Subject: Re: Bypass Virus Checking
From: David Harley (harley@ICRF.ICNET.UK)
Date: Fri Feb 04 2000 - 01:58:19 CST


> response. Oh, and in case you're wondering, there was only a difference
> of one byte between our copies of EICAR.COM. Mine terminated in an <LF>,
> Ed's in a <CR><LF>.

That can be significant. There've been quite a few differences in
implementation in detection of the EICAR test file over the years,
and it's been known for a product to fail precisely because of
the length of the file. Other anomalies have included a
surprising degree of pattern-matching fuzziness, and undue
flexibility about positioning. The spec. requires the EICAR
string to be right at the beginning of the file, but doesn't
specify whether anything can follow it. There was even an
instance a few years back of a scanner which alerted on an
informatory text file containing the EICAR string somewhere in
the middle.

Hopefully, all current scanners handle the EICAR string
'correctly'. But I wouldn't bet the family jewels on it.

You're right, by the way: there is anti-virus software
which only scans a file for known viruses if integrity
checking flags a change.

--
David Harley <D.Harley@icrf.icnet.uk>
<harley@sherpasoft.org.uk> | <D_Harley@iname.com>
<http://www.sherpasoft.org.uk/>
.sig under re-construction.....
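The three detection anomalies described above (failing on file length, so an LF-terminated copy is caught but a CRLF-terminated one is not; matching the string anywhere in a file rather than at offset 0; and fuzziness about what may follow the string) can be reproduced side by side. The code below is an added illustration, not part of the original message or of any scanner's source. The only facts it relies on are the public EICAR string itself and the rule in the current EICAR guidance (an assumption stated here, since the message says the spec of the time was silent on it) that the string must start at the beginning of the file, may be followed only by whitespace, and that the file must be no longer than 128 bytes in total. The sample files are constructed inline; the string is split into two halves so that this listing is not itself a complete EICAR file.

```python
"""Compare a spec-conformant EICAR check with two of the 'fuzzy' and
'fragile' behaviours described in the message above (added example)."""

# The 68-byte EICAR test string, assembled from two halves.
EICAR_PREFIX = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
EICAR_SUFFIX = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
EICAR = EICAR_PREFIX + EICAR_SUFFIX
assert len(EICAR) == 68

# Assumed from the current EICAR guidance: at most 128 bytes total,
# and only whitespace / CTRL-Z may follow the string.
MAX_FILE_LEN = 128
ALLOWED_TRAILER = b" \t\r\n\x1a"


def strict_eicar(data: bytes) -> bool:
    """Spec-style check: string at offset 0, whitespace-only trailer,
    whole file no longer than MAX_FILE_LEN bytes."""
    if len(data) > MAX_FILE_LEN or not data.startswith(EICAR):
        return False
    return all(b in ALLOWED_TRAILER for b in data[len(EICAR):])


def exact_length_eicar(data: bytes) -> bool:
    """Fragile check that keys on one exact byte length/terminator.
    This is the kind of implementation that fails on the CRLF copy."""
    return data == EICAR + b"\n"


def substring_eicar(data: bytes) -> bool:
    """Over-flexible check: matches the string anywhere in the file,
    so a text file that merely quotes it is flagged."""
    return EICAR in data


# Constructed sample files (not real captures).
SAMPLES = {
    "lf":       EICAR + b"\n",
    "crlf":     EICAR + b"\r\n",
    "bare":     EICAR,
    "mid_text": b"Note: the EICAR test string is " + EICAR + b" and is harmless.\n",
    "padded":   EICAR + b"\n" + b"A" * 100,   # 169 bytes, non-whitespace tail
}

DETECTORS = {
    "strict": strict_eicar,
    "exact_length": exact_length_eicar,
    "substring": substring_eicar,
}


def run_matrix() -> dict:
    """Return {detector: {sample: verdict}} for every combination."""
    return {name: {s: fn(data) for s, data in SAMPLES.items()}
            for name, fn in DETECTORS.items()}


if __name__ == "__main__":
    for det, verdicts in run_matrix().items():
        print(f"{det:13s}", " ".join(f"{s}={'Y' if v else 'n'}"
                                     for s, v in verdicts.items()))
```

Running it shows the point of the message: the strict check accepts the LF, CRLF and bare variants alike and rejects both the text file that merely quotes the string and the padded file; the exact-length check misses the CRLF copy, which is exactly the one-byte difference noted in the quoted text; and the substring check alerts on the text file that mentions the string in the middle.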