Full Disclosure mailing list archives

Re: McAfee VirusScan Enterprise 8.0.0 Misidentifies EICAR Test File
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Sun, 11 Jun 2006 12:46:25 +1200

TheGesus wrote:

> REVISION 1.1
> ===========
> Without "offensive" language.

Where's the fun in that??    8-)

> PROBLEM
> ========
>
> McAfee VirusScan Enterprise 8.0.0 (tested unpatched and with Patch 11)
> using the 4781 DAT file (dated 06/09/2006, perhaps also previous) and
> engine 4400 incorrectly identifies the "industry standard" EICAR test
> file as Elspy.worm .

Actually, it doesn't.

I mean, I take your word for it that, in your testing, VirusScan
detected "Elspy.worm" as a result of running that .CMD file (my own
tests with a console version of VirusScan against the "testfile"
resulting from the following reported "Found the Elspy.worm virus !!!",
so I'm happy to accept the on-access scanner will do something
similar), but VirusScan is NOT detecting this in 'the "industry
standard" EICAR test file'.

> PROOF OF CONCEPT
> =================
> @echo off
> :looper
> REM Make file >128 bytes #################
> REM ######################################
> REM ######################################
> REM ######################################
> echo X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*>testfile
> goto looper
>
> Cut & paste the above into Notepad (lines may wrap), save as a Windows
> CMD file & run it.

You mention "CMD" so I'm assuming the version(s) of Windows you tested
this on were NT-based rather than Win16 or Win9x.

> VirusScan will report an instance of Elspy.worm once every three seconds (YMMV).

As I already said, I'll take your word for this detection, BUT your
claim is outright wrong.

Did you actually look at the "testfile" created by your naïve .CMD
file?

The first thing I noticed was that it was the wrong size.  I expected
it would be 69 bytes (more on why in a moment), but in fact it was even
shorter at 68 bytes.

68 bytes is the length of the bare test string.  The official EICAR
specification for the test file:

   http://www.eicar.org/anti_virus_test_file.htm

says that the file MUST start with the 68-byte string we see in your
.CMD file and that it "may be optionally appended by any combination of
whitespace characters with the total file length not exceeding 128
characters. The only whitespace characters allowed are the space
character, tab, LF, CR, CTRL-Z."

As the ECHO command necessarily emits a CRLF line-break, had your .CMD
file worked as expected, one would have seen "testfile" at 70 bytes
(the 68 of the EICAR test string, plus the two from ECHO's CRLF).

I said I was, however, expecting it to be 69 bytes.  Why?

Well, you did not escape the "%" character (the sixth in the EICAR test
string), and _within .BAT and .CMD file_ these have special meaning,
such that they are stripped unless protected by escaping ("%%"), and
possibly in some instances with quoting.

In actuality though, "testfile" ends up being 68 bytes.  A quick look
at "testfile" shows that the caret ("^"; the 20th character in the
EICAR test string) has also been dropped, reminding me that it is also
a special character (even at the bare commandline this time) and must
also be escaped/quoted if intended to be treated as a literal.

> RISK FACTOR
> ===========
> I dunno... you could probably make your "Enterprise AntiVirus
> Administrator" look like a clueless idiot.  That's always fun!

If this makes him/her look any more of a clueless idiot than it makes
you look, then I guess, as they say, your organization has bigger
problems...

> ADMISSION OF LAMENESS
> =====================
> Yes, this is lame.  It is also stupid that an "Enterprise" antivirus
> package cannot identify an EICAR test file properly.  That's not MY
> problem.  Also, I did ZERO research on this so if someone else has
> already published, mea culpa.

Now, I'm not entirely disagreeing that it is strange that VirusScan
detects this weirdly mutant, "non-EICAR test file", but it certainly is
NOT mis-identifying 'the "industry standard" EICAR test file'.

As for your lameness in missing that the file you were generating was
NOT the file you were trying to generate -- I'll leave that up to
others to decide...

> VENDOR NOTIFICATION
> ==================
> None.

Pity -- you might have saved yourself the embarrassment of this public
disclosure of your lameness.

> HOLLA
> =====
> Greetz to Dad & the Woolly Spook!

They must be sooooo proud of you...


Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
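The following is an added example, written for this archive page; it is not code from either poster or from McAfee. It implements the EICAR file rules quoted in the reply above (the file must start with the 68-byte test string, may be followed only by space, tab, LF, CR or CTRL-Z, and may not exceed 128 bytes) as a small validator, so that a defender can confirm that a test file they are about to drop on a host is actually one the specification covers before drawing conclusions from how a scanner labels it. It also carries a deliberately narrow model of what the unescaped ECHO line produced (the lone "%" and the "^" dropped, CRLF appended), which is exactly what the reply describes and nothing more. The function names check_eicar and batch_echo_output are mine, and the sample inputs are constructed in the test rather than read from disk.

```python
"""Validate a candidate EICAR test file against the published rules.

Added example, not part of the original thread. The rules implemented are
the ones quoted in the reply: the file must begin with the 68-byte test
string and may be followed only by space, tab, LF, CR or CTRL-Z, with the
whole file no longer than 128 bytes.
"""
from __future__ import annotations

# The 68-byte test string is assembled from two halves so that this source
# file does not itself contain the literal signature (an on-access scanner
# would otherwise quarantine the script). The concatenation is the canonical
# string shown in the post.
EICAR_STRING = (
    b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
    + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
)
assert len(EICAR_STRING) == 68

# Trailing bytes the specification permits: space, tab, LF, CR, CTRL-Z.
ALLOWED_TRAILING = frozenset(b" \t\n\r\x1a")
MAX_LENGTH = 128


def check_eicar(data: bytes) -> tuple[bool, str]:
    """Return (is_valid, reason) for the bytes of a candidate test file."""
    if len(data) > MAX_LENGTH:
        return False, f"file is {len(data)} bytes, limit is {MAX_LENGTH}"
    if not data.startswith(EICAR_STRING):
        # Report the first byte that differs so a mangled copy is easy to diagnose.
        for pos, (got, want) in enumerate(zip(data, EICAR_STRING), start=1):
            if got != want:
                return False, (
                    f"byte {pos} is {bytes([got])!r}, expected {bytes([want])!r}"
                )
        return False, f"file is only {len(data)} bytes; the test string alone is 68"
    tail = data[len(EICAR_STRING):]
    bad = [b for b in tail if b not in ALLOWED_TRAILING]
    if bad:
        return False, f"disallowed trailing byte {bytes([bad[0]])!r}"
    return True, "valid EICAR test file"


def batch_echo_output(line: bytes) -> bytes:
    """Model what the unescaped ECHO line in the post actually wrote.

    This is a narrow model of the behaviour the reply describes, not a
    cmd.exe parser: the unpaired '%' and the '^' escape character are
    dropped, and ECHO terminates the line with CRLF.
    """
    return line.replace(b"%", b"").replace(b"^", b"") + b"\r\n"


if __name__ == "__main__":
    # What the batch file in the post produced versus what it meant to produce.
    mutant = batch_echo_output(EICAR_STRING)
    print(len(mutant), check_eicar(mutant))                 # 68 (False, 'byte 6 ...')
    intended = EICAR_STRING + b"\r\n"
    print(len(intended), check_eicar(intended))             # 70 (True, ...)
```

Running the module shows the two numbers from the reply side by side: the mangled output is 68 bytes and fails at byte 6 (the missing "%"), while the line the poster intended would have produced a 70-byte file that the rules accept. Deploying the validator on a file before using it for scanner testing avoids exactly the confusion the thread is about.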
