Full Disclosure mailing list archives
Re: Re: Multiple Antivirus Scanners DoS attack.
From: bipin gautam <visitbipin () yahoo com>
Date: Tue, 15 Jun 2004 04:39:37 -0700 (PDT)
--- Shashank Rai <shash () etisalat-nis ae> wrote:
On a Fedora Core-2 box.....

Virus scanning report - 15 June 2004 @ 7:50

F-PROT ANTIVIRUS
Program version: 4.4.2
Engine version: 3.14.11

VIRUS SIGNATURE FILES
SIGN.DEF created 12 June 2004
SIGN2.DEF created 12 June 2004
MACRO.DEF created 7 June 2004

Search: /home/shash/tmp/SERVER_dwn.zip
Action: Report only
Files: "Dumb" scan of all files
Switches: -ARCHIVE -PACKED -SERVER
/home/shash/tmp/SERVER_dwn.zip->BlackHole.zip->1/~.cab->0.cab->cab.com
Infection: EICAR_Test_File
/home/shash/tmp/SERVER_dwn.zip->BlackHole.zip->1/~.zip->bipin.zip
Infection: EICAR_Test_File
/home/shash/tmp/SERVER_dwn.zip->BlackHole.zip->2/~.cab->0.cab->cab.com
Infection: EICAR_Test_File
/home/shash/tmp/SERVER_dwn.zip->BlackHole.zip->2/~.zip->bipin.zip
Infection: EICAR_Test_File
/home/shash/tmp/SERVER_dwn.zip->BlackHole.zip->3/~.cab->0.cab->cab.com
Infection: EICAR_Test_File
/home/shash/tmp/SERVER_dwn.zip->BlackHole.zip->3/~.zip->bipin.zip
Infection: EICAR_Test_File
/home/shash/tmp/SERVER_dwn.zip->BlackHole.zip->4/~.cab->0.cab->cab.com
Infection: EICAR_Test_File
/home/shash/tmp/SERVER_dwn.zip->BlackHole.zip->4/~.zip->bipin.zip
Infection: EICAR_Test_File
/home/shash/tmp/SERVER_dwn.zip->BlackHole.zip->5/~.cab->0.cab->cab.com
Infection: EICAR_Test_File
/home/shash/tmp/SERVER_dwn.zip->BlackHole.zip->5/~.zip->bipin.zip
Infection: EICAR_Test_File

Results of virus scanning:
Files: 1
MBRs: 0
Boot sectors: 0
Objects scanned: 657
Infected: 10
Suspicious: 0
Disinfected: 0
Deleted: 0
Renamed: 0
Time: 1:13

f-prot vulnerable?????
Moreover, if you download such archives from an internet location, or 'copy/paste' such files from a destination, those vulnerable "Antivirus Softwares" with their auto-protect engines active may also trigger a DoS.

There have been reports in some discussion forums that the following are vulnerable:

* Panda Antivirus
* Norton AV Corporate Ed. (version 7.60.926)
* McAfee uvscan scan for Linux (4.3.20)
* DrWeb (http://www.drweb.ru/)
* AVG v7.0.251
* ClamAV version 0.07, 0.72 <--- please confirm this!
* eTrust InoculateIT version 6.0

* F-Prot 4.4.2 for Linux did take a considerable amount of time [avg: 90 seconds] while scanning the file; there have been conflicting reports whether or not F-Prot is vulnerable. But an AV software that takes so long to scan just a 15 kb file...... is strange behavior. I'll personally call it vulnerable... cauz a DoS could likely be triggered.

You can get updates of this advisory at http://www.geocities.com/visitbipin/Multiple_AV_DoS.html

Regards,
Bipin Gautam
http://www.geocities.com/visitbipin/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
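The scan report quoted above shows the scanner descending through layer after layer of nested zip and cab archives, which is exactly where a scanner without limits burns its time. The standard mitigation is a hard cap on nesting depth and on cumulative decompressed size. The following is an added example, my own code rather than anything from this thread or from any of the scanners named in it: a bounded walker over nested zips using Python's standard `zipfile` module, with constructed sample archives; `MAX_DEPTH` and `MAX_TOTAL_BYTES` are assumed values, not taken from any product.

```python
import io
import zipfile

MAX_DEPTH = 3              # assumed: archive nesting levels we will open
MAX_TOTAL_BYTES = 1 << 20  # assumed: cumulative uncompressed bytes, all levels

def walk_zip(data, path="root.zip", depth=0, budget=None):
    """Walk a zip in memory under hard limits; 'stopped' names the limit hit."""
    if budget is None:
        budget = {"bytes": 0, "members": [], "stopped": None}
    if depth >= MAX_DEPTH:
        budget["stopped"] = "depth limit %d reached at %s" % (MAX_DEPTH, path)
        return budget
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            remaining = MAX_TOTAL_BYTES - budget["bytes"]
            # file_size is from the header (attacker-controlled): cheap early
            # reject only, so the actual read below is capped as well.
            if info.file_size > remaining:
                budget["stopped"] = "byte budget exceeded at %s" % path
                return budget
            with zf.open(info) as fh:
                member = fh.read(remaining + 1)
            if len(member) > remaining:
                budget["stopped"] = "byte budget exceeded at %s" % path
                return budget
            budget["bytes"] += len(member)
            member_path = "%s->%s" % (path, info.filename)  # F-Prot style path
            budget["members"].append(member_path)
            # Detect nested archives by content, not by file extension
            if zipfile.is_zipfile(io.BytesIO(member)):
                walk_zip(member, member_path, depth + 1, budget)
                if budget["stopped"]:
                    return budget
    return budget

def make_zip(members):
    """Build a zip in memory from {name: bytes} (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

def nested_sample(levels):
    """Constructed sample: one text file wrapped in `levels` zip layers."""
    data = make_zip({"note.txt": b"harmless text"})
    for i in range(levels):
        data = make_zip({"%d/inner.zip" % i: data})
    return data
```

With six layers the walk stops at the third with a reported path of the form `root.zip->5/inner.zip->4/inner.zip->3/inner.zip`, rather than opening every layer; the same budget check rejects a member whose claimed or actual decompressed size would exceed the cap.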
Current thread:
- Re: Multiple Antivirus Scanners DoS attack. Shashank Rai (Jun 14)
- Re: Re: Multiple Antivirus Scanners DoS attack. bipin gautam (Jun 15)
- <Possible follow-ups>
- Re: Multiple Antivirus Scanners DoS attack. Luca Gibelli (Jun 16)