RE: Exploiting Multiple Flaws in Symantec Antivirus 2004 for Windows Mobile (fwd)
---------- Forwarded message ----------
> From: <auto9115@xxxxxxxxxxxx>
> Subject: [Full-Disclosure] Exploiting Multiple Flaws in Symantec 
> Antivirus 2004 for Windows Mobile
> 
> Vulnerability #2: The Virus scanner does not appear to work at all!
> 
> Like any antivirus scanner, Symantec detects the Eicar test virus 
> (eicar.exe or eicar.txt). At least, at first glance it appears to 
> detect it. However, you can easily defeat this by adding a few 
> bytes of random text before or after the Eicar string.  For example, 
> if you use a hex/text editor to add a few random bytes of text before 
> and after the string, then Symantec won't detect it!  However, other 
> AVs easily detect it, as they should. An AV scanner should be able 
> to detect a byte stream anywhere in the file, but Symantec is easily 
> bypassed with this rudimentary trick.

The discussion of when to detect the EICAR test virus has been long,
heated and on-going, but a few simple facts remain that we can quote
directly from EICAR themselves. From
http://www.eicar.org/anti_virus_test_file.htm we can read:
"Any anti-virus product that supports the EICAR test file should detect
it in any file providing that the file starts with the following 68
characters, and is exactly 68 bytes long"
"The first 68 characters is the known string. It may be optionally
appended by any combination of whitespace characters with the total file
length not exceeding 128 characters. The only whitespace characters
allowed are the space character, tab, LF, CR, CTRL-Z."
The test string has to be at the start of the file and you're only
allowed to append the above whitespace characters after the end of the
test string, up until a file length of 128 characters (60 whitespace
characters).
Since you added random bytes of text, which are not whitespace, at both
start and end, your file was no longer the EICAR test virus file.
We can argue from this day to the heat death of the sun about whether
the heuristic engine in the AV product should have caught these
variations and whether that engine might deliberately not check the
EICAR test virus for variations, but only EICAR and the specific AV
vendors can provide their views on why they choose to do as they did.
Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher
http://www.pivx.com/larholm/unpatched - Unpatched IE vulnerabilities
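The EICAR rules quoted above (68-byte signature at offset 0, only space/tab/LF/CR/CTRL-Z after it, total length at most 128 bytes) are easy to get wrong when hand-building test samples. The following checker is an added example, not code from the thread, from Symantec or from EICAR; the sample inputs it builds are constructed to mirror the cases discussed (exact file, whitespace padding, and the original poster's prefixed/suffixed variant), and the function and variable names are my own.

```python
# Added example: checks whether a byte blob is a conformant EICAR test file
# under the rules quoted from eicar.org in the reply above. Intended for AV
# regression tests, where you want to know whether an edited sample is still
# an EICAR file a scanner is expected to flag, or has become something else.

from typing import Dict, Tuple

# The published 68-character EICAR test string. Raw bytes literal so the
# backslash in "[4\PZX" is kept as a single byte.
EICAR_SIGNATURE = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Whitespace EICAR permits after the string: space, tab, LF, CR, CTRL-Z.
# Iterating a bytes object yields ints, so membership tests use byte values.
ALLOWED_TRAILING = frozenset(b" \t\n\r\x1a")

MAX_FILE_LENGTH = 128


def check_eicar_file(data: bytes) -> Tuple[bool, str]:
    """Return (conformant, reason) for a candidate EICAR test file.

    Conformant means: the file starts with the 68-byte signature, every
    byte after it is one of the permitted whitespace characters, and the
    total length does not exceed 128 bytes.
    """
    if len(data) > MAX_FILE_LENGTH:
        return False, f"file is {len(data)} bytes, limit is {MAX_FILE_LENGTH}"
    if not data.startswith(EICAR_SIGNATURE):
        # Distinguish "not there at all" from "there, but not at offset 0",
        # the latter being what prepending random text produces.
        offset = data.find(EICAR_SIGNATURE)
        if offset == -1:
            return False, "signature not present"
        return False, f"signature found at offset {offset}, must be at offset 0"
    trailer = data[len(EICAR_SIGNATURE):]
    bad = [b for b in trailer if b not in ALLOWED_TRAILING]
    if bad:
        return False, f"{len(bad)} non-whitespace byte(s) after the signature"
    return True, "conformant EICAR test file"


def build_samples() -> Dict[str, bytes]:
    """Constructed sample files (not real captures) mirroring the thread."""
    padding = MAX_FILE_LENGTH - len(EICAR_SIGNATURE)  # 60 bytes of room
    return {
        "exact": EICAR_SIGNATURE,
        "trailing_newline": EICAR_SIGNATURE + b"\r\n",
        "max_padding": EICAR_SIGNATURE + b" " * padding,
        "padding_too_long": EICAR_SIGNATURE + b" " * (padding + 1),
        # Random text before and after, as in the original post (constructed).
        "prefixed_and_suffixed": b"abc" + EICAR_SIGNATURE + b"xyz",
        "suffixed_text": EICAR_SIGNATURE + b"junk",
    }


if __name__ == "__main__":
    for name, blob in build_samples().items():
        ok, reason = check_eicar_file(blob)
        print(f"{name:24s} {'OK' if ok else 'NO'}  {reason}")
```

Run it directly to see each constructed sample classified with a reason. Only the first three samples are EICAR files under the quoted rules; the prefixed/suffixed variant from the original post fails the offset-0 rule, which is the point the reply makes.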