[22115] in bugtraq
Re: SECURITY.NNOV: special devices access in multiple archivers
daemon@ATHENA.MIT.EDU (Andreas Marx)
Fri Aug 3 18:17:08 2001
Message-Id: <5.1.0.14.2.20010803132037.00ae5c40@gega-it.de>
Date: Fri, 03 Aug 2001 13:43:06 +0200
To: "yahoo" <sai_ealcatraz@yahoo.com>, "3APA3A" <3APA3A@SECURITY.NNOV.RU>
From: Andreas Marx <amarx@gega-it.de>
Cc: <bugtraq@securityfocus.com>
In-Reply-To: <006b01c11bfe$504c37e0$1202a8c0@sai>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Hi!
>It's nice to hear that from you. I just want to know what the methods
>and tools used by your team for testing the anti-virus are.
>If you can send them to me, I'd be very thankful to you.
We, the Anti-Virus Test Team at the University of Magdeburg (
http://www.av-test.org ), did it the following way (I don't want to be too
exact, because of the script kiddies, sorry):
First we created normal archives using standard archivers (and normal
file names like "xul.exe"), but after the archive was created, we
edited the files internally using a hex editor (change "x" to "n" - but be
careful, in ZIP files the file name is included twice). You cannot add
names like "nul.exe" to an archive, of course, but you can change the name
inside of the archive easily, as long as the length of the name stays the
same. You can do this both for "nul.exe" and for additional "../"s in
paths like "../../test.exe". (Btw, we used the Volkov Commander (DOS),
not a "real" hex editor. :) )
The second step was to test the anti-virus and anti-trojan programs. This was
relatively simple, because a few days ago we had just finished a bigger
comparison test for trojaner-info.de, a big German security site (
http://www.trojaner-info.de/test_07_2001.shtml ), with a special focus on
trojan horses, backdoors etc. Additional tests were done using a slightly
older test set from a review we did for the German PC-WELT magazine (
http://www.pcwelt.de/ratgeber/anwendungen/viren-report/16583/3.html ). We
can easily restore the originally tested programs including updates, since
we're using Ghost images for all types of tests. (This includes both the
original test platforms, like "plain Win98", and a Ghost image where the av
program was already installed.)
The main test was relatively simple: just scan the archives (for each of
the tests we created at least four test files) and see what happens.
;-) After this, we repeated the test to ensure that all results were
correct.
I hope this helps to understand the test procedures better.
cheers,
Andreas Marx
NEW: Notes 4/5 + Exchange 5.5/2000 Test -> http://www.av-test.org
--
Andreas Marx <amarx@gega-it.de>, http://www.av-test.de
GEGA IT-Solutions GbR, Klewitzstr. 7, 39112 Magdeburg, Germany
Tel: 0391/6075466, Mobil: 0177/6133033, Fax: 0391/6075469
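The post describes two things a defender wants to check for in a ZIP before extracting or scanning it: entry names that are reserved DOS/Windows device names (such as "nul.exe", which Windows treats as the NUL device regardless of extension) or that carry "../" traversal components, and the fact that a ZIP stores each name twice (once in the local file header, once in the central directory), so a hex-edited archive may carry two different names for the same entry. The following is an added example written for this page, not code from the post, the test team, or any archiver. It uses only the Python standard library; `find_unsafe_entries` reads the central-directory name via `zipfile` and the local-header name directly from the bytes, flags both, and reports when they disagree. `make_test_zip` is a hypothetical helper that builds constructed fixtures in the way the post describes (write a harmless name, then patch it in place at the same length); the names and payloads are made up for the test.

```python
import io
import re
import struct
import zipfile

# Reserved DOS/Windows device names. A path component whose base name (the part
# before the first ".") matches one of these refers to a device, not a file.
RESERVED_DEVICES = (
    {"CON", "PRN", "AUX", "NUL", "CLOCK$"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)

LOCAL_HEADER_SIG = b"PK\x03\x04"   # local file header signature
LOCAL_HEADER_LEN = 30              # fixed part of the local file header


def _component_is_device(component):
    base = component.split(".")[0].rstrip(" ").upper()
    return base in RESERVED_DEVICES


def classify_name(name):
    """Return the list of reasons an entry name is unsafe to write to disk."""
    reasons = []
    parts = re.split(r"[\\/]", name)
    if any(p == ".." for p in parts):
        reasons.append("path traversal")
    if name.startswith(("/", "\\")) or re.match(r"^[A-Za-z]:", name):
        reasons.append("absolute path")
    if any(_component_is_device(p) for p in parts if p):
        reasons.append("reserved device name")
    return reasons


def _local_header_name(zip_bytes, header_offset):
    """Read the file name stored in the local file header at header_offset."""
    if zip_bytes[header_offset:header_offset + 4] != LOCAL_HEADER_SIG:
        return None
    # name length lives at offset 26 of the local header
    (name_len,) = struct.unpack_from("<H", zip_bytes, header_offset + 26)
    start = header_offset + LOCAL_HEADER_LEN
    return zip_bytes[start:start + name_len].decode("cp437", "replace")


def find_unsafe_entries(zip_bytes):
    """Check both copies of every entry name; return [(central_name, reasons)]."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            central_name = info.filename
            local_name = _local_header_name(zip_bytes, info.header_offset)
            if local_name is None:
                findings.append((central_name, ["corrupt local header"]))
                continue
            reasons = sorted(set(classify_name(central_name)) | set(classify_name(local_name)))
            if local_name != central_name:
                # a scanner that trusts one copy and an extractor that trusts the
                # other will disagree about what this entry is
                reasons.append("local/central name mismatch")
            if reasons:
                findings.append((central_name, reasons))
    return findings


def make_test_zip(entries, patches=()):
    """Hypothetical helper: build a normal archive, then byte-patch names in place.

    Each patch is (old, new) of equal length; count=1 patches only the first
    copy (the local header), which produces a local/central mismatch.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, payload in entries:
            zf.writestr(name, payload)
    data = buf.getvalue()
    for old, new in patches:
        assert len(old) == len(new), "patched name must keep its length"
        data = data.replace(old, new, 1)
    return data


if __name__ == "__main__":
    # constructed fixture: one clean entry, two bad names, one mismatched entry
    sample = make_test_zip(
        [("report.txt", b"ok"), ("nul.exe", b"x"), ("../../test.exe", b"y"), ("xul.exe", b"z")],
        patches=[(b"xul.exe", b"nul.exe")],
    )
    for name, reasons in find_unsafe_entries(sample):
        print(f"{name!r}: {', '.join(reasons)}")
```

The mismatch check matters as much as the name check: `zipfile.ZipFile.open` in Python refuses an entry whose two names differ, but a scanner that reads only the central directory would see "xul.exe" while an extractor that trusts the local header would write to "nul.exe".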