OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: David Sexton (dave.sextonsapphire.net)
Date: Tue Feb 05 2002 - 03:14:06 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Err.. I beg to differ:

    ----------------

    SWEEP virus detection utility
    Version 3.54, Monday, February 04, 2002
    Includes detection for 71830 viruses, trojans and worms
    Copyright © 1989, 2001, Sophos Plc, www.sophos.com

    Info: Immediate job started by xxxx at 8:57 on Tuesday, February 05, 2002

    Items to be swept:
            "All Master Boot Sectors"
            Drive C: Sector 0
            c:\temp\*.* and all subfolders

    Scanning options:
            Quick mode,
            excluding off-line files

    Sweeping:
            Disk 80 Cylinder 0 Head 0 Sector 1
            Drive C: Sector 0
            
    C:\TEMP\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\12
    34567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1
    234567890\1234567890\1234567890\1234567890\1234567890\1234567890\123456789\1
    234567890...\EICAR.TXT
    Virus: 'EICAR-AV-Test' detected in
    C:\TEMP\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\12345
    6~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\
    123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\EICAR.TXT
            No action taken

            
    C:\TEMP\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\12
    34567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1
    234567890\1234567890\1234567890\1234567890\1234567890\1234567890\123456789\1
    234567890...\EICAR2.COM
    Virus: 'EICAR-AV-Test' detected in
    C:\TEMP\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\12345
    6~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\
    123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\EICAR2.COM
            No action taken

            
    C:\TEMP\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\12
    34567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1
    234567890\1234567890\1234567890\1234567890\1234567890\1234567890\123456789\t
    emp\1234567890...\EICAR.TXT
    Virus: 'EICAR-AV-Test' detected in
    C:\TEMP\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\12345
    6~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\
    123456~1\123456~1\123456~1\123456~1\temp\123456~1\123456~1\123456~1\123456~1
    \123456~1...\EICAR.TXT
            No action taken

            
    C:\TEMP\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\12
    34567890\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890\1
    234567890\1234567890\1234567890\1234567890\1234567890\1234567890\123456789\t
    emp\1234567890...\EICAR3.COM
    Virus: 'EICAR-AV-Test' detected in
    C:\TEMP\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\12345
    6~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\123456~1\
    123456~1\123456~1\123456~1\123456~1\temp\123456~1\123456~1\123456~1\123456~1
    \123456~1...\EICAR3.COM
            No action taken

    Info: Immediate job completed at 8:57 on Tuesday, February 05, 2002
            11 items swept, 4 viruses detected, 0 errors

    -------

            Sophos seems to truncate the paths for the sake of the report, but
    they are long (the second one exceeding 256 characters even when using the
    '~' notation.
            Those eicar files are still there from when I originally tested
    (with 3.53 [January's update]). Obviously explorer was unable to delete
    them.

            The platform tested was Win2000 SP2 (before and after the recent
    security roll-up patch). I have not tried NT4.

            Regards,

    Dave

    > -----Original Message-----
    > From: Frank Heyne [SMTP:fhrcs.urz.tu-dresden.de]
    > Sent: Monday, February 04, 2002 7:15 PM
    > To: bugtraqsecurityfocus.com; hans.somershccnet.nl
    > Subject: Re: Long path exploit on NTFS
    >
    > On 4 Feb 2002, at 10:26, Hans Somers wrote:
    >
    > > Not Vunerable:
    > > --------------
    > > *1
    > > Sophos Anti-Virus v3.53
    >
    > This is not true.
    >
    > According to my own tests, Sophos Anti-Virus v3.53
    > is unable to find virii in deeply nested NTFS subdirectories on NT 4.
    >
    >
    >
    > Frank Heyne
    >

    -----------------------------------------------
    Any opinions expressed in this message are those of the individual and not necessarily the company. This message and any files transmitted with it are confidential and solely for the use of the intended recipient. If you are not the intended recipient or the person responsible for delivering to the intended recipient, be advised that you have received this message in error and that any use is strictly prohibited.

    Sapphire Technologies Ltd
    http://www.sapphire.net