lists.openwall.net - Open Source and information security mailing list archives
From: visitbipin at yahoo.com (bipin gautam)
Subject: iDEFENSE Security Advisory 10.05.04b: Symantec Norton AntiVirus Reserved Device Name Handling Vulnerability

hi iDEFENSE,

What a coincidence. This is what I was talking about with a few others on the list... a day back!!! I myself saw this behaviour...... (I was a few days short)

hey guys, you were telling me, "Antiviral vendors are aware of this problem, it was discussed in the past." so??? iDEFENSE took away my upcoming advisory. )O;

3APA3A, do you work for iDEFENSE???????

ANYWAYS, this isn't the first time an advisory has coincided with another........

cheese,
bipin

--- 3APA3A <3APA3A@...URITY.NNOV.RU> wrote:

> Dear bipin gautam,
>
> Actually my super antivirus easily detects eicar in nul.con. For
> example, for c:\NUL.CON\eicar.com
>
> try
>
> antieicar \\.\c:\NUL.CON\eicar.com
>
> Antiviral vendors are aware of this problem, it was discussed in the past.
>
> --Saturday, October 2, 2004, 9:57:52 PM, you wrote to full-disclosure@...ts.netsys.com:
>
> >> OK. I just wrote new super antivirus. Its databases currently consist
> >> of only the eicar.com signature (I'm very new in this business) but it
> >> 100% detects EICAR in the file with removed permissions :)
> >>
> >> http://www.security.nnov.ru/files/antieicar.zip
> >>
> >> Now, there is at least one antivirus to break your statement :)
> >>
>
> bg> good example 3APA3A to teach those software companies howto,
>
> bg> anyways... here is an archive,
>
> bg> http://www.geocities.com/visitbipin/antiPOC.zip
>
> bg> Extract the archive by using "DEFAULT ZIP MANAGER" of windows xp. It will create a file "NULL.con" (O;
> bg> within which there is an "eicar test string file".
>
> bg> I don't think your super AV will detect the "eicar test string file" within the "NULL.con" folder??? :)
>
> bg> anyways... let me know HOW? when you figure out how to delete the "NULL.con" directory.
>
> The problem specifically exists in attempts to scan files and directories named as reserved MS-DOS devices. Reserved MS-DOS device names are a holdover from the original days of Microsoft DOS. The reserved MS-DOS device names represent devices such as the first printer port (LPT1) and the first serial communication port (COM1). Sample reserved MS-DOS device names include AUX, CON, PRN, COM1 and LPT1. If a virus stores itself in a reserved device name it can avoid detection by Symantec Norton AntiVirus when the system is scanned. Symantec Norton AntiVirus will scan the files and folders containing the virus and fail to detect or report them. Reserved device names can be created with standard Windows utilities by specifying the full Universal Naming Convention (UNC) path. The following command will successfully copy a file to the reserved device name 'aux' on the C:\ drive:
>
> copy source \\.\C:\aux
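Added example, not part of the thread and not code from iDEFENSE, Symantec or 3APA3A: a small Python audit that a defender can run over a list of paths (from a file listing, backup index or scanner log) to flag any component a plain Win32 open() would parse as a device rather than a file, which is exactly the class of path the advisory says the scanner misses. The name list takes AUX, CON, PRN, COM1, LPT1 from the advisory and NUL from the thread and extends them to the full COM1-COM9 / LPT1-LPT9 Win32 set (an assumption about the rule a scanner should mirror); the sample paths are constructed for the example; the \\?\ prefix rewrite is the standard Win32 extended-length form that bypasses device-name parsing, assumed here as the way a scanner would open such paths.

```python
import re
from typing import Iterable, List, Tuple

# Reserved MS-DOS device names. AUX, CON, PRN, COM1, LPT1 come from the
# advisory quoted above and NUL from the thread; COM1-COM9 / LPT1-LPT9 is the
# usual Win32 set (assumption: a scanner should mirror the Win32 rule).
RESERVED_DEVICE_NAMES = frozenset(
    ["CON", "PRN", "AUX", "NUL"]
    + [f"COM{i}" for i in range(1, 10)]
    + [f"LPT{i}" for i in range(1, 10)]
)

# Matches a leading \\.\ or \\?\ namespace prefix, as in \\.\C:\aux
_DEVICE_PREFIX = re.compile(r"^\\\\[.?]\\")


def is_reserved_device_component(component: str) -> bool:
    """True if Win32 would treat this single path component as a device.

    Only the stem before the first '.' is compared, case-insensitively and
    with trailing spaces ignored, so NUL.CON, aux.txt and "con " all count
    while console.log, null and com10 do not.
    """
    stem = component.split(".", 1)[0].rstrip(" ")
    return stem.upper() in RESERVED_DEVICE_NAMES


def split_components(path: str) -> List[str]:
    """Split a Windows path into components, dropping any \\.\ or \\?\
    prefix, the drive letter and empty segments."""
    stripped = _DEVICE_PREFIX.sub("", path)
    parts = [p for p in re.split(r"[\\/]+", stripped) if p]
    if parts and re.fullmatch(r"[A-Za-z]:", parts[0]):
        parts = parts[1:]
    return parts


def find_reserved_paths(paths: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (path, offending_component) for every path containing a
    reserved-name directory or file, i.e. a path an ordinary scan would
    route to a device and therefore never inspect."""
    hits: List[Tuple[str, str]] = []
    for path in paths:
        for comp in split_components(path):
            if is_reserved_device_component(comp):
                hits.append((path, comp))
                break
    return hits


def extended_length_path(path: str) -> str:
    """Rewrite an absolute drive-letter path (or a \\.\ path) into the \\?\
    form, which skips the Win32 name parsing that turns 'aux' into the
    serial port. A scanner opening files this way reaches the contents of
    reserved-name directories instead of the device."""
    return "\\\\?\\" + _DEVICE_PREFIX.sub("", path)


# Constructed sample listing for the example; mixes the paths from the
# thread with near-misses that must NOT be flagged.
SAMPLE_PATHS = [
    r"C:\Users\test\report.docx",
    r"C:\NUL.CON\eicar.com",      # directory named after the NUL device
    r"\\.\C:\aux",                # file created with copy source \\.\C:\aux
    r"C:\temp\com1.txt",          # stem COM1 is reserved despite the extension
    r"C:\data\console.log",       # 'console' is not 'CON'
    r"C:\data\null\file.txt",     # 'null' is not 'nul'
]

if __name__ == "__main__":
    for path, comp in find_reserved_paths(SAMPLE_PATHS):
        print(f"reserved-name component {comp!r} in {path}; scanner should open {extended_length_path(path)}")
```

The audit flags a path on its first reserved component, so a file buried several levels under a CON or AUX directory is reported once; the rewrite to the \\?\ form is what the scanner itself has to use when opening the flagged path, since prefixing a relative path that way is not meaningful.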