Full Disclosure mailing list archives
RE: Exploiting Multiple Flaws in Symantec Antivirus 2004 for Windows Mobile
From: "Matthew J. Brown" <matthew.brown () erogo com>
Date: Tue, 16 Sep 2003 17:57:29 -0700
Don Cheatham writes:
Vulnerability #2: The Virus scanner does not appear to work at all! [snip] An AV scanner should be able to detect a byte stream anywhere in the file, but Symantec is easily bypassed with this rudimentary trick.
This is not a valid test. Virus scanners search for viruses in ways that vary from virus to virus. They generally do NOT search for possible remnants of virus code scattered randomly within data files; that's a recipe for false positives all over the place. False positives are painful.

Some viruses do indeed insert random (but valid) instructions in front of their unvarying section (instructions whether in machine code, or macro language, or whatever, depending on the environment in which the virus runs). This is a very rudimentary form of disguise. Others 'encrypt' their viral code (generally by some simple XOR scheme or the like) with a varying key, so that there is no easily detectable common code.

Techniques for dealing with all these vary, but the one thing that's almost universal is that the detection parameters for each virus in the virus scanner encode how this particular virus is found in files. Thus, the search string for the EICAR test file quite probably explicitly encodes that this is only valid at the START of a file, to reduce the false positive likelihood. This does NOT mean that the virus scanner would be incapable of detecting a virus that did pad in front of itself with a random instruction stream; in that case, the flags for that virus string would be set differently.

The only valid test of a virus scanner is its detection of real viruses -- which the EICAR file is not in the first place. The EICAR test file is not a virus but merely a functionality-tester, and all scanners that support it guarantee to report if they find THE PRECISE EICAR FILE and not otherwise. In other words, Symantec is performing exactly as specified and exactly as it should.

-Matt, who once upon a time worked in the AV field

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
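As an added illustration of the signature-flag point Matt makes (this is example code, not from the post, from Symantec, or from any real scanner): a toy signature engine in which each record carries its own position and length constraints, so the same matcher treats "only at the START of a file" and "anywhere in the file" differently. The EICAR record follows eicar.org's published rule (the 68-byte string at offset 0, whole file at most 128 bytes, only whitespace after it); the second record and all sample inputs are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

# The public 68-byte EICAR test string (defined by eicar.org; it is not a virus).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


@dataclass(frozen=True)
class Signature:
    """One detection record: the byte pattern plus the flags that say HOW it is found."""
    name: str
    pattern: bytes
    anchor: str = "any"            # "start": pattern must sit at offset 0; "any": anywhere
    max_len: Optional[int] = None  # reject files longer than this (None: no limit)
    tail_ws_only: bool = False     # after the pattern only whitespace may follow


def matches(sig: Signature, data: bytes) -> bool:
    """Apply the record's own constraints, not a generic 'substring anywhere' search."""
    if sig.max_len is not None and len(data) > sig.max_len:
        return False
    if sig.anchor == "start":
        pos = 0 if data.startswith(sig.pattern) else -1
    elif sig.anchor == "any":
        pos = data.find(sig.pattern)
    else:
        raise ValueError(f"unknown anchor flag {sig.anchor!r}")
    if pos < 0:
        return False
    tail = data[pos + len(sig.pattern):]
    if sig.tail_ws_only and tail.strip(b" \t\r\n"):
        return False
    return True


# Constructed signature set: EICAR is deliberately anchored and length-limited;
# the second record stands in for a virus that pads random code in front of a
# constant body, so its flags say "anywhere". The pattern is a made-up marker.
DEMO_SIGS = [
    Signature("EICAR-Test-File", EICAR, anchor="start", max_len=128, tail_ws_only=True),
    Signature("Hypothetical.PrefixPadder", b"HYPOTHETICAL-CONSTANT-BODY-NOT-MALWARE", anchor="any"),
]


def scan(data: bytes, sigs: List[Signature] = DEMO_SIGS) -> List[str]:
    """Return the names of every signature whose constraints the file satisfies."""
    return [s.name for s in sigs if matches(s, data)]


if __name__ == "__main__":
    print(scan(EICAR + b"\r\n"))            # the precise test file: reported
    print(scan(b"\x90" * 16 + EICAR))        # EICAR with bytes in front: correctly not reported
    print(scan(b"\x90" * 16 + b"HYPOTHETICAL-CONSTANT-BODY-NOT-MALWARE"))  # 'any' flag: reported
```

The padded EICAR case is the "rudimentary trick" from the quoted report; it fails against the anchored record by design, while the same prefix does nothing against a record whose flags were set for position-independent matching.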