Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Bypass Virus Checking
From: harley () ICRF ICNET UK (David Harley)
Date: Fri, 4 Feb 2000 07:58:19 +0000

response. Oh, and in case you're wondering, there was only a difference
of one byte between our copies of EICAR.COM. Mine terminated in an <LF>,
Ed's in a <CR><LF>.

That can be significant. There've been quite a few differences in
implementation in detection of the EICAR test file over the years,
and it's been known for a product to fail precisely because of
the length of the file. Other anomalies have included a
surprising degree of pattern-matching fuzziness, and undue
flexibility about positioning. The spec. requires the EICAR
string to be right at the beginning of the file, but doesn't
specify whether anything can follow it. There was even an
instance a few years back of a scanner which alerted on an
informatory text file containing the EICAR string somewhere in
the middle.

Hopefully, all current scanners handle the EICAR string
'correctly'. But I wouldn't bet the family jewels on it.

You're right, by the way: there is anti-virus software
which only scans a file for known viruses if integrity
checking flags a change.

David Harley <D.Harley () icrf icnet uk>
<harley () sherpasoft org uk> | <D_Harley () iname com>
.sig under re-construction.....

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]