
Re: [Full-Disclosure] iDEFENSE Security Advisory 10.05.04b: Symantec Norton AntiVirus Reserved Device Name Handling Vulnerability



hi iDEFENSE,

What a coincidence, this is what I was talking about
with a few others on the list... a day
back!!! I myself saw this behavior...... (I was a few
days short) hey guys, you were telling me, "Antiviral
vendors aware about this problem, it was discussed in
past." so??? iDEFENSE took away my upcoming advisory.
)O;

3APA3A, do you work for iDEFENSE???????

ANYWAYS, this isn't the first time an advisory has
coincided with another........

cheese,
bipin

--- 3APA3A <3APA3A@xxxxxxxxxxxxxxxx> wrote:

> Dear bipin gautam,
> 
> Actually my super antivirus easily detects
> eicar in nul.con. For
> example, for c:\NUL.CON\eicar.com
> 
> try
> 
> antieicar \\.\c:\NUL.CON\eicar.com
> 
> Antiviral vendors are aware of this problem; it was
> discussed in the past.
> 
> --Saturday, October 2, 2004, 9:57:52 PM, you wrote
> to full-disclosure@xxxxxxxxxxxxxxxx:
> 
> >> OK. I just wrote a new super antivirus. Its
> >> databases currently consist
> >> of only the eicar.com signature (I'm very new in
> >> this business) but it
> >> 100% detects EICAR in the file with removed
> >> permissions :)
> >> 
> >> http://www.security.nnov.ru/files/antieicar.zip
> >> 
> >> Now, there is at least one antivirus to break
> >> your statement :)
> 
> bg> good example 3APA3A to teach those software
> bg> companies how to,
> 
> bg> anyways... here is an archive,
> 
> bg> http://www.geocities.com/visitbipin/antiPOC.zip
> 
> bg> Extract the archive by using "DEFAULT ZIP
> bg> MANAGER" of windows xp. It will create a file
> bg> "NULL.con" (O; within which there is an "eicar
> bg> test string file".
> 
> bg> I don't think your super AV will detect the
> bg> "eicar test string file" within the "NULL.con"
> bg> folder??? :)
> 
> bg> anyways... let me know HOW? when you figure out
> bg> how to delete the "NULL.con" directory.
> 

> The problem specifically exists in attempts to scan
> files and directories named as reserved MS-DOS
> devices. Reserved MS-DOS device names are a holdover
> from the original days of Microsoft DOS. The reserved
> MS-DOS device names represent devices such as the
> first printer port (LPT1) and the first serial
> communication port (COM1). Sample reserved MS-DOS
> device names include AUX, CON, PRN, COM1 and LPT1. If
> a virus stores itself in a reserved device name it can
> avoid detection by Symantec Norton AntiVirus when the
> system is scanned. Symantec Norton AntiVirus will scan
> the files and folders containing the virus and fail to
> detect or report them. Reserved device names can be
> created with standard Windows utilities by specifying
> the full Universal Naming Convention (UNC) path. The
> following command will successfully copy a file to
> the reserved device name 'aux' on the C:\ drive:
> 
>     copy source \\.\C:\aux
> 
>


                
_______________________________
Do you Yahoo!?
Declare Yourself - Register online to vote today!
http://vote.yahoo.com
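The thread above turns on one detail: a file or directory whose name (or whose first dot-separated part) is a reserved MS-DOS device name, such as NUL.CON or aux, can only be reached through the \\.\ or \\?\ device namespace, so a scanner that walks the tree with ordinary Win32 paths never opens it. The following is an added example, not code from the iDEFENSE advisory, 3APA3A, or bipin's antiPOC archive; it is a small audit that flags such path components so an administrator can find and remove them. The function names, the sample paths, and the decision to flag every reserved name that Windows recognises (NUL and COM1..COM9 / LPT1..LPT9 as well as the AUX, CON, PRN, COM1 and LPT1 the advisory lists) are this example's own assumptions.

```python
import os
import re
from typing import Iterable, List, Tuple

# Reserved MS-DOS device names. The advisory names AUX, CON, PRN, COM1 and LPT1;
# Windows also reserves NUL and the remaining COM1..COM9 / LPT1..LPT9 (assumption
# of this example, based on documented Win32 naming rules).
_RESERVED = ({"CON", "PRN", "AUX", "NUL"}
             | {f"COM{i}" for i in range(1, 10)}
             | {f"LPT{i}" for i in range(1, 10)})

# \\.\ (device namespace) or \\?\ (extended-length) prefix, which bypasses the
# Win32 path normalisation that otherwise rejects reserved names.
_DEVICE_PREFIX_RE = re.compile(r"^\\\\[.?]\\")


def is_reserved_device_name(component: str) -> bool:
    """True if a single path component would be treated as a reserved device.

    Win32 ignores everything after the first dot ('NUL.CON' -> 'NUL',
    'con.txt' -> 'CON'), strips trailing spaces and dots, and is case-insensitive.
    """
    base = component.rstrip(" .").split(".", 1)[0].strip()
    return base.upper() in _RESERVED


def split_components(path: str) -> Tuple[str, List[str]]:
    """Return (namespace_prefix, components) for a Windows-style path.

    The prefix is '\\\\.\\' or '\\\\?\\' when present, else ''. A leading drive
    letter ('C:') is dropped because it is never a device name.
    """
    m = _DEVICE_PREFIX_RE.match(path)
    prefix = m.group(0) if m else ""
    rest = path[len(prefix):]
    parts = [c for c in re.split(r"[\\/]+", rest) if c]
    if parts and re.fullmatch(r"[A-Za-z]:", parts[0]):
        parts = parts[1:]
    return prefix, parts


def audit_paths(paths: Iterable[str]) -> List[dict]:
    """Return one finding per path that contains a reserved-device component.

    Each finding records the offending components and whether the path was
    already written with a device-namespace prefix, which is the only way such
    a file can be opened or deleted (e.g. 'del \\\\.\\C:\\aux').
    """
    findings = []
    for p in paths:
        prefix, parts = split_components(p)
        hits = [c for c in parts if is_reserved_device_name(c)]
        if hits:
            findings.append({
                "path": p,
                "reserved_components": hits,
                "device_namespace": bool(prefix),
            })
    return findings


def audit_tree(root: str) -> List[dict]:
    """Walk a directory tree and audit every entry.

    On Windows the root is opened through the \\\\?\\ namespace so that a
    directory such as C:\\NUL.CON can be enumerated at all; elsewhere the
    walk is plain (useful for auditing a mounted Windows volume).
    """
    if os.name == "nt" and not root.startswith("\\\\"):
        root = "\\\\?\\" + os.path.abspath(root)
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        found.extend(audit_paths(os.path.join(dirpath, n)
                                 for n in dirnames + filenames))
    return found


# Constructed sample paths for offline demonstration (not real findings).
SAMPLE_PATHS = [
    r"\\.\C:\NUL.CON\eicar.com",    # the layout 3APA3A and bipin discuss
    r"\\.\C:\aux",                   # the advisory's copy target
    r"C:\Users\bipin\antiPOC.zip",   # ordinary file, not flagged
    r"C:\temp\con.txt",              # extension does not rescue 'con'
    r"C:\temp\lpt10.log",            # LPT10 is not a reserved name
    r"C:\temp\console.log",          # 'console' is not 'con'
]

if __name__ == "__main__":
    for f in audit_paths(SAMPLE_PATHS):
        print(f)
```

Only the first, second and fourth sample paths are reported. A scanner that wants to avoid this blind spot has to do what the audit does on Windows: open every directory and file through the \\?\ prefix rather than through normalised Win32 paths, which is also why 3APA3A's antieicar is invoked with \\.\c:\NUL.CON\eicar.com.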

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html