Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Bypass Virus Checking
From: vision () WHITEHATS COM (Max Vision)
Date: Mon, 31 Jan 2000 18:09:02 -0800


I can confirm that this default exclusion beavhior is present in Norton
Anti-Virus 2000 (2000.00.02, definitions date 1/24/2000)

Here is a fix that will cause NAV to stop excluding "\Recycled\*.*" as it
does by default:

begin 644 exclude.dat.gz
M'XL(")Y%EC () ``V5X8VQU9&4N9&%T`(MQ]O=S\W37"XX,9A@<0()!2R_,TWZ@
MG8$,&%F`;G+Q=QYH=R`#1 () FPFT(&VAW(`.PF9Q_'@78',@"[*<)G4*4G8!IW
MC7!V]=%SC7`=:*?``*,0HY9>0,! () 2T_AGG[A_D$N@R>D ()  $4X!_N&A3 () %S)H
A'`6.N[SDC(%V!S(`EYDI214#[0YD`'03`+ZP7+GP! () ``
`
end

Note that windows users who uses winzip can extract the above file by
creating "foo.uu" as a text file, pasting the above and saving/closing.
Then double click on the foo.uu file to decompress.  I have also left an
uncompressed copy available for download at
http://maxvision.net/nav/exclude.dat

To create the above "patch" I merely edited the
C:\program files\Navnt\exclude.dat file appropriately removing the entry.
I couldn't find a normal method of changing this exclusion in either the
program interface, the registry nor configuration files.

ANOTHER BUG: Note that this exclude.dat was originally the default shipped
with NAV 2000, and excludes potential trouble filenames such as excel.exe,
winword.exe, and powerpnt.exe.  That might not be the best idea, as when I
rename BackOrifice2000 to any of those filenames, it is completely
ignored.  *sigh*  (I just uploaded a version without those as well:
http://maxvision.net/nav/better.dat)

Here's another tip, not related to the above problem, but I highly
recommend that anyone using Norton AntiVirus turn up the heuristics to the
highest setting.  I have been using it in this mode for years and have
never seen a false positive, YMMV.  They call their technique
"Bloodhound".  It is not set to the highest level by default.

Over eight years ago I was writing virus code (for research, never
released in the wild) and I found that every single AV package could be
defeated with trivial tricks such as deleting checksum files, stripping
"immunization" headers/footers, or even xor! () #   I'm not sure defense has
come very far since then.  Be careful what you download and run!

Max Vision
http://whitehats.com/
http://maxvision.net/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault