Message-ID: <1229005203.20030917193957@SECURITY.NNOV.RU>
From: 3APA3A at SECURITY.NNOV.RU (3APA3A)
Subject: Exploiting Multiple Flaws in Symantec Antivirus 2004 for Windows Mobile

Dear auto9115@...hmail.com,

--Tuesday, September 16, 2003, 11:59:22 PM, you wrote to full-disclosure@...ts.netsys.com:

ahc> Like any antivirus scanner, Symantec detects the Eicar test virus
ahc> (eicar.exe or eicar.txt). At least, at first glance it appears to
ahc> detect it. However, you can easily defeat this by adding a few
ahc> bytes of random text before or after the Eicar string. For example,
ahc> if you use a hex/text editor

Probably you misunderstand what an antiviral signature is. It's not some
virus substring. When researching a virus, the antiviral vendor makes an
algorithm to catch the virus's behavior. If this virus is mutating, all
_possible_ mutations must be caught by the signature. The problem is, EICAR
with 'few random bytes' is not a possible mutation for EICAR, so catching
it is not required for an antiviral product :). And even more: catching a
changed EICAR string is invalid behaviour. In this case, you will not be
able to read the EICAR string on a web page or read it in an e-mail message,
as was suggested by the EICAR developers, because your antivirus will
incorrectly think the message or page is infected.

-- 
~/ZARAZA
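
The distinction drawn in the reply above, as an added example that is not part of the original message: a naive substring match compared with a check that follows the EICAR test-file definition (the 68-byte string at the start of the file, optionally followed only by space, tab, LF, CR or Ctrl-Z, total length at most 128 bytes). The function names and sample inputs are constructed for illustration.

```python
# Added example (not from the original post): why an EICAR "signature"
# is not a plain substring search.

# The 68-byte test string, assembled from pieces so this source file
# itself is not flagged by a scanner.
EICAR = (
    rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$"
    + b"EICAR-STANDARD-" + b"ANTIVIRUS-TEST-FILE!"
    + b"$H+H*"
)
ALLOWED_TRAILER = b" \t\n\r\x1a"   # space, tab, LF, CR, Ctrl-Z
MAX_LEN = 128                      # maximum length of a valid test file


def naive_match(data: bytes) -> bool:
    """Substring search: flags any content that merely quotes the string."""
    return EICAR in data


def strict_match(data: bytes) -> bool:
    """Match only a well-formed EICAR test file."""
    if len(data) > MAX_LEN or not data.startswith(EICAR):
        return False
    return all(b in ALLOWED_TRAILER for b in data[len(EICAR):])


# Constructed sample inputs.
SAMPLES = {
    "test file": EICAR,
    "test file + CRLF": EICAR + b"\r\n",
    "bytes prepended": b"abc" + EICAR,
    "bytes appended": EICAR + b"abc",
    "web page quoting it": b"<p>The test string is " + EICAR + b"</p>",
    "too much whitespace": EICAR + b" " * 100,
}


def compare() -> dict:
    """Return {sample name: (naive verdict, strict verdict)}."""
    return {name: (naive_match(d), strict_match(d)) for name, d in SAMPLES.items()}


if __name__ == "__main__":
    for name, (naive, strict) in compare().items():
        print(f"{name:22} naive={naive!s:5} strict={strict}")
```

The naive matcher reports the quoted web page as infected, which is the false positive the reply describes; the strict matcher accepts only the well-formed test file.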