Viruses can evade Sophos Anti-Virus
From: "xerces8" <xerces8 () butn net>
Date: Mon, 09 May 2005 16:04:48 +0200
Product : Sophos Anti-Virus v3.93 (Client)
(SAV from now on)
OS : Microsoft Windows
Vendor informed ? : CCed on this post
What : Infected files can evade detection and be executed
- install SAV in client mode.
- download an infected file (http://www.eicar.org/download/eicar.com from
http://www.eicar.org/anti_virus_test_file.htm is a good test example) to
- on next boot/login, double click the infected file on the desktop
Result : infected file is executed with no intervention from SAV
By default SAV does not check files when written, only when read or executed.
Therefore the download does not trigger any warnings.
Note that some download software does not simply save the downloaded file, but
saves it to a temporary location and then copies it to the final destination,
which involves file reading and triggers SAV warning (IE 6.x). Some others,
like wget, try to change the file time and also trigger a warning. FireFox 1.0.3
does not trigger any warning.
On boot/login, SAV is not immediately running (can be seen also by the color of the
systray indicator icon, "InterCheck Monitor"). It takes several seconds, depending
on system configuration, until SAV is fully functional. During that time there is no
virus protection. A user can start the file he downloaded in the previous session.
Note : the used example file eicar.com does not work directly in modern Windows versions.
For testing I recommend using a short script :
command /c eicar
saved as runit.bat on the Desktop.
Affected software : Sophos Antivirus v3.93 (client mode) on MS Windows Server 2003
Probably affected software :
- Sophos Anti-Virus v3.93 (client mode) on other Windows versions
- other antivirus software, that might behave similarly (not tested by message author)
David Balazic, computer user
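
Added example (not part of the original post, and not Sophos code): a small Python audit over a constructed event timeline that measures the window between logon and scanner start described above and flags any execution that falls inside it. The event names, the log format and the file paths are assumptions made for illustration.

```python
from datetime import datetime

# Constructed timeline, not from the original post. Assumed line format:
# "<ISO timestamp> <EVENT> <path or ->"
SAMPLE_LOG = r"""
2005-05-09T09:00:00 SCANNER_READY -
2005-05-09T09:01:00 WRITE C:\Documents and Settings\u\Desktop\runit.bat
2005-05-09T09:01:30 WRITE C:\Documents and Settings\u\Desktop\notes.txt
2005-05-09T09:02:00 READ C:\Documents and Settings\u\Desktop\notes.txt
2005-05-09T09:10:00 LOGON -
2005-05-09T09:10:04 EXEC C:\Documents and Settings\u\Desktop\runit.bat
2005-05-09T09:10:12 SCANNER_READY -
2005-05-09T09:10:30 EXEC C:\WINDOWS\notepad.exe
"""

def audit(log):
    """Return (gaps, findings) for a timeline in the assumed format.

    gaps     -- seconds between each LOGON and the following SCANNER_READY
    findings -- (path, seconds_after_logon, never_scanned) for every EXEC
                that happened while the on-access scanner was not running
    """
    active = False          # is the on-access scanner running?
    logon = None            # time of the most recent LOGON
    never_scanned = set()   # files written but not yet checked on read/execute
    gaps, findings = [], []
    for line in log.strip().splitlines():
        stamp, event, path = line.split(None, 2)   # path may contain spaces
        t = datetime.fromisoformat(stamp)
        if event == "LOGON":
            active, logon = False, t               # scanner not yet started
        elif event == "SCANNER_READY":
            if logon is not None and not active:
                gaps.append((t - logon).total_seconds())
            active = True
        elif event == "WRITE":
            never_scanned.add(path)                # default: writes are not scanned
        elif event in ("READ", "EXEC"):
            if active:
                never_scanned.discard(path)        # on-access check took place
            elif event == "EXEC":
                delay = (t - logon).total_seconds() if logon else None
                findings.append((path, delay, path in never_scanned))
    return gaps, findings

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```
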