Message-ID: <F6C3E684F292D14E9BC8A6626231455C04A6C2@exchange.positivenetworks.net>
From: jason at positivenetworks.net (Jason Sloderbeck)
Subject: Exploiting Multiple Flaws in Symantec Antivirus 2004 for Windows Mobile

See the definition of the EICAR test file:
http://www.eicar.org/anti_virus_test_file.htm

"Any anti-virus product that supports the EICAR test file should detect
it in any file providing that the file starts with the following 68
characters, and is exactly 68 bytes long."

-Jason

-----Original Message-----
From: auto9115@...hmail.com [mailto:auto9115@...hmail.com] 
Sent: Tuesday, September 16, 2003 2:59 PM
To: full-disclosure@...ts.netsys.com
Subject: [Full-Disclosure] Exploiting Multiple Flaws in Symantec
Antivirus 2004 for Windows Mobile


Exploiting Multiple Flaws in Symantec Antivirus 2004 for Windows Mobile
Version tested: 3.0.0.194 (latest version)
Date: Sept. 13, 2003

Background: Viruses have started to show up on Personal Data Assistants
(PDAs) and handheld wireless devices. Although there are currently no
viruses in the wild that infect the Windows CE operating system, many
companies have released virus scanners for Windows Mobile (formerly
PocketPC). Examples include PC-cillin, Airscanner, F-secure, and McAfee.
Since McAfee was recently selected to go OEM on all new Dell Axim
handhelds, Symantec scrambled to get a product out. They have just
released their final version (available for $39.99 for a one-year
license), but unfortunately, in the scramble to release it they
apparently forgot to test it to see if it is working ;)

Vulnerability #1: Real-time scanning appears to not work.

Symantec is currently the only AV company that claims to do real-time
scanning in the background on Windows CE. This claim gives them a
significant market advantage. However, we can see that it is not true
real-time scanning. For example, if the scanner is active in memory and
you open the famous Eicar test virus (eicar.exe) into RAM, the scanner
does not detect it. It is not until you "save" a copy of a file with the
Eicar to your file system that Symantec detects it. So it is not
real-time scanning of viral code, but rather just a simple monitor to
activate a scan any time a file is saved. Therefore, this does not
protect against hostile code active in RAM.

Vulnerability #2: The virus scanner does not appear to work at all!

Like any antivirus scanner, Symantec detects the Eicar test virus
(eicar.exe or eicar.txt). At least, at first glance it appears to
detect it. However, you can easily defeat this by adding a few bytes of
random text before or after the Eicar string. For example, if you use a
hex/text editor to add a few random bytes of text before and after the
string, then Symantec won't detect it! However, other AVs easily detect
it, as they should. An AV scanner should be able to detect a byte stream
anywhere in the file, but Symantec is easily bypassed with this
rudimentary trick.

These exploits have not been submitted to Bugtraq, since that mailing
list is now owned by Symantec, and they have more "selective" full
disclosure than this list.

Don Cheatham
Wireless Network Engineer
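To make the disagreement between the two messages concrete, here is an added example (written for this page, not code from either poster): a small Python classifier that implements the EICAR rule Jason quotes and applies it to the kind of modified files Don describes. The tolerated trailing whitespace and the 128-byte ceiling are taken from the full EICAR definition rather than the excerpt quoted above, and the "contains" label is my own naming.

```python
# Added example: classify a file body against the EICAR test-file rule.
# A file is an EICAR test file only if it STARTS with the 68-character
# string; the definition says nothing about the string appearing elsewhere.

# The 68-character EICAR string, assembled from two pieces so that this
# source file itself is not quarantined by a scanner matching the literal.
EICAR_STRING = (
    b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
    b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
)
assert len(EICAR_STRING) == 68

# From the full EICAR definition (assumption beyond the quoted excerpt):
# after the 68 characters, only whitespace (space, tab, LF, CR, CTRL-Z)
# may follow, and the whole file may not exceed 128 bytes.
TRAILING_ALLOWED = b" \t\n\r\x1a"
MAX_EICAR_LEN = 128


def classify(data: bytes) -> str:
    """Return "eicar" for a valid EICAR test file, "contains" when the
    68-byte string is present but the file does not meet the definition
    (so a scanner is not obliged to flag it), and "clean" otherwise."""
    if data.startswith(EICAR_STRING):
        tail = data[len(EICAR_STRING):]
        if len(data) <= MAX_EICAR_LEN and all(b in TRAILING_ALLOWED for b in tail):
            return "eicar"
        return "contains"
    if EICAR_STRING in data:
        return "contains"
    return "clean"


def mutate(prefix: bytes = b"", suffix: bytes = b"") -> bytes:
    """Build the modified file the original post describes: the EICAR
    string with a few constructed bytes of text before and/or after it."""
    return prefix + EICAR_STRING + suffix


if __name__ == "__main__":
    # Constructed sample inputs, one per case discussed in the thread.
    samples = {
        "pristine eicar.txt": EICAR_STRING,
        "eicar.txt with CRLF": EICAR_STRING + b"\r\n",
        "bytes added before": mutate(prefix=b"abc"),
        "bytes added after": mutate(suffix=b"xyz"),
        "bytes before and after": mutate(b"abc", b"xyz"),
        "unrelated file": b"hello world",
    }
    for name, body in samples.items():
        print(f"{name:24s} -> {classify(body)}")
```

Only the first two samples are files the EICAR definition obliges a scanner to detect; the padded variants are "contains" cases, which is exactly the distinction Jason's reply draws.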


