Re: Bypass Virus Checking

From: Max Vision (visionat_private)
Date: Mon Jan 31 2000 - 18:09:02 PST

    I can confirm that this default exclusion behavior is present in Norton
    Anti-Virus 2000 (2000.00.02, definitions date 1/24/2000)
    
    Here is a fix that will cause NAV to stop excluding "\Recycled\*.*" as it
    does by default:
    
    begin 644 exclude.dat.gz
    M'XL(")Y%EC@``V5X8VQU9&4N9&%T`(MQ]O=S\W37"XX,9A@<0()!2R_,TWZ@
    MG8$,&%F`;G+Q=QYH=R`#1@FPFT(&VAW(`.PF9Q_'@78',@"[*<)G4*4G8!IW
    MC7!V]=%SC7`=:*?``*,0HY9>0,!@2T_AGG[A_D$N@R>D@.$4X!_N&A3@%S)H
    A'`6.N[SDC(%V!S(`EYDI214#[0YD`'03`+ZP7+GP!@``
    `
    end
    
    Note that Windows users who use WinZip can extract the above file by
    creating "foo.uu" as a text file, pasting the above and saving/closing.
    Then double-click on the foo.uu file to decompress.  I have also left an
    uncompressed copy available for download at
    http://maxvision.net/nav/exclude.dat
    
    To create the above "patch" I merely edited the
    C:\program files\Navnt\exclude.dat file appropriately, removing the entry.
    I couldn't find a normal method of changing this exclusion in either the
    program interface, the registry or the configuration files.
    
    ANOTHER BUG: Note that this exclude.dat was originally the default shipped
    with NAV 2000, and excludes potential trouble filenames such as excel.exe,
    winword.exe, and powerpnt.exe.  That might not be the best idea, as when I
    rename BackOrifice2000 to any of those filenames, it is completely
    ignored.  *sigh*  (I just uploaded a version without those as well:
    http://maxvision.net/nav/better.dat)
    
    Here's another tip, not related to the above problem, but I highly
    recommend that anyone using Norton AntiVirus turn up the heuristics to the
    highest setting.  I have been using it in this mode for years and have
    never seen a false positive, YMMV.  They call their technique
    "Bloodhound".  It is not set to the highest level by default.
    
    Over eight years ago I was writing virus code (for research, never
    released in the wild) and I found that every single AV package could be
    defeated with trivial tricks such as deleting checksum files, stripping
    "immunization" headers/footers, or even xor!@#   I'm not sure defense has
    come very far since then.  Be careful what you download and run!
    
    Max Vision
    http://whitehats.com/
    http://maxvision.net/
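
The two weaknesses described in the post above (a directory wildcard such as "\Recycled\*.*" and bare executable names such as excel.exe in the exclusion list, which let a renamed BackOrifice copy go unscanned) can be checked mechanically. The following is an added example written for this archive page; it is not Max Vision's code and does not parse NAV's exclude.dat, whose on-disk format is not described here. The exclusion list, file paths and file contents are constructed stand-ins. It shows how name- and location-based exclusions match, flags the risky entries, and contrasts them with an allow-list pinned to a SHA-256 digest, which a renamed binary cannot satisfy.

```python
"""
Audit an anti-virus exclusion list for entries a renamed or relocated binary
could hide behind, and contrast them with a hash-pinned allow-list.

All patterns, paths and file bytes below are constructed for this example;
they model the behaviour described in the post, not the real exclude.dat.
"""
import fnmatch
import hashlib
import ntpath
from typing import Optional

# Constructed exclusion list (hypothetical, modelled on the post).
EXCLUSIONS = [
    r"\Recycled\*.*",                   # directory wildcard: anything dropped here is skipped
    "excel.exe",                        # bare filename: any file so named is skipped, anywhere
    "winword.exe",
    "powerpnt.exe",
    r"C:\Program Files\Navnt\*.dat",    # rooted path pattern
]


def _norm(path: str) -> str:
    """Windows paths are case-insensitive; compare everything lower-cased with backslashes."""
    return path.replace("/", "\\").lower()


def matches_exclusion(path: str, exclusions=EXCLUSIONS) -> Optional[str]:
    """Return the first exclusion that would make a scanner skip `path`, or None.

    Bare-filename entries match on the basename only.  Entries containing a
    backslash match the full path when rooted (drive letter present) and any
    path tail when unrooted, which is how "\\Recycled\\*.*" covers every drive.
    """
    p = _norm(path)
    base = ntpath.basename(p)
    for entry in exclusions:
        e = _norm(entry)
        if "\\" not in e:
            if fnmatch.fnmatchcase(base, e):
                return entry
        else:
            pattern = e if e[1:3] == ":\\" else "*" + e
            if fnmatch.fnmatchcase(p, pattern):
                return entry
    return None


def audit_exclusions(exclusions=EXCLUSIONS):
    """Flag entries that exclude by name alone or by location alone."""
    findings = []
    for entry in exclusions:
        e = _norm(entry)
        if "\\" not in e:
            findings.append((entry, "bare filename: a file renamed to this name is never scanned"))
        elif e.endswith("\\*.*") or e.endswith("\\*"):
            findings.append((entry, "directory wildcard: anything written here is never scanned"))
    return findings


# Hash-pinned alternative: skip a file only when its bytes match a known-good digest.
GENUINE_EXCEL = b"constructed stand-in for the bytes of the real excel.exe"
RENAMED_TOOL = b"constructed stand-in for a remote-access tool renamed to excel.exe"
ALLOWLIST = {"excel.exe": hashlib.sha256(GENUINE_EXCEL).hexdigest()}


def hash_pinned_exclusion(path: str, content: bytes, allowlist=ALLOWLIST) -> bool:
    """True only if both the basename and the SHA-256 of `content` match a pinned entry."""
    base = ntpath.basename(_norm(path))
    return allowlist.get(base) == hashlib.sha256(content).hexdigest()


if __name__ == "__main__":
    for sample in (r"C:\Recycled\bo2k.exe", r"C:\Temp\excel.exe", r"C:\Temp\bo2k.exe"):
        print(f"{sample}: excluded by {matches_exclusion(sample)!r}")
    for entry, why in audit_exclusions():
        print(f"RISKY {entry!r}: {why}")
    print("genuine excel.exe pinned:", hash_pinned_exclusion(r"C:\Temp\excel.exe", GENUINE_EXCEL))
    print("renamed tool pinned:    ", hash_pinned_exclusion(r"C:\Temp\excel.exe", RENAMED_TOOL))
```

Running the script shows the renamed tool skipped under both the "\Recycled\*.*" and "excel.exe" entries, while the hash-pinned check accepts only the genuine bytes; the rooted "*.dat" pattern is the only entry the audit does not flag, since it cannot be satisfied by renaming a file elsewhere.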
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:32:43 PDT