lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
From: visitbipin at yahoo.com (bipin gautam)
Subject: iDEFENSE Security Advisory 10.05.04b: Symantec Norton AntiVirus Reserved Device Name Handling Vulnerability

hi iDEFENSE,

What a coincidence, This is what i was talking about
with few others in the list... a day 
back!!! I myself saw this behavoir...... (i was a few
days short) hay guys you were telling me, "Antiviral
vendors aware about this problem, it was discussed in
past." so??? iDEFENSE took away my upcomming advisort.
)O;

3APA3A, do you work for iDEFENSE???????

ANYWAYS, this isn't a first time a advisory has
coinside with other........

cheese,
bipin

--- 3APA3A <3APA3A@...URITY.NNOV.RU> wrote:

> Dear bipin gautam,
> 
> Actually  my  super  antivirus  easily  detects 
> eicar  in  nul.con. For
> example, for c:\NUL.CON\eicar.com
> 
> try
> 
> antieicar \\.\c:\NUL.CON\eicar.com
> 
> Antiviral vendors aware about this problem, it was
> discussed in past.
> 
> --Saturday, October 2, 2004, 9:57:52 PM, you wrote
> to full-disclosure@...ts.netsys.com:
> 
>  
> >> OK.  I  just wrote new super antivirus. It's
> >> databases currently consist
> >> from  only  eicar.com  signature  (I'm very new
> in
> >> this business) but it
> >> 100% detects EICAR in the file with removed
> >> permissions :)
> >> 
> >> http://www.security.nnov.ru/files/antieicar.zip
> 
> >> Now, there is at least one antivirus to break
> your
> >> statement :)
> >> 
> 
> 
> bg> good example 3APA3A to teach those software
> companies
> bg> howto, 
> 
> bg> anyways... here is a archive, 
> 
> bg> http://www.geocities.com/visitbipin/antiPOC.zip
> 
> bg> Extract the archive by using "DEFAULT ZIP
> MANAGER" of
> bg> windows xp. It will create a file "NULL.con" (O;
> bg> within which there is a "eicar test string
> file". 
> 
> bg> I don't think your super AV will detect the
> "eicar
> bg> test string file" withing "NULL.con" folder???
> :)
> 
> bg> anyways... let me know HOW? when you figure out
> to how
> bg> to delete "NULL.con" directory.
> 
> 

> The problem specifically exists in attempts to scan
> files and
> directories named as reserved MS-DOS devices.
> Reserved MS-DOS device
> names are a hold over from the original days of
> Microsoft DOS. The
> reserved MS-DOS device names represent devices such
> as the first printer
> port (LPT1) and the first serial communication port
> (COM1). Sample
> reserved MS-DOS device names include AUX, CON, PRN,
> COM1 and LPT1. If a
> virus stores itself in a reserved device name it can
> avoid detection by
> Symantec Norton AntiVirus when the system is
> scanned. Symantec Norton
> AntiVirus will scan the files and folders containing
> the virus and fail
> to detect or report them. reserved device names can
> be creating with
> standard Windows utilities by specifying the full
> Universal Naming
> Convention (UNC) path. The following command will
> successfully copy a
> file to the reserved device name 'aux' on the C:\
> drive:
> 
>     copy source \\.\C:\aux
> 
>


		
_______________________________
Do you Yahoo!?
Declare Yourself - Register online to vote today!
http://vote.yahoo.com


Powered by blists - more mailing lists