Bugtraq mailing list archives

Re: Bypass Virus Checking


From: vision () WHITEHATS COM (Max Vision)
Date: Mon, 31 Jan 2000 18:09:02 -0800


I can confirm that this default exclusion behavior is present in Norton
Anti-Virus 2000 (2000.00.02, definitions date 1/24/2000).

Here is a fix that will cause NAV to stop excluding "\Recycled\*.*" as it
does by default:

begin 644 exclude.dat.gz
M'XL(")Y%EC@``V5X8VQU9&4N9&%T`(MQ]O=S\W37"XX,9A@<0()!2R_,TWZ@
MG8$,&%F`;G+Q=QYH=R`#1@FPFT(&VAW(`.PF9Q_'@78',@"[*<)G4*4G8!IW
MC7!V]=%SC7`=:*?``*,0HY9>0,!@2T_AGG[A_D$N@R>D@.$4X!_N&A3@%S)H
A'`6.N[SDC(%V!S(`EYDI214#[0YD`'03`+ZP7+GP!@``
`
end

Note that Windows users who use WinZip can extract the above file by
creating "foo.uu" as a text file, pasting the above and saving/closing.
Then double-click on the foo.uu file to decompress.  I have also left an
uncompressed copy available for download at
http://maxvision.net/nav/exclude.dat

To create the above "patch" I merely edited the
C:\program files\Navnt\exclude.dat file appropriately removing the entry.
I couldn't find a normal method of changing this exclusion in either the
program interface, the registry, or the configuration files.

ANOTHER BUG: Note that this exclude.dat was originally the default shipped
with NAV 2000, and excludes potential trouble filenames such as excel.exe,
winword.exe, and powerpnt.exe.  That might not be the best idea, as when I
rename BackOrifice2000 to any of those filenames, it is completely
ignored.  *sigh*  (I just uploaded a version without those as well:
http://maxvision.net/nav/better.dat)

Here's another tip, not related to the above problem, but I highly
recommend that anyone using Norton AntiVirus turn up the heuristics to the
highest setting.  I have been using it in this mode for years and have
never seen a false positive, YMMV.  They call their technique
"Bloodhound".  It is not set to the highest level by default.

Over eight years ago I was writing virus code (for research, never
released in the wild) and I found that every single AV package could be
defeated with trivial tricks such as deleting checksum files, stripping
"immunization" headers/footers, or even xor!@#   I'm not sure defense has
come very far since then.  Be careful what you download and run!

Max Vision
http://whitehats.com/
http://maxvision.net/
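The two problems the post describes (a whole-directory wildcard exclusion such as `\Recycled\*.*`, and bare executable names such as `excel.exe` that any file can simply be renamed to) are both properties of an exclusion list that can be checked mechanically. The script below is an added example, not code from the post or from Symantec; it audits a plain list of exclusion strings and flags entries that let arbitrary files skip scanning. The string-list format and the severity rules are assumptions for illustration, not the binary layout of NAV's exclude.dat, and the sample entries are constructed after the names the post mentions.

```python
"""Audit an anti-virus exclusion list for entries that let arbitrary
files skip scanning.

Assumption (not NAV's real file format): exclusions are given as plain
strings, either a full path, a directory wildcard, or a bare filename.
"""

from typing import List, Tuple

# Extensions where a bare-name exclusion is most dangerous: anything
# renamed to the excluded name is treated as trusted.
EXECUTABLE_EXTS = {".exe", ".com", ".dll", ".scr", ".vbs", ".bat"}


def _ext(name: str) -> str:
    """Lower-cased extension of a filename, or '' if it has none."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def classify(entry: str) -> Tuple[str, str]:
    """Return (severity, reason) for one exclusion entry."""
    e = entry.strip().replace("/", "\\")
    has_path = "\\" in e
    parent, _, leaf = e.rpartition("\\")
    if leaf in ("*.*", "*", ""):
        # Everything placed under the directory is never scanned.
        return "high", f"directory wildcard: any file under {parent or chr(92)} is skipped"
    if not has_path:
        if "*" in leaf or "?" in leaf:
            return "high", "bare wildcard pattern matches by name in any directory"
        if _ext(leaf) in EXECUTABLE_EXTS:
            # The case from the post: rename a tool to excel.exe and it is ignored.
            return "high", f"bare executable name: a file renamed to {leaf} anywhere is skipped"
        return "medium", "bare filename matches anywhere regardless of location"
    if _ext(leaf) in EXECUTABLE_EXTS or "*" in leaf or "?" in leaf:
        return "medium", "path-anchored, but covers executables or a pattern"
    return "low", "specific file at a specific path"


def audit(entries: List[str]) -> List[Tuple[str, str, str]]:
    """Classify every entry, returning (entry, severity, reason) triples."""
    return [(e,) + classify(e) for e in entries]


def risky(entries: List[str]) -> List[str]:
    """Entries rated 'high': these should not be in a default exclusion list."""
    return [e for e, sev, _ in audit(entries) if sev == "high"]


# Constructed sample list modeled on the entries named in the post;
# it is not a dump of the real exclude.dat.
SAMPLE = [
    r"\Recycled\*.*",
    "excel.exe",
    "winword.exe",
    "powerpnt.exe",
    r"C:\Program Files\Navnt\exclude.dat",
    r"C:\Temp\*.log",
]

if __name__ == "__main__":
    for entry, sev, reason in audit(SAMPLE):
        print(f"{sev:6} {entry:40} {reason}")
```

Running it over the sample prints one line per entry; the `\Recycled\*.*` and the three bare executable names come out as high, the path-anchored `*.log` pattern as medium, and the single fully qualified file as low. The useful habit is to run this kind of check on any exclusion list a product ships with, since the post shows that defaults are not necessarily conservative.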

