Nmap Development mailing list archives

Re: Latest dist v5.2


From: Michael Pattrick <mpattrick () rhinovirus org>
Date: Thu, 21 Jan 2010 20:01:16 -0500

On Thu, Jan 21, 2010 at 3:56 PM, Ron <ron () skullsecurity net> wrote:
> Another alternative, that Patrik mentioned to me, is to encode/encrypt the
> .exe on our side then decrypt it in memory before uploading.
>
> On one hand, it's sort of the best of both worlds. On the other hand,
> evading antivirus has that malicious feeling to it..


It's probably the best temporary solution. Pulling psexec at a later
date may be perceived as 'phoning home'. When I first saw this thread,
encoding the offending file as a raw deflate stream was the first
thing that came to mind, but adding a zlib dependency is probably
overkill. XOR/ROL'ing the entire file and changing the extension is
probably the fastest short term solution.

However, that only fixes the A/V issue for users who don't run the
script. Even if we distribute it separately, users with the offending
A/V will still get a virus alert when they try to download it. Getting
the A/V vendors to ignore this false positive is the only real
solution.

-Michael
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
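The XOR/ROL scheme Michael sketches above, as an added example in Python (not Nmap project code and not an NSE script; the real transform would be applied at packaging time and reversed in the Lua script before upload). The key `nmap`, the rotate amount of 3, and the MZ/DOS-stub sample blob are constructed assumptions standing in for the bundled psexec binary; the point is that the shipped bytes no longer carry the PE header or DOS-stub string a byte-signature scanner would match, while a one-line inverse restores the original exactly.

```python
"""Reversible XOR + rotate-left obfuscation of a binary blob, round-tripped in memory.

Added example illustrating the 'XOR/ROL the entire file' idea from the thread.
KEY, ROT and SAMPLE_EXE are assumptions made for this demonstration.
"""
import hashlib

KEY = b"nmap"   # assumed repeating XOR key (ships alongside the script)
ROT = 3         # assumed per-byte rotate-left amount, must be 1..7

# Constructed stand-in for a Windows executable: MZ magic plus the usual DOS stub text.
SAMPLE_EXE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"This program cannot be run in DOS mode.\r\r\n$\x00"
    + bytes(range(256))            # arbitrary payload bytes covering every value
)


def rol8(b: int, n: int) -> int:
    """Rotate an 8-bit value left by n bits (1..7)."""
    return ((b << n) | (b >> (8 - n))) & 0xFF


def ror8(b: int, n: int) -> int:
    """Rotate an 8-bit value right by n bits; inverse of rol8 for the same n."""
    return ((b >> n) | (b << (8 - n))) & 0xFF


def _check_params(key: bytes, rot: int) -> None:
    if not key:
        raise ValueError("key must not be empty")
    if not 1 <= rot <= 7:
        raise ValueError("rotate amount must be between 1 and 7")


def encode(data: bytes, key: bytes = KEY, rot: int = ROT) -> bytes:
    """Packaging side: XOR each byte with the repeating key, then rotate left."""
    _check_params(key, rot)
    return bytes(rol8(b ^ key[i % len(key)], rot) for i, b in enumerate(data))


def decode(data: bytes, key: bytes = KEY, rot: int = ROT) -> bytes:
    """Script side: rotate right, then XOR with the same key; exact inverse of encode."""
    _check_params(key, rot)
    return bytes(ror8(b, rot) ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(blob: bytes) -> bool:
    """Crude byte-signature check of the kind a static scanner might apply."""
    return blob[:2] == b"MZ" and b"This program cannot be run in DOS mode" in blob


def roundtrip_digests(data: bytes) -> tuple:
    """Return (sha256 of input, sha256 after encode+decode) so equality can be verified."""
    restored = decode(encode(data))
    return hashlib.sha256(data).hexdigest(), hashlib.sha256(restored).hexdigest()


if __name__ == "__main__":
    obfuscated = encode(SAMPLE_EXE)
    print("original matches PE signature:", looks_like_pe(SAMPLE_EXE))
    print("encoded  matches PE signature:", looks_like_pe(obfuscated))
    before, after = roundtrip_digests(SAMPLE_EXE)
    print("round-trip intact:", before == after)
```

This is obfuscation, not encryption: the key and rotation live next to the encoded file, so it only defeats static byte-signature matching on the shipped artifact. As Michael notes, a separately downloaded copy of the original binary will still be flagged, and once the script decodes it in memory any scanner that inspects that buffer sees the original bytes again.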

