[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re[2]: [Full-Disclosure] All Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bugs. [Part IV]

To: bipin gautam <visitbipin@xxxxxxxxx>
Subject: Re[2]: [Full-Disclosure] All Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bugs. [Part IV]
From: 3APA3A <3APA3A@xxxxxxxxxxxxxxxx>
Date: Sun, 3 Oct 2004 12:31:26 +0400

Dear bipin gautam,

Actually  my  super  antivirus  easily  detects  eicar  in  nul.con. For
example, for c:\NUL.CON\eicar.com

try

antieicar \\.\c:\NUL.CON\eicar.com

Antiviral vendors aware about this problem, it was discussed in past.

--Saturday, October 2, 2004, 9:57:52 PM, you wrote to 
full-disclosure@xxxxxxxxxxxxxxxx:

 
>> OK.  I  just wrote new super antivirus. It's
>> databases currently consist
>> from  only  eicar.com  signature  (I'm very new in
>> this business) but it
>> 100% detects EICAR in the file with removed
>> permissions :)
>> 
>> http://www.security.nnov.ru/files/antieicar.zip

>> Now, there is at least one antivirus to break your
>> statement :)
>> 


bg> good example 3APA3A to teach those software companies
bg> howto, 

bg> anyways... here is a archive, 

bg> http://www.geocities.com/visitbipin/antiPOC.zip

bg> Extract the archive by using "DEFAULT ZIP MANAGER" of
bg> windows xp. It will create a file "NULL.con" (O;
bg> within which there is a "eicar test string file". 

bg> I don't think your super AV will detect the "eicar
bg> test string file" withing "NULL.con" folder??? :)

bg> anyways... let me know HOW? when you figure out to how
bg> to delete "NULL.con" directory.



bg>  You  can  add Kaspersky 4.5x to the list of products
>> you can bypass this
>> way.  Previous  KAV  4.0  versions  (and  3.x 
>> version,  actually it was
>> F-Secure  engine)  had kernel driver and it was used
>> during manual scan,
>> probably  these version are not vulnerable. I didn't
>> saw 5.x yet, but it
>> is expected to be vulnerable too.
>> 
>> F-Secure  (at  least  older  versions)  should  not
>> be vulnerable, but I
>> didn't tested.


                
bg> __________________________________
bg> Do you Yahoo!?
bg> Yahoo! Mail - 50x more storage than other providers!
bg> http://promotions.yahoo.com/new_mail

bg> _______________________________________________
bg> Full-Disclosure - We believe in it.
bg> Charter: http://lists.netsys.com/full-disclosure-charter.html


-- 
~/ZARAZA
В расчетах была ошибка.  (Лем)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

References:
- Re[2]: [Full-Disclosure] All Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bugs. [Part IV]
  - From: 3APA3A
- Re: [Full-Disclosure] All Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bugs. [Part IV]
  - From: bipin gautam

Prev by Date: Re: [Full-Disclosure] XP Remote Desktop Remote Activation
Next by Date: Re: [Full-Disclosure] XP Remote Desktop Remote Activation
Previous by thread: Re: [Full-Disclosure] All Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bugs. [Part IV]
Next by thread: Re[2]: [Full-Disclosure] All Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bugs. [Part IV]
Index(es):
- Date
- Thread