Open Source and information security mailing list archives
Message-ID: <WorldClient-F200505091604.AA04480282@butn.net>
Date: Mon, 09 May 2005 16:04:48 +0200
From: "xerces8" <xerces8@...n.net>
To: bugtraq@...urityfocus.com
Subject: Viruses can evade Sophos Anti-Virus


Hi!

Product : Sophos Anti-Virus v3.93 (Client)
(SAV from now on)
OS : Microsoft Windows
Vendor informed ? : CCed on this post


What : Infected files can evade detection and be executed

Procedure :

 - install SAV in client mode.
 - download an infected file (http://www.eicar.org/download/eicar.com from
http://www.eicar.org/anti_virus_test_file.htm is a good test example) to
the Desktop
 - reboot
 - on next boot/login, double click the infected file on the desktop

Result : infected file is executed with no intervention from SAV

Details :

By default SAV does not check files when written, only when read or executed.
Therefore the download does not trigger any warnings.
Note that some download software does not simply save the downloaded file, but
saves it to a temporary location and then copies it to the final destination,
which involves file reading and triggers SAV warning (IE 6.x). Some others,
like wget, try to change the file time and also trigger a warning. FireFox 1.0.3
does not trigger any warning.

On boot/login, SAV is not immediately running (can be seen also by the color of the
systray indicator icon, "InterCheck Monitor"). It takes several seconds, depending
on system configuration, until SAV is fully functional. During that time there is no
virus protection. A user can start the file he downloaded in the previous session.

Note : the used example file eicar.com does not work directly in modern Windows versions.
For testing I recommend using a short script :
command /c eicar
pause

saved as runit.bat on the Desktop.

Affected software : Sophos Antivirus v3.93 (client mode) on MS Windows Server 2003

Probably affected software :
 - Sophos Anti-Virus v3.93 (client mode) on other Windows versions
 - other antivirus software that might behave similarly (not tested by message author)

Regards,
David Balazic, computer user
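The on-write versus on-read distinction the post describes can be checked on any host with a small script. The following is an added example, not part of the original post and not Sophos' own tooling: it writes the standard EICAR test string (the same test file the post references) to a temporary directory, waits, and then reads it back, reporting at which point an on-access scanner intervened. The settle delay and the file name eicar.com are assumptions; on a host with no on-access scanner all three results come back True.

```python
import os
import tempfile
import time

# Standard 68-byte EICAR test string, as served by eicar.org (the post's test file).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def eicar_bytes() -> bytes:
    """Return the EICAR test string."""
    return EICAR


def write_test_file(directory: str, name: str = "eicar.com") -> str:
    """Write the test file into `directory` (name is an assumption) and return its path."""
    path = os.path.join(directory, name)
    with open(path, "wb") as f:
        f.write(EICAR)
    return path


def probe_on_access(directory: str, settle: float = 2.0) -> dict:
    """Report what an on-access scanner did to a freshly written EICAR file.

    written:             the write itself succeeded (nothing blocked it on write)
    present_after_write: file still on disk after `settle` seconds (no on-write cleanup)
    readable:            read-back returned the full string (no on-read block/quarantine)

    A scanner configured as the post describes (scan on read only) gives
    written=True, present_after_write=True and then readable=False.
    """
    result = {"written": False, "present_after_write": False, "readable": False}
    try:
        path = write_test_file(directory)
        result["written"] = True
    except OSError:
        return result
    time.sleep(settle)
    result["present_after_write"] = os.path.exists(path)
    try:
        with open(path, "rb") as f:
            result["readable"] = f.read() == EICAR
    except OSError:
        result["readable"] = False
    if os.path.exists(path):
        os.remove(path)  # clean up so the test file does not linger on disk
    return result


def self_test(settle: float = 0.0) -> dict:
    """Run the probe in a throwaway directory and return its result."""
    with tempfile.TemporaryDirectory() as d:
        return probe_on_access(d, settle)


if __name__ == "__main__":
    print(self_test(settle=2.0))
```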



