• Multiple AV Software Detection Vulnerability

    #425749

    The problem is the scanning engine, and since this summer (when the test was done) some programs may have updated their scanning engine, but I do not know if this problem is solved. It does not seem like that. Now there is a proof of concept published.

    Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability through forged magic byte
    “The problem presents itself in the way various anti-virus software determines the type of file it is scanning. An attacker can exploit this vulnerability to pass malicious files past the anti-virus software. This results in a false sense of security, and ultimately could lead to the execution of arbitrary code on the victim user’s machine.”

    References:
    http://archives.neohapsis.com/archives/ful…05-10/0504.html
    http://www.securityfocus.com/bid/15189

    Argus
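
One way to act on the advisory's point that a scanner should not decide a file's type from its leading magic bytes alone, as an added example (not code from the advisory, the vendors, or the posters): it flags files whose magic bytes disagree with the extension, or whose MZ header does not lead to a real PE signature. The signature and extension tables, the function names, and the sample bytes are constructed for illustration.

```python
import struct

# Illustrative tables (assumptions for this example, not a complete list).
MAGIC = {b"MZ": "pe", b"PK\x03\x04": "zip", b"%PDF-": "pdf"}
EXT_TYPE = {".exe": "pe", ".dll": "pe", ".zip": "zip", ".pdf": "pdf",
            ".bat": "script", ".cmd": "script", ".html": "script"}

def claimed_type(data):
    """Type suggested by the leading magic bytes only."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return None

def pe_structure_ok(data):
    """An MZ file is only a PE if e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40:
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def triage(name, data):
    """Reasons to distrust the magic bytes and scan the file as every plausible type."""
    reasons = []
    kind = claimed_type(data)
    ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
    expected = EXT_TYPE.get(ext)
    if kind and expected and kind != expected:
        reasons.append(f"magic says {kind}, extension {ext} says {expected}")
    if kind == "pe" and not pe_structure_ok(data):
        reasons.append("MZ magic without a valid PE header")
    return reasons

# Constructed samples: a minimal well-formed MZ/PE prefix, and harmless text
# with a forged "MZ" prefix.
VALID_PE = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0"
FORGED = b"MZ\r\nrem constructed sample, harmless text\r\n"

if __name__ == "__main__":
    for name, data in [("tool.exe", VALID_PE), ("sample.bat", FORGED)]:
        print(name, triage(name, data) or "consistent")
```

A non-empty result means the file should be handed to every applicable scanning path rather than only the one its first bytes suggest.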

    • #981892

      SecurityFocus reports:

          Solution:
          Trend Micro PC-cillin 2006 is not affected by this issue. Please contact the vendor to obtain fixes.

      That’s strange, 2006 is still in beta. I’m sure they aren’t suggesting that lots of people run out and join a beta program…

      Well, it’s a reminder to be careful with executables (whether EXE or BAT), and not rely on one’s virus scanner to ensure that they are safe.

      And for extra protection, one can upload to VirusTotal (has a Flash animation) for a cross-check against other scanners. Obviously don’t upload anything highly confidential!

      Update!! Two days later, PC-cillin 2006 is announced: North American site.
