Nmap Development mailing list archives

Re: False positives on antivirus


From: Michael Pattrick <mpattrick () rhinovirus org>
Date: Thu, 28 Jan 2010 13:43:10 -0500

On Thu, Jan 28, 2010 at 10:57 AM, Ron <ron () skullsecurity net> wrote:
> 1. Encode the file in a simple way
> --> Didn't work in the simplest case, because some a/v still detects it

Out of curiosity, what did you try?

> 2. Encrypt the file properly
> --> No reason that it wouldn't work (though I've said that before and was very wrong ;) )
> --> Dependency on OpenSSL (dependency already exists)
> --> Will take me awhile to implement (I'm going to be rather busy for the next month or so)

I'd argue that we don't need to go as far as a dependency on OpenSSL
just to trick antivirus programs. The attached file implements a
simple - small - stream cipher, which should be able to trick all
antiviruses. The encryption operation is the same as the decryption
operation, so it should be convenient to use.

-M

Attachment: streamC.cpp
