Date: Sun Jun 11 01:49:44 2006
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: McAfee VirusScan Enterprise 8.0.0 Misidentifies EICAR Test File

TheGesus wrote:

> REVISION 1.1
> ===========
> Without "offensive" language.

Where's the fun in that??    8-)

> PROBLEM
> ========
> 
> McAfee VirusScan Enterprise 8.0.0 (tested unpatched and with Patch 11)
> using the 4781 DAT file (dated 06/09/2006, perhaps also previous) and
> engine 4400 incorrectly identifies the "industry standard" EICAR test
> file as Elspy.worm .

Actually, it doesn't.

I mean, I take your word for it that, in your testing, VirusScan 
detected "Elspy.worm" as a result of running that .CMD file (my own 
tests with a console version of VirusScan against the "testfile" 
resulting from the following reported "Found the Elspy.worm virus !!!", 
so I'm happy to accept the on-access scanner will do something 
similar), but VirusScan is NOT detecting this in 'the "industry 
standard" EICAR test file'.

> PROOF OF CONCEPT
> =================
> @echo off
> :looper
> REM Make file >128 bytes #################
> REM ######################################
> REM ######################################
> REM ######################################
> echo X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*>testfile
> goto looper
> 
> Cut & paste the above into Notepad (lines may wrap), save as a Windows
> CMD file & run it.

You mention "CMD" so I'm assuming the version(s) of Windows you tested 
this on were NT-based rather than Win16 or Win9x.

> VirusScan will report an instance of Elspy.worm once every three seconds (YMMV).

As I already said, I'll take your word for this detection, BUT your 
claim is outright wrong.

Did you actually look at the "testfile" created by your naïve .CMD 
file?

The first thing I noticed was that it was the wrong size.  I expected 
it would be 69 bytes (more on why in a moment), but in fact it was even 
shorter at 68 bytes.

68 bytes is the length of the bare test string.  The official EICAR 
specification for the test file:

   http://www.eicar.org/anti_virus_test_file.htm

says that the file MUST start with the 68-byte string we see in your 
.CMD file and that it "may be optionally appended by any combination of 
whitespace characters with the total file length not exceeding 128 
characters. The only whitespace characters allowed are the space 
character, tab, LF, CR, CTRL-Z."

As the ECHO command necessarily emits a CRLF line-break, had your .CMD 
file worked as expected, one would have seen "testfile" at 70 bytes 
(the 68 of the EICAR test string, plus the two from ECHO's CRLF).

I said I was, however, expecting it to be 69 bytes.  Why?

Well, you did not escape the "%" character (the sixth in the EICAR test 
string), and _within .BAT and .CMD file_ these have special meaning, 
such that they are stripped unless protected by escaping ("%%"), and 
possibly in some instances with quoting.

In actuality though, "testfile" ends up being 68 bytes.  A quick look 
at "testfile" shows that the caret ("^"; the 20th character in the 
EICAR test string) has also been dropped, reminding me that it is also 
a special character (even at the bare commandline this time) and must 
also be escaped/quoted if intended to be treated as a literal.

> RISK FACTOR
> ===========
> I dunno... you could probably make your "Enterprise AntiVirus
> Administrator" look like a clueless idiot.  That's always fun!

If this makes him/her look any more of a clueless idiot than it makes 
you look, then I guess, as they say, your organization has bigger 
problems...

> ADMISSION OF LAMENESS
> =====================
> Yes, this is lame.  It is also stupid that an "Enterprise" antivirus
> package cannot identify an EICAR test file properly.  That's not MY
> problem.  Also, I did ZERO research on this so if someone else has
> already published, mea culpa.

Now, I'm not entirely disagreeing that it is strange that VirusScan 
detects this weirdly mutant, "non-EICAR test file", but it certainly is 
NOT mis-identifying 'the "industry standard" EICAR test file'.

As for your lameness in missing that the file you were generating was 
NOT the file you were trying to generate -- I'll leave that up to 
others to decide...

> VENDOR NOTIFICATION
> ==================
> None.

Pity -- you might have saved yourself the embarrassment of this public 
disclosure of your lameness.

> HOLLA
> =====
> Greetz to Dad & the Woolly Spook!

They must be sooooo proud of you...


Regards,

Nick FitzGerald
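
The two technical points in the reply above, the EICAR file rules (68-byte string, optional trailing whitespace limited to space/tab/LF/CR/CTRL-Z, 128 bytes total) and the way cmd.exe consumes the unescaped "%" and "^" so that the .CMD file writes a 68-byte non-EICAR file, can be checked offline. The following is an added example, not code from the mail or from either poster. validate_eicar() applies the spec as quoted; simulate_cmd_echo() is a deliberately simplified model (an assumption, not a cmd.exe reimplementation) of how a batch-file ECHO treats an unmatched "%" and a "^" escape on this one line; escape_for_cmd() shows the "%%"/"^^" escaping the mail says was missing. The test string is stored as a Python bytes literal with a doubled backslash, so the raw 68-byte sequence never appears verbatim in the source file and nothing is written to disk.

```python
"""Check bytes against the EICAR test-file rules and model what cmd.exe's ECHO
writes when the test string is echoed without escaping.

Added example (not from the original mail). simulate_cmd_echo() is a simplified
sketch of cmd.exe's '%' and '^' handling (assumption), enough for this one line.
"""
from typing import Tuple

# The 68-byte EICAR test string (the backslash is doubled only for Python syntax).
EICAR_STRING = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Whitespace the spec allows after the string: space, tab, LF, CR, CTRL-Z.
ALLOWED_TRAILER = {0x20, 0x09, 0x0A, 0x0D, 0x1A}
MAX_LENGTH = 128


def validate_eicar(data: bytes) -> Tuple[bool, str]:
    """Return (is_valid, reason) per the EICAR file rules quoted in the mail."""
    if len(data) > MAX_LENGTH:
        return False, f"file is {len(data)} bytes, limit is {MAX_LENGTH}"
    if not data.startswith(EICAR_STRING):
        return False, "file does not start with the 68-byte EICAR string"
    trailer = data[len(EICAR_STRING):]
    bad = [b for b in trailer if b not in ALLOWED_TRAILER]
    if bad:
        return False, f"trailer contains non-whitespace byte 0x{bad[0]:02x}"
    return True, f"valid EICAR test file ({len(data)} bytes)"


def simulate_cmd_echo(arg: bytes) -> bytes:
    """Simplified model (assumption) of what 'echo <arg>>file' writes from a .CMD file.

    - '%%' becomes '%'; a lone '%' with no closing '%' on the line is dropped,
      because cmd.exe treats it as an empty variable reference.
    - '^' escapes the next character and is itself dropped.
    ECHO then appends CRLF.
    """
    out = bytearray()
    i = 0
    while i < len(arg):
        c = arg[i]
        if c == ord("%"):
            closing = arg.find(b"%", i + 1)
            if closing == i + 1:           # '%%' -> literal '%'
                out.append(c)
                i += 2
                continue
            if closing == -1:              # unmatched '%' is silently removed
                i += 1
                continue
            # A '%name%' pair would be a variable expansion; none occur in the
            # EICAR line, so treat it as an undefined variable expanding to nothing.
            i = closing + 1
            continue
        if c == ord("^"):
            i += 1                         # drop the caret, keep what it escapes
            if i < len(arg):
                out.append(arg[i])
                i += 1
            continue
        out.append(c)
        i += 1
    return bytes(out) + b"\r\n"


def escape_for_cmd(s: bytes) -> bytes:
    """Escape the characters cmd.exe would otherwise consume: '%' -> '%%', '^' -> '^^'."""
    return s.replace(b"%", b"%%").replace(b"^", b"^^")


if __name__ == "__main__":
    broken = simulate_cmd_echo(EICAR_STRING)                  # what the posted .CMD writes
    fixed = simulate_cmd_echo(escape_for_cmd(EICAR_STRING))   # with the escaping added
    for label, blob in (("unescaped echo", broken), ("escaped echo", fixed)):
        ok, why = validate_eicar(blob)
        print(f"{label}: {len(blob)} bytes, valid={ok} ({why})")
```

Run stand-alone, the unescaped path yields 68 bytes with both the "%" and the "^" missing, which validate_eicar() rejects, while the escaped path yields the 70 bytes (68 plus CRLF) the mail says a working .CMD file would have produced and which the spec accepts.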
