
Re: [Full-Disclosure] Re: text



Bennett Todd <bet@xxxxxxxxx> felt compelled to burble:

> If you want to really enjoy the pleasure of idiot false-positives
> from weak virus-scanners, just use this as your .sig, or better yet
> bodge it into a header:
> 
>       X5O!P%@AP[4\\PZX54(P^)7CC)7}\$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!\$H+H*
> 
> I did that for a good while, turned up no false positives from folks
> whose software was clueful, and I have to say surprisingly few in
> any case.  ...

_Any_ would be most odd, for if you really used the precise above 
string, you were _not_ including the EICAR standard antivirus test 
string, but a C-quoted (?) version thereof.  Repeating the string you 
claim you used:

>  X5O!P%@AP[4\\PZX54(P^)7CC)7}\$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!\$H+H*
              ^^               ^^                                   ^^
              ||               ||                                   ||

The marks indicate places where a "\" is incorrectly present relative 
to the "real" EICAR standard antivirus test string.

>  ...  False-positiving on sig-matches in normal text bodies is
> just plain rare. He says. Now I'll probably be mowed down for this
> post:-).

Well, if you are going to post something technical to a technical list 
and just get it plain wrong, you kinda gotta expect that...

> P.S. In case anybody cares, the above cryptic voodoo is the EICAR
> test pattern, presented as a distinct file it comes up positive in
> all virus scanners.

In case anyone really cares about the above cryptic voodoo, the real 
version of the EICAR standard antivirus test string can be found at its 
own homepage on EICAR's web site:

   http://www.eicar.org/anti_virus_test_file.htm

(For the especially interested, and not described on the EICAR web 
page, this string is a valid DOS .COM program file and will execute if 
run on a suitable platform, displaying the obvious message.  It is an 
example of what is sometimes referred to as "executable ASCII", 
providing an interesting exercise to analyse how it works.)


Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html