lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
From: 3APA3A at SECURITY.NNOV.RU (3APA3A)
Subject: All Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bugs. [Part IV]

Dear bipin gautam,

Actually  my  super  antivirus  easily  detects  eicar  in  nul.con. For
example, for c:\NUL.CON\eicar.com

try

antieicar \\.\c:\NUL.CON\eicar.com

Antiviral vendors aware about this problem, it was discussed in past.

--Saturday, October 2, 2004, 9:57:52 PM, you wrote to full-disclosure@...ts.netsys.com:

 
>> OK.  I  just wrote new super antivirus. It's
>> databases currently consist
>> from  only  eicar.com  signature  (I'm very new in
>> this business) but it
>> 100% detects EICAR in the file with removed
>> permissions :)
>> 
>> http://www.security.nnov.ru/files/antieicar.zip

>> Now, there is at least one antivirus to break your
>> statement :)
>> 


bg> good example 3APA3A to teach those software companies
bg> howto, 

bg> anyways... here is a archive, 

bg> http://www.geocities.com/visitbipin/antiPOC.zip

bg> Extract the archive by using "DEFAULT ZIP MANAGER" of
bg> windows xp. It will create a file "NULL.con" (O;
bg> within which there is a "eicar test string file". 

bg> I don't think your super AV will detect the "eicar
bg> test string file" withing "NULL.con" folder??? :)

bg> anyways... let me know HOW? when you figure out to how
bg> to delete "NULL.con" directory.



bg>  You  can  add Kaspersky 4.5x to the list of products
>> you can bypass this
>> way.  Previous  KAV  4.0  versions  (and  3.x 
>> version,  actually it was
>> F-Secure  engine)  had kernel driver and it was used
>> during manual scan,
>> probably  these version are not vulnerable. I didn't
>> saw 5.x yet, but it
>> is expected to be vulnerable too.
>> 
>> F-Secure  (at  least  older  versions)  should  not
>> be vulnerable, but I
>> didn't tested.


		
bg> __________________________________
bg> Do you Yahoo!?
bg> Yahoo! Mail - 50x more storage than other providers!
bg> http://promotions.yahoo.com/new_mail

bg> _______________________________________________
bg> Full-Disclosure - We believe in it.
bg> Charter: http://lists.netsys.com/full-disclosure-charter.html


-- 
~/ZARAZA
? ???????? ???? ??????.  (???)


Powered by blists - more mailing lists