From: Andreas Marx (amarxgega-it.de)
Date: Thu Aug 02 2001 - 04:11:44 CDT

    Hello,

    we, the Anti-Virus Test Team at the University of Magdeburg, have looked at
    this issue about problematic filenames like "AUX", "NUL" or ".." inside
    archives now on 39 security-related programs like anti-virus scanners
    (Norton, McAfee, CA, AntiVir, AVX, Kaspersky etc.) as well as anti-trojan
    programs (Ants, Anti-Trojan, Tauscan, etc.) To make it short: Most programs
    are not affected.

    The first test includes file names like "NUL.EXE", "AUX.EXE", "LPT1.EXE"
    and "CLOCK$.EXE" in archive files (please note, that "NUL" and "NUL.EXE"
    have exactly the same behaviour, we just used "EXE" to make sure a scanner
    will really try to check this file in the archive). Archive types tested:
    ZIP and ARJ.

    Result: Only *one* program *crashes* (it is a nearly unknown and not widely
    distributed anti-trojan scanner, vendor was notified about this issue) on
    both ARJ and ZIP archives, most other programs are still able to find the
    infected file (if they scan archives).

    The second test includes file names like "../TEST.EXE" up to
    "../../../../../TEST.EXE" in ZIP archives. No program drops the TEST.EXE
    file somewhere on drive C:. All scanners who found the original (not
    packed) file were still able to find the virus in the malformed archive.
    Therefore, there is no "scanner drops possible infected files" (Bat/WinRip
    issue) anymore - all vendors have fixed possible problems at least one year
    ago. (We have tested older and newer versions of the programs on this issue.)

    Therefore, there is no risk of scanning such malformed archives using av
    programs. However, most current archivers (according to 3APA3A's report)
    still have a problem - and a lot of other programs, too. We have verified this
    during our test if the archives are really malformed. ;-) - Some crash on
    files like "NUL.EXE", others drop files from the ZIP archive to "somewhere"
    on the disc...

    cheers,
    Andreas

    btw, our newest anti-virus scanner test for both Lotus Notes 4/5 and MS
    Exchange 5.5/2000 Groupware is now available at http://www.av-test.org for
    download and as an online representation ("interactive" tables and bar plots).

    -- 
    Andreas Marx <amarxgega-it.de>, http://www.av-test.de
    GEGA IT-Solutions GbR, Klewitzstr. 7, 39112 Magdeburg, Germany
    Tel: 0391/6075466, Mobil: 0177/6133033, Fax: 0391/6075469
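
The two member-name classes tested in the message above (DOS device names such as "NUL.EXE", and "../" traversal names) can be flagged before any extraction takes place. The following is an added example, not part of the original post or of any tested product: the function names and the sample archive are constructed for illustration, and the reserved-name list goes beyond the names in the post by including the other standard Windows device names (CON, PRN, COM1-9, LPT2-9).

```python
import io
import zipfile

# DOS device names; the post notes "NUL" and "NUL.EXE" behave identically,
# so the extension is ignored when matching.
RESERVED = {"CON", "PRN", "AUX", "NUL", "CLOCK$"} | {
    f"{p}{n}" for p in ("COM", "LPT") for n in range(1, 10)
}

def check_member(name):
    """Return a list of reasons why an archive member name is unsafe to extract."""
    reasons = []
    norm = name.replace("\\", "/")
    if norm.startswith("/") or (len(norm) > 1 and norm[1] == ":"):
        reasons.append("absolute path")
    parts = [p for p in norm.split("/") if p not in ("", ".")]
    if ".." in parts:
        reasons.append("parent-directory traversal")
    for part in parts:
        # Conservative match: compare only the text before the first dot.
        stem = part.split(".", 1)[0].rstrip(" ").upper()
        if stem in RESERVED:
            reasons.append(f"reserved device name: {part}")
    return reasons

def audit_zip(data):
    """Map each unsafe member name in a ZIP (bytes) to its reasons; never extracts."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # orig_filename is the name exactly as stored in the archive.
            reasons = check_member(info.orig_filename)
            if reasons:
                findings[info.orig_filename] = reasons
    return findings

def build_sample():
    """Constructed test archive using the member names from the post."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("README.TXT", "NUL.EXE", "AUX.EXE", "LPT1.EXE",
                     "CLOCK$.EXE", "../TEST.EXE", "../../../../../TEST.EXE"):
            zf.writestr(name, b"constructed sample data")
    return buf.getvalue()

if __name__ == "__main__":
    for member, why in audit_zip(build_sample()).items():
        print(member, "->", "; ".join(why))
```

The audit reads only the central directory, so a tool can reject or rename flagged members before it opens any output file.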