] bipin gautam (Oct 01)
- All Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bugs. [Part IV] bipin gautam (Oct 01)
  - Re: All Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bugs. [Part IV] 3APA3A (Oct 02)
    - Re: All Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bugs. [Part IV] bipin gautam (Oct 02)
    - Re: All Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bugs. [Part IV] bipin gautam (Oct 02)
    - Re: (confirm) Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bugs. [Part IV] bipin gautam (Oct 02)
    - Re: (confirm) Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bugs. [Part IV] bipin gautam (Oct 02)
    - Re[2]: All Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bugs. [Part IV] 3APA3A (Oct 02)
    - Re: All Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bugs. [Part IV] bipin gautam (Oct 02)
    - Re[2]: All Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bugs. [Part IV] 3APA3A (Oct 03)
    - Re[2]: All Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bugs. [Part IV] Kolja Powischer (Oct 04)
- Re: Re[2]: All Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bugs. [Part IV] lee . e . rian (Oct 04)