[13667] in bugtraq


Re: Bypass Virus Checking

daemon@ATHENA.MIT.EDU (Martin Bene)
Wed Feb 2 16:31:35 2000

Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Message-Id:  <3.0.3.32.20000202094501.03c56948@mail.sime.com>
Date:         Wed, 2 Feb 2000 09:45:01 +0100
Reply-To: Martin Bene <mb@SIME.COM>
From: Martin Bene <mb@SIME.COM>
X-To:         Max Vision <vision@WHITEHATS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Enip.BSO.23.0001311733190.24774-100000@www.whitehats.com>

-----BEGIN PGP SIGNED MESSAGE-----

At 18:09 31.01.00 -0800, Max Vision wrote:
>ANOTHER BUG: Note that this exclude.dat was originally the default shipped
>with NAV 2000, and excludes potential trouble filenames such as excel.exe,
>winword.exe, and powerpnt.exe.  That might not be the best idea, as when I
>rename BackOrifice2000 to any of those filenames, it is completely
>ignored.  *sigh*  (I just uploaded a version without those as well:
>http://maxvision.net/nav/better.dat)

Strange that Symantec managed to make their product so much worse
during upgrades; I'm running Engine 5.00.01b, Virus files 14.01.2000;
results are significantly better:

1) There is no exclusion for \RECYCLED directory, neither hidden nor
in the GUI. Exploit does not work, virus is detected.

2) The Excludes for EXCEL.EXE, WINWORD.EXE, POWERPNT.EXE and
MSACCESS.EXE only turn off the check for writes to program files.
Renaming the EICON.COM file from the exploit to excel.exe does not
prevent NAV from finding it.

3) All Exclusions are visible using the GUI Interface.

Martin Bene


-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.0.2i

iQCVAwUBOJfgfR+NBGYktXFhAQHBIAQAiUJ74XIgYpO+EpJbZwNV4EZsx4MZIMmi
2UMB9IIgp+nrkq1zzQUkCY6bs4LNRdb6Qz8/O4zb/ZJzdKsv1Uk53TG481xfTA0F
Z9jc/kgBhNEa6iTFoGsh3nstYazHddAC/Abl3Ch0/b6J99wghBhOC5EkgkJ1/epU
KWjHlHCDUUU=
=nGN2
-----END PGP SIGNATURE-----

"you have moved your mouse, please reboot to make this change take effect"
--------------------------------------------------
 Martin Bene               vox: +43-316-813824
 simon media               fax: +43-316-813824-6
 Andreas-Hofer-Platz 9     e-mail: mb@sime.com
 8010 Graz, Austria
--------------------------------------------------
finger mb@mail.sime.com for PGP public key
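The two behaviours compared in this thread (an exclusion that silences the scanner for any file carrying an excluded name, versus one that only skips the check on writes to the named program file) come down to where the exclusion is evaluated relative to the content check. The following toy scanner is an added illustration written for this archive page, not Symantec code and not the exploit from the thread: the policies are modelled on the descriptions above (a default exclude.dat with filename and \RECYCLED exclusions, and an engine where the same names only cover writes), the EICAR test string stands in for a real signature, and the file contents and paths are constructed inline.

```python
"""Toy model of filename-based antivirus exclusions.

Added example, not NAV's code: the scanner, the two policies and the
sample files are constructed here to mirror the behaviour described in
the thread, nothing more.
"""
import fnmatch
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# The EICAR test string is used as the only "signature"; a real engine
# would have many, but the exclusion logic does not care.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
SIGNATURES: Dict[str, bytes] = {"EICAR-Test-File": EICAR}


@dataclass
class Exclusion:
    pattern: str        # matched case-insensitively against the path or its basename
    writes_only: bool   # True: only suppress the scan when the file is being written


@dataclass
class Policy:
    name: str
    exclusions: List[Exclusion] = field(default_factory=list)


# Modelled on the default exclude.dat described by Max Vision: the program
# names are excluded outright, and \RECYCLED is excluded as a directory.
NAV2000_DEFAULT = Policy(
    "NAV 2000 default exclude.dat (as described in the thread)",
    [Exclusion(n, writes_only=False)
     for n in ("excel.exe", "winword.exe", "powerpnt.exe", "msaccess.exe")]
    + [Exclusion(r"*\recycled\*", writes_only=False)],
)

# Modelled on Martin Bene's engine 5.00.01b: same names, but the exclusion
# only covers writes to those program files, and there is no \RECYCLED entry.
ENGINE_5 = Policy(
    "Engine 5.00.01b (as described in the thread)",
    [Exclusion(n, writes_only=True)
     for n in ("excel.exe", "winword.exe", "powerpnt.exe", "msaccess.exe")],
)


def excluded(policy: Policy, path: str, operation: str) -> bool:
    """True if the policy tells the scanner not to look at this access."""
    path_l = path.lower().replace("/", "\\")
    base_l = path_l.rsplit("\\", 1)[-1]
    for ex in policy.exclusions:
        pat = ex.pattern.lower()
        if fnmatch.fnmatchcase(path_l, pat) or fnmatch.fnmatchcase(base_l, pat):
            if ex.writes_only and operation != "write":
                continue  # exclusion does not apply to reads/executes
            return True
    return False


def scan(policy: Policy, path: str, content: bytes,
         operation: str = "read") -> Optional[str]:
    """Return the matching signature name, or None if the file is clean
    or the scan was suppressed.  Exclusions are consulted before the
    content is ever examined, which is why a rename is enough to bypass
    a name-keyed exclusion."""
    if excluded(policy, path, operation):
        return None
    for name, sig in SIGNATURES.items():
        if sig in content:
            return name
    return None


def demo() -> Dict[str, Dict[str, Optional[str]]]:
    """Scan the same constructed payload under a few names and both policies."""
    payload = EICAR  # constructed stand-in for a renamed BackOrifice binary
    paths = [r"C:\temp\bo2k.exe", r"C:\temp\excel.exe", r"C:\RECYCLED\bo2k.exe"]
    return {p.name: {path: scan(p, path, payload) for path in paths}
            for p in (NAV2000_DEFAULT, ENGINE_5)}


if __name__ == "__main__":
    for policy_name, results in demo().items():
        print(policy_name)
        for path, verdict in results.items():
            print(f"  {path:28} -> {verdict or 'not scanned / clean'}")
```

The practical check this suggests for any product with an exclusion list: rename a copy of the EICAR test file to each excluded name and to a path under each excluded directory, then confirm it is still detected on read and on execute, not only on write.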
