Open Source and information security mailing list archives
From: visitbipin at yahoo.com (bipin gautam)
Subject: Re: Multiple AV Vendor Incorrect CRC32 Bypass Vulnerability.

> While it might be a vulnerability if the file is
> extracted which it has to be to be executed the
> desktop scanner will detect it at that time.
> Multiple layers of defense is your best option
> As far as number 3 Antigen detects Eicar.

YAP, I never reported Antigen vulnerable to the 3rd one. Though, in the local file header, if you modify the "general purpose bit flag" (7th & 8th byte of a zip archive) with \x2f, Antigen also seems to be vulnerable! While most unzip utilities are transparently able to extract SUCH* archive without any problem! Though, currently my only source of verifying this is via www.virustotal.com and some others. [Go, TRY IT THERE!]

http://www.geocities.com/visitbipin/gpbf.zip

> I can see if there is anything
> else that you do not
> think Antigen is doing correctly.

(O; For instance, in the "local file header" & "data descriptor", if you change the compressed size and uncompressed size to ZERO [iDEFENSE], or greater than the actual file size, or less than the actual file size, there are still many AV that can't scan the file properly.

http://www.geocities.com/visitbipin/Antigen_b.zip
http://www.geocities.com/visitbipin/Antigen_s.zip

Moreover, there are unzip utilities that go into a loop if the filesize is changed to ffffffff! Let's hope AV don't have such faulty code! Just run the file through www.virustotal.com and you'll see. (I know, they aren't using an up-to-date scan engine.)

Thanks,
bipin
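Added example, not part of the original post or of any vendor's code: a scanner-side check that compares each ZIP local file header (flags at bytes 7-8, sizes at offsets 18 and 22) with the matching central directory entry and reports any disagreement, which is the condition the post describes. The function names and the sample archive are constructed for illustration, and ZIP64 archives are assumed not to occur.

```python
import io
import struct
import zipfile

# Local file header: sig, version, flags, method, time, date, crc32,
# compressed size, uncompressed size, name length, extra length (30 bytes).
LFH = struct.Struct("<4sHHHHHIIIHH")
DESCRIPTOR_BIT = 0x08  # bit 3: CRC and sizes follow the data instead

def audit_zip(data: bytes) -> list:
    """List fields where a local file header disagrees with the central directory."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:  # parses the central directory only
        for info in zf.infolist():
            off = info.header_offset
            if off + LFH.size > len(data) or data[off:off + 4] != b"PK\x03\x04":
                findings.append(f"{info.filename}: no local header at offset {off}")
                continue
            _, _, flags, method, _, _, crc, csize, usize, _, _ = LFH.unpack_from(data, off)
            # Zeroed CRC/sizes are legitimate only if both headers announce a descriptor.
            deferred = bool(flags & info.flag_bits & DESCRIPTOR_BIT)
            checks = [
                ("flags", flags, info.flag_bits, False),
                ("method", method, info.compress_type, False),
                ("crc32", crc, info.CRC, deferred),
                ("compressed size", csize, info.compress_size, deferred),
                ("uncompressed size", usize, info.file_size, deferred),
            ]
            for name, local, central, may_be_zero in checks:
                if local == central or (may_be_zero and local == 0):
                    continue
                findings.append(f"{info.filename}: {name} local={local:#x} central={central:#x}")
    return findings

def build_sample() -> bytes:
    """Constructed one-member archive; its local header starts at offset 0."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("note.txt", "constructed sample payload\n" * 4)
    return buf.getvalue()

def patch(data: bytes, offset: int, fmt: str, value: int) -> bytes:
    """Overwrite one header field in a copy of the constructed sample."""
    out = bytearray(data)
    struct.pack_into(fmt, out, offset, value)
    return bytes(out)

if __name__ == "__main__":
    clean = build_sample()
    print(audit_zip(clean))                                          # consistent headers
    print(audit_zip(patch(clean, 6, "<H", 0x2F2F)))                  # flag bytes set to \x2f
    print(audit_zip(patch(patch(clean, 18, "<I", 0), 22, "<I", 0)))  # sizes zeroed
```

A gateway that treats any finding as "could not scan, quarantine" fails closed on archives whose two headers disagree, instead of trusting whichever header its parser happens to read.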