RE: [Full-disclosure] Re: Multiple AV Vendor Incorrect CRC32 Bypass Vulnerability.
From: bipin gautam (visitbipinyahoo.com)
Date: Sat Mar 12 2005 - 01:57:40 CST
> While it might be a vulnerability if the file is
> extracted, which it has to be to be executed, the
> desktop scanner will detect it at that time.
> Multiple layers of defense is your best option.
> As far as number 3, Antigen detects Eicar.
YAP, I never reported Antigen vulnerable to the 3rd
Though, in the local file header, if you modify the "general
purpose bit flag" 7th & 8th byte of a zip archive
with \x2f, Antigen also seems to be vulnerable! While
most unzip utilities are transparently able to extract
SUCH* archive without any problem! Though, currently my
only source of verifying this is via
www.virustotal.com and some others. [Go, TRY IT
> I can see if there is anything
> else that you do not
> think Antigen is doing correctly.
In the "local file header" & "data descriptor", if you
change the compressed size and uncompressed size to
ZERO [iDEFENSE] or greater than the actual file size or
less than the actual file size, there are still many AV
that can't scan the file properly.
Moreover, there are unzip utilities that go into a loop
if the file size is changed to ffffffff! Let's hope AV
don't have such faulty code!
Just run the file through www.virustotal.com and
you'll see. (I know, they aren't using up-to-date scan
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://www.secunia.com/
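
A defender-side check for the header inconsistencies discussed in this message, as an added example that is not part of the original post: it compares each member's local file header with its central directory entry and reports disagreements in the flag, CRC and size fields. The function names and the sample archives are constructed for illustration.

```python
import io
import struct
import zipfile

FIELDS = ("flags", "crc32", "compressed_size", "uncompressed_size")

def local_header_mismatches(data: bytes) -> list:
    """Return (member, field, local_value, central_value) for each disagreement."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:  # reads the central directory only
        for info in zf.infolist():
            raw = data[info.header_offset:info.header_offset + 30]
            if len(raw) < 30 or raw[:4] != b"PK\x03\x04":
                findings.append((info.filename, "signature", raw[:4], b"PK\x03\x04"))
                continue
            # Local file header: signature, version, flags, method, time, date,
            # crc32, compressed size, uncompressed size, name length, extra length
            _, _, flags, _, _, _, crc, csize, usize, _, _ = struct.unpack("<4s5H3I2H", raw)
            local = dict(zip(FIELDS, (flags, crc, csize, usize)))
            central = dict(zip(FIELDS, (info.flag_bits, info.CRC,
                                        info.compress_size, info.file_size)))
            streamed = bool(flags & 0x0008)  # bit 3: values live in the data descriptor
            for field in FIELDS:
                if streamed and field != "flags" and local[field] == 0:
                    continue  # zeros are legitimate when a data descriptor follows
                if local[field] != central[field]:
                    findings.append((info.filename, field, local[field], central[field]))
    return findings

def constructed_samples() -> dict:
    """Constructed test data: one clean archive and two copies with altered local headers."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("note.txt", b"harmless test content")
    clean = buf.getvalue()
    zero_sizes = bytearray(clean)
    zero_sizes[18:26] = struct.pack("<2I", 0, 0)  # both size fields zeroed
    flag_2f = bytearray(clean)
    flag_2f[6] = 0x2F                             # 7th byte: low byte of the flag field
    return {"clean": clean, "zero_sizes": bytes(zero_sizes), "flag_2f": bytes(flag_2f)}

if __name__ == "__main__":
    for name, data in constructed_samples().items():
        print(name, local_header_mismatches(data))
```

A scanner or mail gateway can treat any non-empty result as grounds to quarantine the archive or to rescan it using the central directory values.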