lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
From: steve_scholz at sybari.com (Steve Scholz)
Subject: Re: [Private]Multiple AV
	VendorIncorrectCRC32BypassVulnerability.

Hi Bipin,
By design Eicar needs to be the exact string and on the first line with nothing else following it. So the file is not actually an Eicar I get this with advanced zip repair. So now we won't detect this because it is not Eicar.

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*PK...

     ./?0DF?-?   ?   	       .         eicar.comPK..    . . 7   k  

Steve Scholz
Corporate Sales Engineer-North America
Sybari Software, Inc.
631-630-8556 Direct
516-903-2464 Mobile

Email:  Steve_scholz@...ari.com

MSN IM:Steve_Scholz@....com (email never checked) 




-----Original Message-----
From: full-disclosure-bounces@...ts.grok.org.uk [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of bipin gautam
Sent: Saturday, March 12, 2005 1:03 PM
To: Steve Scholz
Cc: vuln@...unia.com; full-disclosure@...ts.grok.org.uk; bugtraq@...urityfocus.com
Subject: [Full-disclosure] Re: [Private]Multiple AV VendorIncorrectCRC32BypassVulnerability.

Steve,
firstly... thankyou for all your coments.

> The Antigen_s.zip does not contain a valid Eicar
> this info when repaired
> and opened is X5O!P%@AP[4\PZX
> We did catch it with a file filter.
> What was your intent with these files?

OOPS! again my fault!!!
TRY: http://www.geocities.com/visitbipin/Antigen.zip

my intension was to show, if the archive has
compressed size and uncompressed size set to greater
than the actual file size or less than the actual file
size there are many AV that can't scan the file
properly.

send  http://www.geocities.com/visitbipin/Antigen.zip
 to virustotal.com and see for yourself!!!

Download Accelerator successfully repairs this archive
with some garbage data \x00 at the end "255 bytes"
Though, i was able to successfully execute eicar.com

-bipin
updates at:
http://www.geocities.com/visitbipin/crc.html
___________________My report!_______________________
This is a report processed by VirusTotal on 03/12/2005
at 18:38:32 (CET) after scanning the file
"Antigen.zip" file. 
 
Antivirus	Version	Update	Result	   
AntiVir	6.30.0.5 03.11.2005	Eicar-Test-Signature	   
AVG	718	03.11.2005	EICAR_Test (+187)	   
BitDefender 7.0	03.12.2005      no virus found	   
ClamAV	devel-20050307	03.10.2005 Eicar-Test-Signature	
  
DrWeb	4.32b	03.12.2005 no virus found	   
eTrust-Iris 7.1.194.0 03.12.2005 no virus found	   
eTrust-Vet 11.7.0.0 03.11.2005 no virus found	   
Fortinet 2.51	03.11.2005	no virus found	   
F-Prot	3.16a	03.11.2005	EICAR_Test_File	   
Ikarus	2.32	03.11.2005	EICAR-ANTIVIRUS-TESTFILE	   
Kaspersky	4.0.2.24	03.12.2005	EICAR-Test-File	   
McAfee	4445	03.11.2005	no virus found	   
NOD32v2	1.1024	03.11.2005	archive damaged	   
Norman	5.70.10	03.10.2005	no virus found	   
Panda	8.02.00	03.12.2005	Eicar.Mod	   
Sybari	7.5.1314 03.12.2005	no virus found	   
Symantec 8.0	03.11.2005	no virus found	 



		
__________________________________ 
Do you Yahoo!? 
Yahoo! Small Business - Try our new resources site!
http://smallbusiness.yahoo.com/resources/ 
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/



Powered by blists - more mailing lists