Topic: Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability

zaibatsu

  • Guest
iDEFENSE Security Advisory 10.18.04:

This vulnerability affects multiple anti-virus vendors including McAfee, Computer Associates, Kaspersky, Sophos, Eset and RAV.

II. DESCRIPTION

Remote exploitation of an exceptional condition error in multiple vendors’ anti-virus software allows attackers to bypass security protections by evading virus detection.

The problem specifically exists in the parsing of .zip archive headers. The .zip file format stores information about compressed files in two locations - a local header and a global header. The local header exists just before the compressed data of each file, and the global header exists at the end of the .zip archive. It is possible to modify the uncompressed size of archived files in both the local and global header without affecting functionality. This has been confirmed with both WinZip and Microsoft Compressed Folders. An attacker can compress a malicious payload and evade detection by some anti-virus software by modifying the uncompressed size within the local and global headers to zero.


Just wondering if Avast is covered for this threat

Reference:


h**p://www.idefense.com/application/poi/display?id=153&type=vulnerabilities
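
A defensive check for the condition the advisory describes, as an added example that is not part of the original post or the advisory: instead of trusting the uncompressed-size field, it inflates each entry up to a cap and reports any local or central ("global") header whose declared size differs from the real one. The function names, the 64 MiB cap and the restriction to unencrypted, non-ZIP64, stored or deflated entries are assumptions of this example.

```python
import io
import struct
import sys
import zipfile
import zlib

LOCAL_HDR = struct.Struct("<4s5H3L2H")  # fixed 30-byte part of a local file header
MAX_INFLATE = 64 * 1024 * 1024          # assumed cap so a bomb cannot exhaust memory

def real_size(raw: bytes, method: int) -> int:
    """Measure the payload instead of trusting a declared size."""
    if method == zipfile.ZIP_STORED:
        return len(raw)
    if method != zipfile.ZIP_DEFLATED:
        raise ValueError(f"unsupported compression method {method}")
    inflater = zlib.decompressobj(-zlib.MAX_WBITS)  # .zip stores raw deflate streams
    return len(inflater.decompress(raw, MAX_INFLATE))

def size_mismatches(archive: bytes) -> list:
    """Return (name, header, declared, actual) for each size field that is wrong."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():  # info.* comes from the central ("global") header
            fields = LOCAL_HDR.unpack_from(archive, info.header_offset)
            sig, flags, local_declared, name_len, extra_len = (
                fields[0], fields[2], fields[8], fields[9], fields[10])
            if sig != b"PK\x03\x04":
                raise zipfile.BadZipFile(f"no local header for {info.filename}")
            start = info.header_offset + LOCAL_HDR.size + name_len + extra_len
            actual = real_size(archive[start:start + info.compress_size],
                               info.compress_type)
            if info.file_size != actual:
                findings.append((info.filename, "central", info.file_size, actual))
            # Bit 3 means sizes follow in a data descriptor; local field is then 0.
            if not flags & 0x08 and local_declared != actual:
                findings.append((info.filename, "local", local_declared, actual))
    return findings

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            for name, header, declared, actual in size_mismatches(fh.read()):
                print(f"{path}: {name}: {header} header declares {declared} "
                      f"bytes, payload is {actual}")
```

Run it with one or more archive paths as arguments; it prints one line per header whose size field does not match the payload and nothing for a consistent archive.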

RejZoR
Re:Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability
« Reply #1 on: October 21, 2004, 08:44:26 PM »
Well, from a technical view, Home Edition doesn't have this vulnerability, at least not the On-Access scanner, which doesn't extract any archives. Scanning is done on default extraction (via WinZIP or any other utility).
ashQuick and On-Demand (only with the Scan Archives option checked) are probably affected. Pro Edition is vulnerable only if you have archive scanning enabled for On-Access. Everything else is the same as for HE.

Eddy
Re:Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability
« Reply #2 on: October 21, 2004, 08:45:20 PM »
This is already known to us and already handled in another thread. Please use the search function on this board prior to starting a new (duplicate) thread.