Open Source and information security mailing list archives
Message-ID: <445e3a82.1df1ae7c.1f79.1771@mx.gmail.com>
Date: Sun May  7 19:20:59 2006
From: debasis.mohanty.listmails at gmail.com (Debasis Mohanty)
Subject: RE: Panda Antivirus Enterprise Secure,
	Norton Antivirus 2005 and the virus "I Love You"

Signature-based analysis doesn't apply well in the case of script-based worms /
viruses. The issue here seems to be the lack of a feature to do an appropriate
analysis of script-based worms.

Symantec is able to block it because, in addition to signature matching, it
is also trying to figure out what the script is up to. In this kind of real-time
analysis, AVs usually look for any kind of possible malicious activity
by the script by intercepting WSH or wscript calls. For example, if a .vbs,
.hta or .wsh file is opened on a system, then the AV (with real-time
protection) usually looks for the presence of FileSystemObject calls or
something similar in the file and then blocks it from getting executed. It
prompts the user to either allow or disallow it. It may happen that it
sometimes blocks valid scripts with valid calls to FSO, but like any other
security product, these kinds of false positives do sneak in.

I am rather surprised that Panda AV doesn't have this basic feature to block
such scripts and is relying only upon signature-based analysis.

Have you also tried this test with Pest Control? I guess they do have a
nice real-time protection.


-d 

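The on-access behaviour described in the message above, together with the variable-rename and ".txt.gz" evasion described in the quoted message below, as an added worked example that is not part of any message in this thread: a toy scanner in Python that runs a naive exact-string signature and a set of behaviour-level heuristics (FileSystemObject / WScript.Shell instantiation, file writes, self-reference) over constructed sample scripts. The sample scripts, the signature string, the rule names and the extension list are all assumptions made for illustration; none of it is taken from the worm or from any AV product.

```python
"""Toy on-access scanner contrasting signature matching with script heuristics.

All scripts, the signature string and the rule names below are constructed for
illustration; none of it is taken from the worm or from any AV product.
"""
from __future__ import annotations

import re

# Constructed sample: a harmless script using the same kind of FileSystemObject
# calls the message discusses. It is NOT the LoveLetter worm.
ORIGINAL_SCRIPT = """\
On Error Resume Next
Set fso = CreateObject("Scripting.FileSystemObject")
Set dirsystem = fso.GetSpecialFolder(1)
Set out = fso.CreateTextFile(dirsystem & "\\note.txt", True)
out.WriteLine "example"
"""

# The same script with one variable renamed, mirroring the quoted experiment.
RENAMED_SCRIPT = ORIGINAL_SCRIPT.replace("dirsystem", "kk2")

# Constructed benign admin script that also touches FileSystemObject.
BENIGN_SCRIPT = """\
Set fso = CreateObject("Scripting.FileSystemObject")
If fso.FolderExists("C:\\Logs") Then WScript.Echo "logs present"
"""

# Hypothetical exact-string signature of the kind a purely signature-based
# engine might carry. It is tied to the original variable name.
SIGNATURE = 'Set dirsystem = fso.GetSpecialFolder(1)'

# Heuristic indicators keyed on behaviour (object instantiation, file writes,
# self-reference), which survive a variable rename.
HEURISTIC_RULES = {
    "fso_instantiation": re.compile(r'CreateObject\s*\(\s*"Scripting\.FileSystemObject"', re.I),
    "shell_instantiation": re.compile(r'CreateObject\s*\(\s*"WScript\.Shell"', re.I),
    "self_reference": re.compile(r"WScript\.ScriptFullName", re.I),
    "file_write": re.compile(r"\.(CreateTextFile|OpenTextFile|CopyFile|Copy)\b", re.I),
}

# Extensions the on-access hook inspects (assumed list). Anything else is not
# even scanned, which is why a .txt.gz attachment slips past this kind of check.
SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".hta", ".wsh", ".wsf", ".js", ".jse")


def is_script_file(filename: str) -> bool:
    return filename.lower().endswith(SCRIPT_EXTENSIONS)


def signature_match(content: str) -> bool:
    return SIGNATURE in content


def heuristic_hits(content: str) -> list[str]:
    return [name for name, rx in HEURISTIC_RULES.items() if rx.search(content)]


def scan(filename: str, content: str) -> dict:
    """On-access verdict: 'block' on a signature hit, 'prompt' on heuristic
    hits (the user decides), 'allow' otherwise or when the file is not inspected."""
    result = {"file": filename, "inspected": is_script_file(filename),
              "signature": False, "heuristics": [], "verdict": "allow"}
    if not result["inspected"]:
        return result
    result["signature"] = signature_match(content)
    result["heuristics"] = heuristic_hits(content)
    if result["signature"]:
        result["verdict"] = "block"
    elif result["heuristics"]:
        result["verdict"] = "prompt"
    return result


if __name__ == "__main__":
    cases = [
        ("original.vbs", ORIGINAL_SCRIPT),   # signature fires
        ("renamed.vbs", RENAMED_SCRIPT),     # signature misses, heuristics still fire
        ("admin.vbs", BENIGN_SCRIPT),        # false positive: legitimate FSO use
        ("renamed.txt.gz", RENAMED_SCRIPT),  # not a script extension: never inspected
    ]
    for name, content in cases:
        r = scan(name, content)
        print(f"{name:16} inspected={r['inspected']!s:5} signature={r['signature']!s:5} "
              f"verdict={r['verdict']:6} heuristics={r['heuristics']}")
```

Run as-is to see the four outcomes side by side: the renamed copy defeats the signature but still reaches the "prompt" path through the heuristics, the benign admin script reaches the same "prompt" path (the false positive the message warns about), and the ".txt.gz" copy is never inspected at all because this kind of on-access hook keys on the file extension rather than on content.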

________________________________

From: full-disclosure-bounces@...ts.grok.org.uk
[mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Niklas
Sent: Saturday, May 06, 2006 10:46 AM
To: Joxean Koret
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] RE: Panda Antivirus Enterprise Secure,Norton
Antivirus 2005 and the virus "I Love You"


Symantec 10 corp. immediately detects this as Loveletter.CI through real-time
protection when accessing the file within the archive.
 
/N

 
On 5/4/06, Joxean Koret <joxeankoret@...oo.es> wrote: 

	Sorry, the email was sent without the attachment.
	
	---
	Regards,
	Joxean Koret
	
	> Attached goes a working "I Love You" virus in which
	> I changed ONLY the variable "dirsystem" with the name
	> "kk2" (the file attached has the extension ".txt.gz";
	> otherwise, with the .vbs extension the file will be
	> locked by all the most popular anti-virus toolkits).
	
	Disclaimer:
	~~~~~~~~~~~
	
	The information in this advisory and any of its
	demonstrations is provided "as is" without any
	warranty of any kind.
	
	I am not liable for any direct or indirect damages
	caused as a result of using the information or
	demonstrations provided in any part of this
	advisory.
	
	
--------------------------------------------------------------------------- 
	
	Contact:
	~~~~~~~~
	
	       Joxean Koret at
joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es
	
	
	
	
	_______________________________________________ 
	Full-Disclosure - We believe in it.
	Charter: http://lists.grok.org.uk/full-disclosure-charter.html
	Hosted and sponsored by Secunia - http://secunia.com/
	
	
	


