Hi everyone,

I have received many reports from people telling me if they were vulnerable or not. Here's what I have so far:

Vulnerable:
  Virus Scan 4050 Defs: 4062
  NAV 5.01.01c Defs: 012400
  NAV Version lost
  NAV Version lost
  NAV2k 2000.00.02 Defs: 12400

Not Vulnerable:
  NAV 5.00.01c 012400 (Win 98)
  NAV 5.0 011500 (NT4)
  NAV 4.x (NT4)
  NAV 5.02.04 Defs: 012400 (Win95)
  VET 10.1.7.1
  F-Secure AVW 4.05
  F-PROT: 3.04.825 Defs: 12/19/99
  AVP Undisclosed version

What I'm inferring from this is that Virus Scan is vulnerable all the time, NAV once in a while, and no one else is really affected.

Why NAV is only affected sometimes may have been answered by an Edward Salm from IBM's Emergency Virus Response Service. He said, "The reason I mentioned the other eicar.com is I noticed NAV on my test machine wouldn't detect your version of eicar.com unless bloodhound was activated! When I turned bloodhound heuristics off (even though autoprotect was still running), I could put your eicar.com anywhere on the drive!"

Doesn't that give you a good pointer? Bloodhound seems pretty important. It's also possible that bloodhound ignores the default exclusions. I have a contact at SARC whom I'll ask about this and let you all know the response.

Oh, and in case you're wondering, there was only a difference of one byte between our copies of EICAR.COM. Mine terminated in an <LF>, Ed's in a <CR><LF>.

Here's an idea. The statement by McAfee that they can't go looking for XORed files because it's not feasible got me thinking. It seems to me that it's not feasible because it would take too long. People would be annoyed at 2 second waits for their files to open and whatnot. Now, I'm no AV expert and some may even work like this, but here's what I came up with. An AV checker could do a real hard look at a file, doing whatever it needed to be really thorough with the file (I understand that breaking XOR programmatically is pretty straightforward). It would then store an MD5 hash for that file in an index. Whenever it needed to scan a file, it would just compare hashes (which is quick), and only re-scan the files if they had been changed. Special handling would probably be needed for data files as they get changed all the time, but overall it seems reasonable to me. I'd also think that AV scanners could do more advanced scans in the background with CPU idle cycles. There are a LOT of spare cycles on the average desktop.

Thanks for the great responses everyone,

Neil Bortnak
InfoSec & Linux Consulting
www.bortnak.com

P.S. Avoid sending attachments to the list. You get tons of bounce mail and your message won't show up properly (at all) in the archive.
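As an added illustration of the scheme proposed above (example code, not from the original post or from any of the products named in it): a thorough pass that checks for a signature under every single-byte XOR key, fronted by an MD5-keyed index so that unchanged content is never rescanned. The signature string and the sample "files" are constructed placeholders, and MD5 is used only because the post proposes it for change detection.

```python
import hashlib
from typing import Dict, Optional

# Constructed placeholder standing in for a real detection signature.
SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE"

def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with a single-byte key."""
    return bytes(b ^ key for b in data)

def deep_scan(data: bytes) -> Optional[str]:
    """The slow, thorough pass the post proposes. Rather than decoding the
    whole file 256 times, encode the short signature under each key and
    search for that; key 0 is the plaintext case. None means nothing found."""
    for key in range(256):
        if xor_bytes(SIGNATURE, key) in data:
            return "plain" if key == 0 else f"xor-{key:#04x}"
    return None

class ScanCache:
    """Index of MD5(content) -> verdict, so unchanged files are not rescanned.
    MD5 is used because the post proposes it for change detection; any edit,
    even a single byte, yields a new digest and forces a fresh deep scan."""

    def __init__(self) -> None:
        self.index: Dict[str, Optional[str]] = {}
        self.deep_scans = 0  # how many times the expensive pass actually ran

    def scan(self, data: bytes) -> Optional[str]:
        digest = hashlib.md5(data).hexdigest()
        if digest not in self.index:  # new or modified content: full scan
            self.deep_scans += 1
            self.index[digest] = deep_scan(data)
        return self.index[digest]  # otherwise just a hash comparison

def demo() -> Dict[str, object]:
    """Run the cache over constructed sample files and report what happened."""
    cache = ScanCache()
    encoded = b"header " + xor_bytes(SIGNATURE, 0x5A) + b" trailer"
    results: Dict[str, object] = {
        "clean": cache.scan(b"hello world " * 4),
        "plain": cache.scan(b"x" + SIGNATURE),
        "encoded": cache.scan(encoded),
        "encoded_again": cache.scan(encoded),    # served from the index
        "modified": cache.scan(encoded + b"\n"),  # one extra byte: rescanned
    }
    results["deep_scans"] = cache.deep_scans  # 4: the repeat was a cache hit
    return results
```

The "modified" case mirrors the one-byte LF/CRLF difference mentioned in the post: the content hash changes, so the file goes through the full pass again.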
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:33:13 PDT