lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sat Jun 10 22:36:33 2006
From: thegesus at gmail.com (TheGesus)
Subject: McAfee VirusScan Enterprise 8.0.0 Misidentifies
	EICAR Test File

REVISION 1.1
===========
Without "offensive" language.


PROBLEM
========

McAfee VirusScan Enterprise 8.0.0 (tested unpatched and with Patch 11)
using the 4781 DAT file (dated 06/09/2006, perhaps also previous) and
engine 4400 incorrectly identifies the "industry standard" EICAR test
file as Elspy.worm .


PROOF OF CONCEPT
=================
@echo off
:looper
REM Make file >128 bytes #################
REM ######################################
REM ######################################
REM ######################################
echo X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*>testfile
goto looper

Cut & paste the above into Notepad (lines may wrap), save as a Windows
CMD file & run it.

VirusScan will report an instance of Elspy.worm once every three seconds (YMMV).


RISK FACTOR
===========
I dunno... you could probably make your "Enterprise AntiVirus
Administrator" look like a clueless idiot.  That's always fun!


ADMISSION OF LAMENESS
=====================
Yes, this is lame.  It is also stupid that an "Enterprise" antivirus
package cannot identify an EICAR test file properly.  That's not MY
problem.  Also, I did ZERO research on this so if someone else has
already published, mea culpa.


VENDOR NOTIFICATION
==================
None.


HOLLA
=====
Greetz to Dad & the Woolly Spook!

Powered by blists - more mailing lists