Full Disclosure mailing list archives
Re[2]: All Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bugs. [Part IV]
From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Sun, 3 Oct 2004 12:31:26 +0400
Dear bipin gautam,

Actually my super antivirus easily detects eicar in nul.con. For example, for c:\NUL.CON\eicar.com try

antieicar \\.\c:\NUL.CON\eicar.com

Antiviral vendors are aware of this problem; it was discussed in the past.

--Saturday, October 2, 2004, 9:57:52 PM, you wrote to full-disclosure () lists netsys com:
OK. I just wrote a new super antivirus. Its database currently consists of only the eicar.com signature (I'm very new in this business), but it 100% detects EICAR in the file with removed permissions :) http://www.security.nnov.ru/files/antieicar.zip

Now, there is at least one antivirus to break your statement :)
bg> good example 3APA3A to teach those software companies
bg> howto,
bg> anyways... here is an archive,
bg> http://www.geocities.com/visitbipin/antiPOC.zip
bg> Extract the archive by using "DEFAULT ZIP MANAGER" of
bg> windows xp. It will create a file "NULL.con" (O;
bg> within which there is a "eicar test string file".
bg> I don't think your super AV will detect the "eicar
bg> test string file" within "NULL.con" folder??? :)
bg> anyways... let me know HOW, when you figure out how
bg> to delete "NULL.con" directory.

bg> You can add Kaspersky 4.5x to the list of products
you can bypass this way. Previous KAV 4.0 versions (and 3.x versions; actually it was the F-Secure engine) had a kernel driver and it was used during manual scan, so probably these versions are not vulnerable. I haven't seen 5.x yet, but it is expected to be vulnerable too. F-Secure (at least older versions) should not be vulnerable, but I didn't test.
--
~/ZARAZA
There was an error in the calculations. (Lem)
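The scanner-side fix 3APA3A describes, opening the file through the \\.\ device namespace instead of the ordinary Win32 path, as an added example that is not part of this thread or of antieicar: it flags path components Windows would treat as reserved DOS device names (NUL, NUL.CON, con.txt and so on) and rewrites those paths so a manual scanner does not stop short of the file. Function names and the sample paths are constructed for illustration.

```python
import ntpath  # NT path rules; usable on any host for this demonstration

# Reserved DOS device names. Windows also treats "NUL.CON" or "con.txt"
# as device names, because only the base name before the first dot counts.
RESERVED_DEVICE_NAMES = {
    "CON", "PRN", "AUX", "NUL",
    *(f"COM{i}" for i in range(1, 10)),
    *(f"LPT{i}" for i in range(1, 10)),
}


def is_reserved_component(name: str) -> bool:
    """True if one directory or file name would be parsed as a DOS device."""
    base = name.split(".", 1)[0].rstrip(" ")
    return base.upper() in RESERVED_DEVICE_NAMES


def has_reserved_component(path: str) -> bool:
    """True if any component of a drive-letter path is a reserved device name.

    Normal Win32 file APIs will not descend into such a directory, which is
    exactly why a manual scan never reaches c:\\NUL.CON\\eicar.com.
    """
    _drive, tail = ntpath.splitdrive(path)
    return any(is_reserved_component(c) for c in tail.split("\\") if c)


def to_device_namespace(path: str) -> str:
    """Prefix an absolute drive-letter path with \\\\.\\ (the form used in the
    thread) so the file can be opened regardless of reserved-name components."""
    if path.startswith("\\\\.\\") or path.startswith("\\\\?\\"):
        return path  # already in the device namespace
    drive, tail = ntpath.splitdrive(path)
    if not drive or not tail.startswith("\\"):
        raise ValueError("expected an absolute drive-letter path such as c:\\dir\\file")
    return "\\\\.\\" + path


def scan_plan(paths):
    """For every path a scanner enumerated, return (as found, path to open):
    unchanged for ordinary paths, \\\\.\\-prefixed where a reserved device name
    would otherwise hide the file from the scan."""
    return [(p, to_device_namespace(p) if has_reserved_component(p) else p)
            for p in paths]


if __name__ == "__main__":
    # Constructed inventory: one hidden-by-reserved-name file, one ordinary file.
    for found, to_open in scan_plan([r"c:\NUL.CON\eicar.com", r"c:\temp\clean.txt"]):
        print(f"{found} -> {to_open}")
```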