Full Disclosure mailing list archives
RE: Re: [Private]Multiple AV VendorIncorrectCRC32BypassVulnerability.
From: "Steve Scholz" <steve_scholz () sybari com>
Date: Sat, 12 Mar 2005 14:16:02 -0500
Hi Bipin,

By design Eicar needs to be the exact string and on the first line with nothing else following it. So the file is not actually an Eicar. I get this with advanced zip repair. So now we won't detect this because it is not Eicar.

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*PK /é0DFµ-ÿ ÿ eicar.comPK 7 k

Steve Scholz
Corporate Sales Engineer-North America
Sybari Software, Inc.
631-630-8556 Direct
516-903-2464 Mobile
Email: Steve_scholz () sybari com
MSN IM:Steve_Scholz () Msn com (email never checked)

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of bipin gautam
Sent: Saturday, March 12, 2005 1:03 PM
To: Steve Scholz
Cc: vuln () secunia com; full-disclosure () lists grok org uk; bugtraq () securityfocus com
Subject: [Full-disclosure] Re: [Private]Multiple AV VendorIncorrectCRC32BypassVulnerability.

Steve, firstly... thank you for all your comments.

> The Antigen_s.zip does not contain a valid Eicar; this info when repaired and opened is X5O!P%@AP[4\PZX
> We did catch it with a file filter. What was your intent with these files?

OOPS! again my fault!!! TRY: http://www.geocities.com/visitbipin/Antigen.zip

My intention was to show, if the archive has compressed size and uncompressed size set to greater than the actual file size or less than the actual file size there are many AV that can't scan the file properly. Send http://www.geocities.com/visitbipin/Antigen.zip to virustotal.com and see for yourself!!!

Download Accelerator successfully repairs this archive with some garbage data \x00 at the end "255 bytes". Though, I was able to successfully execute eicar.com

-bipin

updates at: http://www.geocities.com/visitbipin/crc.html

___________________My report!_______________________

This is a report processed by VirusTotal on 03/12/2005 at 18:38:32 (CET) after scanning the file "Antigen.zip" file.

Antivirus     Version          Update       Result
AntiVir       6.30.0.5         03.11.2005   Eicar-Test-Signature
AVG           718              03.11.2005   EICAR_Test (+187)
BitDefender   7.0              03.12.2005   no virus found
ClamAV        devel-20050307   03.10.2005   Eicar-Test-Signature
DrWeb         4.32b            03.12.2005   no virus found
eTrust-Iris   7.1.194.0        03.12.2005   no virus found
eTrust-Vet    11.7.0.0         03.11.2005   no virus found
Fortinet      2.51             03.11.2005   no virus found
F-Prot        3.16a            03.11.2005   EICAR_Test_File
Ikarus        2.32             03.11.2005   EICAR-ANTIVIRUS-TESTFILE
Kaspersky     4.0.2.24         03.12.2005   EICAR-Test-File
McAfee        4445             03.11.2005   no virus found
NOD32v2       1.1024           03.11.2005   archive damaged
Norman        5.70.10          03.10.2005   no virus found
Panda         8.02.00          03.12.2005   Eicar.Mod
Sybari        7.5.1314         03.12.2005   no virus found
Symantec      8.0              03.11.2005   no virus found

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/
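
A scanner or gateway can flag the condition discussed in this thread, where an archive's declared compressed and uncompressed sizes do not match the stored data, instead of reporting "no virus found". The check below is an added example, not code from the thread or from any vendor named in it; `audit_zip`, `constructed_samples` and `LIMIT` are hypothetical names, and the sample archive is constructed in memory around a harmless text payload.

```python
import io
import struct
import zipfile
import zlib

LIMIT = 1 << 24  # assumed cap on inflated bytes, so the audit itself is bounded

def audit_zip(data: bytes) -> list:
    """Return findings where a member's declared CRC/sizes do not match its data."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = zf.infolist()  # parsed from the central directory
    for m in members:
        hdr = data[m.header_offset:m.header_offset + 30]
        if len(hdr) < 30 or hdr[:4] != b"PK\x03\x04":
            findings.append(f"{m.filename}: local header missing")
            continue
        _, _, flags, method, _, _, crc, csize, usize, nlen, xlen = struct.unpack("<4s5H3I2H", hdr)
        central = (m.CRC, m.compress_size, m.file_size)
        # Flag bit 3: local fields are zero and a data descriptor follows the data.
        if not flags & 0x08 and (crc, csize, usize) != central:
            findings.append(f"{m.filename}: local header disagrees with central directory")
        if method != zipfile.ZIP_DEFLATED:
            continue  # only a deflate stream marks its own end
        body = data[m.header_offset + 30 + nlen + xlen:]
        inflater = zlib.decompressobj(-15)  # raw deflate, as stored in ZIP
        try:
            plain = inflater.decompress(body, LIMIT)
        except zlib.error:
            plain = b""  # eof stays False, reported just below
        if not inflater.eof:
            findings.append(f"{m.filename}: deflate stream corrupt, truncated or over LIMIT")
            continue
        actual = (zlib.crc32(plain), len(body) - len(inflater.unused_data), len(plain))
        if actual != central:
            findings.append(f"{m.filename}: declared {central} != actual {actual}")
    return findings

def constructed_samples():
    """Constructed input: a clean archive and a copy with all size fields +255."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("note.txt", b"harmless constructed payload\n" * 8)
    clean = buf.getvalue()
    bad = bytearray(clean)
    cd = struct.unpack_from("<I", clean, len(clean) - 6)[0]  # EOCD -> central dir offset
    for pos in (18, 22, cd + 20, cd + 24):  # csize, usize: local then central header
        struct.pack_into("<I", bad, pos, struct.unpack_from("<I", clean, pos)[0] + 255)
    return clean, bytes(bad)
```

A non-empty result is a reason to treat the archive as unscannable and quarantine it rather than pass it as clean.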