Bugtraq mailing list archives
Re: Bypass Virus Checking
From: vision () WHITEHATS COM (Max Vision)
Date: Mon, 31 Jan 2000 18:09:02 -0800
I can confirm that this default exclusion behavior is present in Norton AntiVirus 2000 (2000.00.02, definitions date 1/24/2000). Here is a fix that will cause NAV to stop excluding "\Recycled\*.*" as it does by default:

begin 644 exclude.dat.gz
M'XL(")Y%EC@``V5X8VQU9&4N9&%T`(MQ]O=S\W37"XX,9A@<0()!2R_,TWZ@
MG8$,&%F`;G+Q=QYH=R`#1@FPFT(&VAW(`.PF9Q_'@78',@"[*<)G4*4G8!IW
MC7!V]=%SC7`=:*?``*,0HY9>0,!@2T_AGG[A_D$N@R>D@.$4X!_N&A3@%S)H
A'`6.N[SDC(%V!S(`EYDI214#[0YD`'03`+ZP7+GP!@``
`
end

Note that Windows users who use WinZip can extract the above file by creating "foo.uu" as a text file, pasting the above and saving/closing. Then double-click on the foo.uu file to decompress. I have also left an uncompressed copy available for download at http://maxvision.net/nav/exclude.dat

To create the above "patch" I merely edited the C:\program files\Navnt\exclude.dat file appropriately, removing the entry. I couldn't find a normal method of changing this exclusion in the program interface, the registry or the configuration files.

ANOTHER BUG: Note that this exclude.dat was originally the default shipped with NAV 2000, and excludes potential trouble filenames such as excel.exe, winword.exe, and powerpnt.exe. That might not be the best idea, as when I rename BackOrifice2000 to any of those filenames, it is completely ignored. *sigh* (I just uploaded a version without those as well: http://maxvision.net/nav/better.dat)

Here's another tip, not related to the above problem, but I highly recommend that anyone using Norton AntiVirus turn up the heuristics to the highest setting. I have been using it in this mode for years and have never seen a false positive, YMMV. They call their technique "Bloodhound". It is not set to the highest level by default.

Over eight years ago I was writing virus code (for research, never released in the wild) and I found that every single AV package could be defeated with trivial tricks such as deleting checksum files, stripping "immunization" headers/footers, or even xor!@# I'm not sure defense has come very far since then. Be careful what you download and run!

Max Vision
http://whitehats.com/
http://maxvision.net/
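As an added illustration of the two exclusion problems the post describes (this is not code from the post or from Symantec, and NAV's binary exclude.dat is not parsed here): a toy matcher that applies a name-based exclusion list the way the post says NAV's default does, beside a list anchored to full paths, plus an audit that flags entries a merely renamed or moved file could satisfy. The Office install paths in the hardened list are assumptions.

```python
import fnmatch
import ntpath

# Constructed exclusion lists modelled on the entries the post names.
# They only reproduce the matching behaviour described, not NAV's file format.
DEFAULT_EXCLUSIONS = [r"\Recycled\*.*", "excel.exe", "winword.exe", "powerpnt.exe"]

# Hardened list: every entry is anchored to a full path, so a file escapes
# scanning only at exactly that location. The Office paths are assumed.
HARDENED_EXCLUSIONS = [
    r"C:\Program Files\Microsoft Office\Office\excel.exe",
    r"C:\Program Files\Microsoft Office\Office\winword.exe",
    r"C:\Program Files\Microsoft Office\Office\powerpnt.exe",
]


def is_excluded(path, exclusions):
    """Return the exclusion entry that exempts `path` from scanning, or None.

    Case-insensitive, backslash paths. Three entry shapes are supported:
      - "C:\..." entries match only that full path (globs allowed);
      - entries starting with "\" match as a path suffix, so "\Recycled\*.*"
        covers any file under any directory named Recycled;
      - bare file names match the basename in any directory, which is why a
        renamed file slips through the default list.
    """
    norm = path.replace("/", "\\").lower()
    for entry in exclusions:
        e = entry.lower()
        if len(e) > 1 and e[1] == ":":
            if fnmatch.fnmatchcase(norm, e):
                return entry
        elif e.startswith("\\"):
            if fnmatch.fnmatchcase(norm, "*" + e):
                return entry
        elif fnmatch.fnmatchcase(ntpath.basename(norm), e):
            return entry
    return None


def risky_entries(exclusions):
    """Flag entries satisfiable by renaming or moving a file: anything not
    anchored to a drive-letter path, and anything covering a Recycled folder."""
    flagged = []
    for entry in exclusions:
        e = entry.lower()
        anchored = len(e) > 1 and e[1] == ":"
        if not anchored or "\\recycled\\" in e:
            flagged.append(entry)
    return flagged
```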