Re: [Full-Disclosure] Exploiting Multiple Flaws in Symantec Antivirus 2004 for Windows Mobile
- To: auto9115@xxxxxxxxxxxx
- Subject: Re: [Full-Disclosure] Exploiting Multiple Flaws in Symantec Antivirus 2004 for Windows Mobile
- From: 3APA3A <3APA3A@xxxxxxxxxxxxxxxx>
- Date: Wed, 17 Sep 2003 19:39:57 +0400
Dear auto9115@xxxxxxxxxxxx,
--Tuesday, September 16, 2003, 11:59:22 PM, you wrote to
full-disclosure@xxxxxxxxxxxxxxxx:
ahc> Like any antivirus scanner, Symantec detects the Eicar test virus
ahc> (eicar.exe or eicar.txt). At least, at first glance it appears to
ahc> detect it. However, you can easily defeat this by adding a few
ahc> bytes of random text before or after the Eicar string. For example,
ahc> if you use a hex/text editor
Probably you misunderstand what an antiviral signature is. It's not some
virus substring. When researching a virus, the antiviral vendor makes an
algorithm to catch the virus behaviour. If this virus is mutating, all
_possible_ mutations must be caught by the signature. The problem is, EICAR
with 'few random bytes' is not a possible mutation of EICAR, so catching
it is not required for an antiviral product :). And even more: catching a
changed EICAR string is invalid behaviour. In this case, you will not be
able to read the EICAR string on a web page or read it in an e-mail message,
as was suggested by the EICAR developers, because your antivirus will
incorrectly think the message or page is infected.
--
~/ZARAZA
I swear by the bald head of the prophet Moses, I am going to eat you right now. (Twain)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
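The point of the reply above is that an EICAR signature is not a substring search. The following is an added illustration, not code from either poster or from Symantec: it contrasts a naive "contains the string" matcher with one that follows the EICAR test-file definition (the 68-byte string at offset 0, optionally followed by whitespace, total file length at most 128 bytes) and runs both over a few constructed inputs, including the string embedded in an e-mail body, which is exactly the case where a substring matcher produces the false positive the reply warns about. The sample inputs and the function names are constructed for this example.

```python
# The 68-byte EICAR test string, assembled from two pieces so that this
# source file is not itself quarantined by a scanner; the joined bytes are
# the standard, harmless test-file content.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")   # len(EICAR) == 68

EICAR_MAX_LEN = 128   # test file may be padded with whitespace up to this size


def naive_substring_match(data: bytes) -> bool:
    """What the quoted poster seems to expect: flag anything containing the string."""
    return EICAR in data


def eicar_spec_match(data: bytes) -> bool:
    """Match the EICAR test file as it is defined: the 68-byte string must be
    at offset 0, anything after it may only be whitespace, and the whole
    file is at most 128 bytes.  Bytes *before* the string, or non-whitespace
    bytes after it, mean this is not the EICAR test file."""
    if len(data) > EICAR_MAX_LEN or not data.startswith(EICAR):
        return False
    trailer = data[len(EICAR):]
    return trailer.strip() == b""   # bytes.strip() removes ASCII whitespace


# Constructed sample inputs (not real files from the thread).
SAMPLES = {
    "exact test file": EICAR,
    "test file with trailing newline": EICAR + b"\r\n",
    "random bytes before the string": b"\x8f\x12junk" + EICAR,
    "random bytes after the string": EICAR + b"\x00\xffjunk",
    "whitespace padding over 128 bytes": EICAR + b" " * 61,   # 129 bytes
    "string inside an e-mail body": (
        b"Subject: how to test your scanner\r\n\r\n"
        b"Copy this line into a file: " + EICAR + b" and scan it.\r\n"
    ),
}


def classify(data: bytes) -> dict:
    """Return both verdicts so the two approaches can be compared side by side."""
    return {"naive": naive_substring_match(data), "spec": eicar_spec_match(data)}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        verdict = classify(data)
        print(f"{name:36s} naive={verdict['naive']!s:5s} spec={verdict['spec']}")
```

Only the first two samples are the EICAR test file; the spec-following matcher accepts exactly those, while the substring matcher also flags the e-mail body and the prepended-bytes case, which is the "you will not be able to read the EICAR string in an e-mail message" failure the reply describes. A real product's signature logic is more involved than this, but the position and length constraints are what make the reported "bypass" a non-issue rather than a detection gap.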