Home page logo
/

bugtraq logo Bugtraq mailing list archives

RE: Exploiting Multiple Flaws in Symantec Antivirus 2004 for Windows Mobile (fwd)
From: "Thor Larholm" <thor () pivx com>
Date: Tue, 16 Sep 2003 19:59:18 -0700

---------- Forwarded message ----------
From: <auto9115 () hushmail com>
Subject: [Full-Disclosure] Exploiting Multiple Flaws in Symantec 
Antivirus 2004 for Windows Mobile

Vulnerability #2: The Virus scanner does not appear to work at all!

Like any antivirus scanner, Symantec detects the Eicar test virus 
(eicar.exe or eicar.txt). At least, at first glance it appears to 
detect it. However,  you can easily defeat this by adding a few 
bytes of random text before or after the Eicar string.  For example, 
if you use a hex/text editor to add a few random bytes of text before 
and after the string, then Symantec won't detect it!  However, other 
AVs easily detect it, as they should. An AV scanner should be able 
to detect a byte stream anywhere in the file, but Symantec is easily 
bypassed with this rudimentary trick.

The discussion of when to detect the EICAR test virus has been long,
heated and on-going, but a few simple facts remain that we can quote
directly from EICAR themselves. From
http://www.eicar.org/anti_virus_test_file.htm we can read:

"Any anti-virus product that supports the EICAR test file should detect
it in any file providing that the file starts with the following 68
characters, and is exactly 68 bytes long"

"The first 68 characters is the known string. It may be optionally
appended by any combination of whitespace characters with the total file
length not exceeding 128 characters. The only whitespace characters
allowed are the space character, tab, LF, CR, CTRL-Z."

The test string has to be at the start of the file and you're only
allowed to append the above whitespace characters after the end of the
test string, up until a file length of 128 characters (60 whitespace
characters).

Since you added random bytes of text, which are not whitespace, at both
start and end, your file was no longer the EICAR test virus file.

We can argue from this day to the heat death of the sun about whether
the heurestic engine in the AV product should have caught these
variations and whether that engine might deliberately not check the
EICAR test virus for variations, but only EICAR and the specific AV
vendors can provide their views on why they choose to do as they did.



Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher
http://www.pivx.com/larholm/unpatched - Unpatched IE vulnerabilities


  By Date           By Thread  

Current thread:
  • RE: Exploiting Multiple Flaws in Symantec Antivirus 2004 for Windows Mobile (fwd) Thor Larholm (Sep 17)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault