Subject: iDEFENSE Security Advisory 10.05.04b: Symantec Norton AntiVirus Reserved Device Name Handling Vulnerability

Dear bipin gautam,

This issue was really discussed in the past and was fixed in Kaspersky.

I do work for iDefense. They pay for Mozilla bugs more than Mozilla
does. But not in this case. As you can see:

-=-=-=- Quote -=-=-=-

Kurt Seifried (kurt[at] is credited with this discovery.
-=-=-=-  End -=-=-=-

I never submitted any antiviral bugs to iDefense, but both iDefense and
Kurt Seifried may read security lists. Yes, Kurt tested Symantec against
a good, well-known problem.

--Wednesday, October 6, 2004, 7:02:46 AM, you wrote to

bg> hi iDEFENSE,

bg> What a coincidence, this is what I was talking about
bg> with a few others in the list... a day
bg> back!!! I myself saw this behaviour...... (I was a few
bg> days short) hey guys you were telling me, "Antiviral
bg> vendors are aware of this problem, it was discussed in
bg> the past." so??? iDEFENSE took away my upcoming advisory.
bg> )O;

bg> 3APA3A, do you work for iDEFENSE???????

bg> ANYWAYS, this isn't the first time an advisory has
bg> coincided with another........

bg> cheese,
bg> bipin

bg> --- 3APA3A <3APA3A@...URITY.NNOV.RU> wrote:

>> Dear bipin gautam,
>> Actually my super antivirus easily detects eicar in nul.con. For
>> example, for c:\NUL.CON\ try
>> antieicar \\.\c:\NUL.CON\
>> Antiviral vendors are aware of this problem, it was discussed in the
>> past.
>> --Saturday, October 2, 2004, 9:57:52 PM, you wrote to
>> >> OK. I just wrote a new super antivirus. Its databases currently
>> >> consist of only one signature (I'm very new in this business) but it
>> >> 100% detects EICAR in the file with removed permissions :)
>> >>
>> >> Now, there is at least one antivirus to break your statement :)
>> >>
>> bg> good example 3APA3A to teach those software companies how to,
>> bg> anyways... here is an archive,
>> bg>
>> bg> Extract the archive by using "DEFAULT ZIP MANAGER" of windows xp.
>> bg> It will create a file "NULL.con" (O; within which there is an "eicar
>> bg> test string file". I don't think your super AV will detect the
>> bg> "eicar test string file" within "NULL.con" folder??? :)
>> bg> anyways... let me know HOW? when you figure out how to delete
>> bg> "NULL.con" directory.

>> The problem specifically exists in attempts to scan files and
>> directories named as reserved MS-DOS devices. Reserved MS-DOS device
>> names are a holdover from the original days of Microsoft DOS. The
>> reserved MS-DOS device names represent devices such as the first printer
>> port (LPT1) and the first serial communication port (COM1). Sample
>> reserved MS-DOS device names include AUX, CON, PRN, COM1 and LPT1. If a
>> virus stores itself in a reserved device name it can avoid detection by
>> Symantec Norton AntiVirus when the system is scanned. Symantec Norton
>> AntiVirus will scan the files and folders containing the virus and fail
>> to detect or report them. Reserved device names can be created with
>> standard Windows utilities by specifying the full Universal Naming
>> Convention (UNC) path. The following command will successfully copy a
>> file to the reserved device name 'aux' on the C:\ drive:
>>     copy source \\.\C:\aux


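An added example (not code from the iDefense advisory, from Symantec, or from anyone in this thread) of the scanner-side fix the thread circles around: open every directory entry through the `\\?\` prefix, so that `C:\NUL.CON\...` is read as a file rather than redirected to the NUL device. `\\.\`, the prefix both the advisory and 3APA3A use, reaches the same file through the Win32 device namespace (it is not a UNC path, whatever the advisory calls it); `\\?\` additionally disables Win32 path normalisation, which is what a scanner wants. The reserved-name table and the rewrite rules are the documented Win32 behaviour; the `MARKER` string, the file names and the sample tree are constructed test data standing in for the EICAR file, and every function name is this example's own. The name and path functions are pure and run anywhere; only Windows actually exhibits the device redirection, so on Linux the walk simply reads the same names as ordinary files.

```python
import os
import sys
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional

# Documented Win32 reserved device names (this example's own table).
RESERVED = ({"CON", "PRN", "AUX", "NUL"}
            | {f"COM{i}" for i in range(1, 10)}
            | {f"LPT{i}" for i in range(1, 10)})

# Constructed stand-in for the EICAR string; any content signature works here.
MARKER = b"CONSTRUCTED-MARKER-STANDING-IN-FOR-EICAR"


def reserved_component(name: str) -> Optional[str]:
    """Device name a single path component collides with, or None.

    Win32 resolves 'NUL', 'nul.con', 'AUX.txt' and 'CON.' all to the device:
    only the text before the first '.' counts, case is ignored and trailing
    spaces are dropped. 'COM10' and 'console' are ordinary names.
    """
    stem = name.split(".", 1)[0].rstrip(" ").upper()
    return stem if stem in RESERVED else None


def extended_path(path: str) -> str:
    r"""Rewrite an absolute Windows path into the \\?\ form, which switches
    off Win32 normalisation so C:\NUL.CON\x.exe opens as a file rather than
    the NUL device (\\.\, as used in the thread, reaches the same file but
    keeps normalisation). \\server\share\x becomes \\?\UNC\server\share\x."""
    path = path.replace("/", "\\")
    if path.startswith(("\\\\?\\", "\\\\.\\")):
        return path
    if path.startswith("\\\\"):
        return "\\\\?\\UNC\\" + path[2:]
    return "\\\\?\\" + path


def open_path(path: str) -> str:
    """Path handed to open()/scandir(): extended on Windows, unchanged elsewhere."""
    if os.name != "nt":
        return path
    if not os.path.isabs(path):
        # Not os.path.abspath(): GetFullPathName itself turns 'aux' into \\.\aux.
        path = os.path.join(os.getcwd(), path)
    return extended_path(path)


@dataclass
class Finding:
    path: str                # path as the scanner walked it
    reserved: Optional[str]  # device name the last component collides with
    matched: bool            # MARKER found in the file content


def scan_tree(root: str) -> List[Finding]:
    """Walk root, opening every regular file through open_path(); a scanner
    using the plain Win32 path would get the NUL device for NUL.CON instead."""
    findings: List[Finding] = []
    stack = [root]
    while stack:
        cur = stack.pop()
        with os.scandir(open_path(cur)) as entries:
            for entry in entries:
                full = os.path.join(cur, entry.name)
                reserved = reserved_component(entry.name)
                if entry.is_dir(follow_symlinks=False):
                    stack.append(full)
                    findings.append(Finding(full, reserved, False))
                elif entry.is_file(follow_symlinks=False):
                    with open(open_path(full), "rb") as fh:
                        findings.append(Finding(full, reserved, MARKER in fh.read()))
    return findings


def _write(path: str, data: bytes) -> None:
    with open(open_path(path), "wb") as fh:
        fh.write(data)


def build_sample_tree(base: str) -> None:
    """Constructed layout from the thread: a marker file inside a NUL.CON
    directory, a marker file simply named 'aux', and one clean file."""
    _write(os.path.join(base, "readme.txt"), b"nothing to see here\n")
    os.mkdir(open_path(os.path.join(base, "NUL.CON")))
    _write(os.path.join(base, "NUL.CON", "payload.bin"), b"junk " + MARKER + b"\n")
    _write(os.path.join(base, "aux"), MARKER)


def demo() -> Dict[str, Finding]:
    """Build the sample tree in a fresh temp directory, scan it, key results by name."""
    base = tempfile.mkdtemp(prefix="devname-")
    build_sample_tree(base)
    return {os.path.basename(f.path): f for f in scan_tree(base)}


if __name__ == "__main__":
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo().values()
    for f in results:
        label = f"reserved:{f.reserved}" if f.reserved else "plain"
        print(f"{'MATCH' if f.matched else '-----'}  {label:13}  {f.path}")
```

Run it with no argument to scan the constructed sample tree, or with a directory to scan a real one. On Windows the `aux` and `NUL.CON` entries the sample creates cannot be removed from Explorer or with their plain names; `del \\.\C:\path\aux` and `rd /s /q \\.\C:\path\NUL.CON`, or `os.remove(open_path(...))` from this script, get rid of them, which is the deletion question bipin asked in the thread.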
