Message-ID: <4063464C.28986.2C2C2841@localhost>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: Re: text

Bennett Todd <bet@...ul.net> felt compelled to burble:

> If you want to really enjoy the pleasure of idiot false-positives
> from weak virus-scanners, just use this as your .sig, or better yet
> bodge it into a header:
>
> X5O!P%@AP[4\\PZX54(P^)7CC)7}\$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!\$H+H*
>
> I did that for a good while, turned up no false positives from folks
> whose software was clueful, and I have to say surprisingly few in
> any case. ...

_Any_ would be most odd, for if you really used the precise above
string, you were _not_ including the EICAR standard antivirus test
string, but a C-quoted (?) version thereof. Repeating the string you
claim you used:

> X5O!P%@AP[4\\PZX54(P^)7CC)7}\$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!\$H+H*
             ^^               ^^                                   ^^
             ||               ||                                   ||

The marks indicate places where a "\" is incorrectly present relative
to the "real" EICAR standard antivirus test string.

> ... False-positiving on sig-matches in normal text bodies is
> just plain rare. He says. Now I'll probably be mowed down for this
> post:-).

Well, if you are going to post something technical to a technical list
and just get it plain wrong, you kinda gotta expect that...

> P.S. In case anybody cares, the above cryptic voodoo is the EICAR
> test pattern, presented as a distinct file it comes up positive in
> all virus scanners.

In case anyone really cares about the above cryptic voodoo, the real
version of the EICAR standard antivirus test string can be found at its
own homepage on EICAR's web site:

   http://www.eicar.org/anti_virus_test_file.htm

(For the especially interested, and not described on the EICAR web
page, this string is a valid DOS .COM program file and will execute if
run on a suitable platform, displaying the obvious message. It is an
example of what is sometimes referred to as "executable ASCII",
providing an interesting exercise to analyse how it works.)

Regards,
Nick FitzGerald
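
The comparison made in the message above, as an added example that is not part of the original post: it locates the stray backslashes in the quoted string and checks candidate files against EICAR's published file rules. The canonical 68-byte string, the trailing-whitespace rule and the 128-byte limit are taken from EICAR's definition rather than from this post, and the function names are hypothetical.

```python
from typing import List, Optional

# Canonical 68-byte test string (from EICAR's definition, not from the post),
# split in two so this source does not contain it as one contiguous run.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-" + rb"STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# The string exactly as quoted in the post above.
POSTED = rb"X5O!P%@AP[4\\PZX54(P^)7CC)7}\$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!\$H+H*"

# Trailing bytes EICAR's definition allows: space, tab, LF, CR, Ctrl-Z.
ALLOWED_TRAILING = b" \t\n\r\x1a"
MAX_FILE_LEN = 128


def is_eicar_file(data: bytes) -> bool:
    """True only if data starts with the 68 bytes, is followed solely by
    allowed whitespace, and is at most 128 bytes long."""
    if len(data) > MAX_FILE_LEN or not data.startswith(EICAR):
        return False
    return all(b in ALLOWED_TRAILING for b in data[len(EICAR):])


def stray_backslashes(candidate: bytes) -> Optional[List[int]]:
    """Offsets of backslashes that must be deleted from candidate to obtain
    the canonical string; None if it differs in any other way."""
    extra, i = [], 0
    for pos, byte in enumerate(candidate):
        if i < len(EICAR) and byte == EICAR[i]:
            i += 1                      # byte belongs to the canonical string
        elif byte == 0x5C:              # an extra "\" (escape residue)
            extra.append(pos)
        else:
            return None
    return extra if i == len(EICAR) else None


if __name__ == "__main__":
    # Constructed samples: a stand-alone file, the posted string, and a
    # mail body carrying the canonical string in a signature.
    samples = {
        "standalone + CRLF": EICAR + b"\r\n",
        "as posted": POSTED,
        "inside a .sig": b"-- \nBennett\n" + EICAR + b"\n",
    }
    for name, data in samples.items():
        print(f"{name:18} is_eicar_file={is_eicar_file(data)}")
    print("stray backslash offsets in posted string:", stray_backslashes(POSTED))
```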