Date: Sat Jun 10 22:36:33 2006
From: thegesus at gmail.com (TheGesus)
Subject: McAfee VirusScan Enterprise 8.0.0 Misidentifies EICAR Test File

REVISION 1.1
===========
Without "offensive" language.

PROBLEM
========
McAfee VirusScan Enterprise 8.0.0 (tested unpatched and with Patch 11)
using the 4781 DAT file (dated 06/09/2006, perhaps also previous) and
engine 4400 incorrectly identifies the "industry standard" EICAR test
file as Elspy.worm .

PROOF OF CONCEPT
=================
@echo off
:looper
REM Make file >128 bytes #################
REM ######################################
REM ######################################
REM ######################################
echo X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*>testfile
goto looper

Cut & paste the above into Notepad (lines may wrap), save as a Windows
CMD file & run it. VirusScan will report an instance of Elspy.worm
once every three seconds (YMMV).

RISK FACTOR
===========
I dunno... you could probably make your "Enterprise AntiVirus
Administrator" look like a clueless idiot. That's always fun!

ADMISSION OF LAMENESS
=====================
Yes, this is lame. It is also stupid that an "Enterprise" antivirus
package cannot identify an EICAR test file properly. That's not MY
problem.

Also, I did ZERO research on this so if someone else has already
published, mea culpa.

VENDOR NOTIFICATION
==================
None.

HOLLA
=====
Greetz to Dad & the Woolly Spook!
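Added example, not part of the original post: a small Python checker for EICAR's published definition of the test file (the 68-character string at offset 0, followed only by space, tab, CR, LF or Ctrl-Z, whole file at most 128 bytes), useful when triaging whether a scanner was expected to name a given file as the EICAR test file at all. The function names and the sample inputs are constructed here for illustration.

```python
# Added example: classify bytes against the EICAR test-file definition.
# Rules assumed from EICAR's published description: the 68-character string
# must start the file, may be followed only by whitespace, total <= 128 bytes.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
ALLOWED_TRAILER = b" \t\r\n\x1a"  # space, tab, CR, LF, Ctrl-Z
MAX_LEN = 128


def classify(data: bytes) -> str:
    """Return how `data` relates to the EICAR test-file definition."""
    if data.startswith(EICAR):
        if len(data) > MAX_LEN:
            return "starts-with-string-but-too-long"
        trailer = data[len(EICAR):]
        # Anything left after stripping permitted whitespace is foreign content.
        if trailer.strip(ALLOWED_TRAILER):
            return "starts-with-string-but-bad-trailer"
        return "conformant"
    if EICAR in data:
        return "string-embedded-not-at-start"
    return "no-eicar-string"


def constructed_samples() -> dict:
    """Constructed inputs for the demo; none were captured from a real system."""
    script = (b"@echo off\r\n:looper\r\nREM " + b"#" * 120 + b"\r\n"
              + b"echo " + EICAR + b">testfile\r\ngoto looper\r\n")
    return {
        "bare": EICAR,
        "with_crlf": EICAR + b"\r\n",
        "padded_over_128": EICAR + b" " * 61,   # 129 bytes in total
        "junk_after": EICAR + b"junk",
        "script_like": script,                  # string present, not at offset 0
        "unrelated": b"hello world\r\n",
    }


def report() -> dict:
    """Classify every constructed sample and return name -> verdict."""
    return {name: classify(blob) for name, blob in constructed_samples().items()}


if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name:16} {verdict}")
```

Only the "conformant" verdict describes a file that a scanner supporting the test file is expected to report as EICAR; the other verdicts are cases where that expectation does not apply.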