| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: mjp-bugtraq at securepipe.com (Michael J. Pomraning) Subject: Re: Unfiltered escape sequences in filenames contained in ZIP archives wouldn't be escaped on displaying or logging, and can also lead to bypass AV scanning On Mon, 14 Mar 2005, Dr. Peter Bieringer wrote: > during investigation of Sober.l we got the idea to replace the spaces of a > filename contained in the ZIP archive by some escape sequences. > [...] > > Also we found that at least 2 AV scan programs from 2 vendors do not detect > the virus inside and report "clean" instead. I think Sophos passes the test. I find that the underlying API (as exposed by a python wrapper) is able to detect the viruses in all cases. For the command line "sweep" utility, try adding the "-all" switch to your invocation: $ /usr/local/bin/sweep -ss -archive -all unfiltered-escape-sequences-in-filename-eicar.zip >>> Virus 'EICAR-AV-Test' found in file unfiltered-escape-sequences-in-filename-eicar.zip/Test_[2J_[2;5m_[1;31mHACKER ATTACK_[2;25m_[22;30m_[3q.txt/eicar_com.zip/eicar.com $ md5sum unfiltered-escape-sequences-in-filename-eicar.zip 38363004047dc11b206305bd3660d68f unfiltered-escape-sequences-in-filename-eicar.zip This is using engine 2.28.4, as in your tests. The consituent filenames are escaped before being displayed, too (sadly excepting ASCII BEL). Regards, Mike
Powered by blists - more mailing lists