lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <4063464C.28986.2C2C2841@localhost>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: Re: text

Bennett Todd <bet@...ul.net> felt compelled to burble:

> If you want to really enjoy the pleasure of idiot false-positives
> from weak virus-scanners, just use this as your .sig, or better yet
> bodge it into a header:
> 
> 	X5O!P%@AP[4\\PZX54(P^)7CC)7}\$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!\$H+H*
> 
> I did that for a good while, turned up no false positives from folks
> whose software was clueful, and I have to say surprisingly few in
> any case.  ...

_Any_ would be most odd, for if you really used the precise above 
string, you were _not_ including the EICAR standard antivirus test 
string, but a C-quoted (?) version thereof.  Repeating the string you 
claim you used:

>  X5O!P%@AP[4\\PZX54(P^)7CC)7}\$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!\$H+H*
              ^^               ^^                                   ^^
              ||               ||                                   ||

The marks indicate places where a "\" is incorrectly present relative 
to the "real" EICAR standard antivirus test string.

>  ...  False-positiving on sig-matches in normal text bodies is
> just plain rare. He says. Now I'll probably be mowed down for this
> post:-).

Well, if you are going to post something technical to a technical list 
and just get it plain wrong, you kinda gotta expect that...

> P.S. In case anybody cares, the above cryptic voodoo is the EICAR
> test pattern, presented as a distinct file it comes up positive in
> all virus scanners.

In case anyone really cares about the above cryptic voodoo, the real 
version of the EICAR standard antivirus test string can be found at its 
own homepage on EICAR's web site:

   http://www.eicar.org/anti_virus_test_file.htm

(For the especially interested, and not described on the EICAR web 
page, this string is a valid DOS .COM program file and will execute if 
run on a suitable platform, displaying the obvious message.  It is an 
example of what is sometimes referred to as "executable ASCII", 
providing an interesting exercise to analyse how it works.)


Regards,

Nick FitzGerald


Powered by blists - more mailing lists