[Full-disclosure] McAfee VirusScan Enterprise 8.0i misidentifies EICAR test file
- To: Full-Disclosure <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: [Full-disclosure] McAfee VirusScan Enterprise 8.0i misidentifies EICAR test file
- From: TheGesus <thegesus@xxxxxxxxx>
- Date: Sat, 10 Jun 2006 17:23:28 -0400
PROBLEM
========
McAfee VirusScan Enterprise 8.0.0 (tested unpatched and with Patch 11)
using the 4781 DAT file (dated 06/09/2006, perhaps also previous) and
engine 4400 incorrectly identifies the "industry standard" EICAR test
file as Elspy.worm.
PROOF OF CONCEPT
=================
@echo off
:looper
REM Make file >128 bytes #################
REM ######################################
REM ######################################
REM ######################################
echo X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*>testfile
goto looper
Cut & paste the above into Notepad (lines may wrap), save as a Windows
CMD file & run it.
VirusScan will report an instance of Elspy.worm once every three seconds (YMMV).
RISK FACTOR
===========
I dunno... you could probably make your "Enterprise AntiVirus
Administrator" look like a clueless idiot. That's always fun!
ADMISSION OF LAMENESS
=====================
Yes, this is lame. It is also stupid that an "Enterprise" antivirus
package cannot identify an EICAR test file properly. That's not MY
problem. Also, I did ZERO research on this so if someone else has
already published, mea culpa.
VENDOR NOTIFICATION
==================
Fuck them.
HOLLA
=====
Greetz to Dad & the Woolly Spook!
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
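
Added example, not part of the original post: a Python check of whether a file's bytes meet EICAR's definition of the test file (the 68-byte string at offset 0, followed only by space, tab, LF, CR or Ctrl-Z, at most 128 bytes in total), for confirming what actually landed in testfile before comparing detection names. The function names and sample inputs are constructed for illustration.

```python
"""Classify bytes against EICAR's definition of the anti-virus test file."""

# The 68-byte test string, as it appears in the post above.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
# Only these bytes may follow the string: space, tab, LF, CR, Ctrl-Z.
ALLOWED_TRAILING = b" \t\n\r\x1a"
MAX_TOTAL_LEN = 128


def classify(data: bytes) -> str:
    """Return 'conforming', 'nonconforming', 'embedded' or 'absent'."""
    if data.startswith(EICAR):
        tail = data[len(EICAR):]
        if len(data) <= MAX_TOTAL_LEN and all(b in ALLOWED_TRAILING for b in tail):
            return "conforming"
        return "nonconforming"      # right prefix, bad tail or too long
    if EICAR in data:
        return "embedded"           # string present, but not at offset 0
    return "absent"


# Constructed sample inputs (not captured from a real system).
SAMPLES = {
    "string + CRLF": EICAR + b"\r\n",
    "padded past 128 bytes": EICAR + b" " * 61,
    "string after other text": b"REM padding\r\n" + EICAR + b"\r\n",
    # Assumption, not stated in the post: a shell consumed '%' and '^'.
    "metacharacters lost": EICAR.replace(b"%", b"").replace(b"^", b"") + b"\r\n",
}


def report(samples=SAMPLES) -> dict:
    """Map each sample name to its classification."""
    return {name: classify(data) for name, data in samples.items()}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:           # classify a file given on the command line
        with open(sys.argv[1], "rb") as fh:
            print(sys.argv[1], "->", classify(fh.read()))
    else:
        for name, verdict in report().items():
            print(f"{name:26} -> {verdict}")
```

Run it with a path argument to classify a file on disk, or with no arguments to classify the constructed samples.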