Re: iDEFENSE Security Advisory 10.05.04b: Symantec Norton AntiVirus Reserved Device Name Handling Vulnerability
From: bipin gautam <visitbipin () yahoo com>
Date: Tue, 5 Oct 2004 20:02:46 -0700 (PDT)
What a coincidence, this is what I was talking about with a few others in the list... a day back!!! I myself saw this behavior...... (I was a few days short). Hey guys, you were telling me, "Antiviral vendors are aware of this problem, it was discussed in the past." So??? iDEFENSE took away my upcoming advisory.

3APA3A, do you work for iDEFENSE???????

ANYWAYS, this isn't the first time an advisory has coincided with another........
--- 3APA3A <3APA3A () SECURITY NNOV RU> wrote:

Dear bipin gautam,

Actually my super antivirus easily detects eicar in nul.con. For example, for c:\NUL.CON\eicar.com

Antiviral vendors are aware of this problem, it was discussed in the past.

--Saturday, October 2, 2004, 9:57:52 PM, you wrote to full-disclosure () lists netsys com:

OK. I just wrote a new super antivirus. Its databases currently consist of only the eicar.com signature (I'm very new to this business) but it 100% detects EICAR in the file with removed
Now, there is at least one antivirus to break

bg> good example 3APA3A to teach those software
bg> anyways... here is an archive,
bg> Extract the archive by using "DEFAULT ZIP
bg> windows xp. It will create a file "NULL.con" (O;
bg> within which there is a "eicar test string
bg> I don't think your super AV will detect the
bg> test string file" within "NULL.con" folder???
bg> anyways... let me know HOW? when you figure out
bg> to delete "NULL.con" directory.
The problem specifically exists in attempts to scan directories named as reserved MS-DOS devices. Reserved MS-DOS device names are a holdover from the original days of Microsoft DOS. The reserved MS-DOS device names represent devices such as the first printer port (LPT1) and the first serial communication port (COM1). Reserved MS-DOS device names include AUX, CON, PRN, COM1 and LPT1. If a virus stores itself in a reserved device name it can avoid detection by Symantec Norton AntiVirus when the system is scanned. Symantec Norton AntiVirus will scan the files and folders containing the virus and fail to detect or report them. Reserved device names can be created with standard Windows utilities by specifying the full Universal Naming Convention (UNC) path. The following command will successfully copy a file to the reserved device name 'aux' on the C:\ drive:

copy source \\.\C:\aux
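An added example (my code, not part of this thread or the iDEFENSE advisory): a Python helper a defender can use to check whether paths reported by a scan contain reserved MS-DOS device names under the Win32 naming rule the advisory describes, and to produce the \\.\ device-namespace form that the advisory's copy command uses for reaching such paths literally. The sample paths are constructed.

```python
import re

# Win32 reserved MS-DOS device names; COM0/LPT0 and COM10+ are not reserved.
RESERVED_DEVICE_NAMES = ({"CON", "PRN", "AUX", "NUL"}
                         | {f"COM{i}" for i in range(1, 10)}
                         | {f"LPT{i}" for i in range(1, 10)})

# Constructed sample paths, as a scanner's directory walk might report them.
SAMPLE_PATHS = [
    r"C:\Users\alice\report.txt",
    r"C:\NUL.CON\eicar.com",       # directory named after the NUL device
    r"C:\aux",                     # file created via \\.\C:\aux
    r"C:\temp\COM10\notes.txt",    # COM10 is an ordinary name
    r"D:\share\lpt1.\sample.bin",  # Win32 strips the trailing dot
]

def is_reserved_device_name(component: str) -> bool:
    """True if Win32 would treat this path component as a device.
    Trailing spaces/dots are stripped and only the text before the first
    '.' is compared, case-insensitively, so 'NUL.CON' and 'lpt1.' match."""
    base = component.rstrip(" .").split(".", 1)[0]
    return base.upper() in RESERVED_DEVICE_NAMES

def find_reserved_components(win_path: str) -> list:
    """Return every component of a Windows path that is a reserved name."""
    path = win_path
    if path.startswith(("\\\\.\\", "\\\\?\\")):
        path = path[4:]                   # already in the device namespace
    parts = [p for p in re.split(r"[\\/]+", path) if p]
    if parts and re.fullmatch(r"[A-Za-z]:", parts[0]):
        parts = parts[1:]                 # drop the drive letter
    return [p for p in parts if is_reserved_device_name(p)]

def to_device_namespace(win_path: str) -> str:
    r"""Prefix a drive-letter path with \\.\ so Win32 opens it literally."""
    return win_path if win_path.startswith("\\\\") else "\\\\.\\" + win_path

def triage(paths):
    """(path, reserved components, literal path) for every flagged entry."""
    return [(p, find_reserved_components(p), to_device_namespace(p))
            for p in paths if find_reserved_components(p)]

if __name__ == "__main__":
    for path, bad, literal in triage(SAMPLE_PATHS):
        print(f"{path}: reserved component(s) {bad}; open as {literal}")
```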
Full-Disclosure - We believe in it.