Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: rloschmann on June 12, 2004, 08:25:11 AM
-
This is a repost because this bug is a vital security issue !!!
initial thread here : http://forum.avast.com/index.php?board=2;action=display;threadid=5090 (http://forum.avast.com/index.php?board=2;action=display;threadid=5090)
Well it is definitly a HUGE security hole in avast on-access scanner !!! :o
If the directory or the file itself has an accentuated caracter (ex: éicar.com instead of eicar.com) the on-access scanner doesn't identify it as a virus.
The conclusion is : avast users will not be protected at all for any virus containing an accentuated caracter or a regular named virus in a path containing an accentuated caracter !!!
I hope virus programmers will not read this post until you alwil guys fix this !! :-X
I'm glad i never had any virus named that way !! ::)
I think i trully deserve a medal for that one ;)
-
I tried renaming my EICAR.com into éicar.com and Avast detects it just fine.
No problems with it anyhow.
-
Well i can detect it with explorer scanner and on-demand scanner but the on-access scanner fails. Did you try the on-access scanner ? ie double click éicar.com.
-
Yup. In fact I only used the on-access scanner.
Double-clicking results a virus warning stating %docpath%\ICAR~1.COM is infected with EICAR Test-NOT virus!!.
%docpath% = The document path for EICAR.
-
Here are some screenshots:
1. The filename I used for Avast. (I have also tried your filename with same results.)
-
2. Attempt on accessing EICAR via the command line.
-
3. When the command was issued on the command line, this popped up.
-
Well maybe the problem is only with french version of windows and / or avast... ???
-
First of all, LeDoc please try to keep it down a little bit. The title "HUGE security hole" is IMHO inadequate for this issue.
avast's on-access scanner will detect viruses in files with any filenames because it is fully in Unicode. Version 4.0 used to be in ANSI and could've suffered from similar problems, but with the addition of support for East-Asian variants of avast in 4.1 it was not possible any more to ignore those strange-looking filenames...
To analyse the problem, check the Last Scanned File entry for the Standard Shield. Does it show the file?
Also executing a MS-DOS program such as eicar.com is not completely representative -- that's because Windows emulates DOS-mode for the program and doesn't really use non-ANSI characters in that case (because MS-DOS mode is of course not Unicode compliant). A better test would be to e.g. put the .COM extension to the list of extensions to be scanned on-open and just opening the file in Notepad, or getting an EXE virus for Win32...
Hope this helps.
Vlk
-
Well after some tests,even best ITW antivirus named NOD32 couldn't handle the EICAR.COM file renamed to filenames with accentuated characters inside filename. It has detected them,but it was unable to do anything with them. But if AV with all VB100% tests do this,than avast! can also. No worries then :P
-
Well after some tests,even best ITW antivirus named NOD32 couldn't handle the EICAR.COM file renamed to filenames with accentuated characters inside filename. It has detected them,but it was unable to do anything with them. But if AV with all VB100% tests do this,than avast! can also. No worries then :P
Where do you find a Eicar with a wierd filename? Or whats the way to rename one?
NOD32 isn't a good program to use to test, it has almost no packer support, sketchy archival support, and misses even the most common bugs with simple renaming tricks. If you want benchmarks for overall detection, use F-Secure or AVK.
Now where can I find these special Eicar files you guys are testing with?
-
Oh ya, if you want to have some EICAR fun, and show how crappy the techniques are some AV's use, read this:
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0307&L=ntbugtraq&F=P&S=&P=1734
Its sad, merely changed "Standard Eicar Test File" to "Standing Eicar Text File" will fool like half the AV's out there. Thats not a vote of confidence, is it? Most likely, the saps just added the text string into their definitions and didn't bother to do anything else.
-
First of all, LeDoc please try to keep it down a little bit. The title "HUGE security hole" is IMHO inadequate for this issue.
avast's on-access scanner will detect viruses in files with any filenames because it is fully in Unicode. Version 4.0 used to be in ANSI and could've suffered from similar problems, but with the addition of support for East-Asian variants of avast in 4.1 it was not possible any more to ignore those strange-looking filenames...
To analyse the problem, check the Last Scanned File entry for the Standard Shield. Does it show the file?
Also executing a MS-DOS program such as eicar.com is not completely representative -- that's because Windows emulates DOS-mode for the program and doesn't really use non-ANSI characters in that case (because MS-DOS mode is of course not Unicode compliant). A better test would be to e.g. put the .COM extension to the list of extensions to be scanned on-open and just opening the file in Notepad, or getting an EXE virus for Win32...
Hope this helps.
Vlk
Before putting the extension COM in the list, Notepad was able to open the file no problem. (Even with a accentuated character in place.) It seems that Avast by default does not scan COM files on open. (There isn't any option to select all files for open.) After putting COM in place, Avast denied access for EICAR which has a accentuated character in place.
I have also tried a Win32 exe and it seems that Avast has no problem scanning accentuated character in filenames...
Weird? :-\
-
Not weird at all -- on contrary, this is in perfect harmony with what I've said...
BTW you can scan ALL files on open of course -- just put asterisk (I mean *) to the box...
-
Never thought of that. Thanks for the trick. ;)
Kobra, it seems that Avast didn't detect STANDING EICAR :P
But I suppose that there is no reason for Avast to add heuristics for test files?
-
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0307&L=ntbugtraq&F=P&S=&P=1734
This article is one of the TOP 10 NONSENSES I've ever seen on the Internet.
But I don't want to spend my time describing what exactly is wrong with it (unless someone asks me to do so).
:)
-
Never thought of that. Thanks for the trick. ;)
Kobra, it seems that Avast didn't detect STANDING EICAR :P
But I suppose that there is no reason for Avast to add heuristics for test files?
Actually there is.. Its an established testing standard by the Institute. Dr.Web AV was tricky, it was just looking for "EICAR" in the file.. Modify it all you want, but if you remove EICAR, then its not detected whatsoever. That pretty lame if you ask me.
I have 20+ variants of Eicar now i'm working worth to see if I can spot any interesting trends with AV's, but as the guy in that article says, generally they either use simple MD5 comparatives and definitions in a "All or Nothing" situation. If thats the case, then i'd have to say its painfully obvious how easy it is to bypass an AV. I'm going to have to install AVK, with its KAV+RAV engines, and double-level heuristical comparative engines, and see how that does. Of course, this isn't totally scientific obviously, but I think it might be useful in determining which AV's are easiest to "Sneak one past".
I'd prefer to work with real virus samples though, which is what I usually work with. But this Eicar stuff seems interesting, at least for my curiosity, but i'm not sure the tests would mean anything in the end anyway. Still, something to do over the weekend.. LOL!
Discuss.
-
Much useful if you do real samples and post the results ;)
-
Of course, this isn't totally scientific obviously, but I think it might be useful in determining which AV's are easiest to "Sneak one past".
Wrong wrong wrong. Geez...
It's just not like that. The eicar file is a STRICTLY defined set of 68*8=544 bits that make a UNIQUE signature that should SOLELY be identified as EICAR. Period. Furthermore, the signature has some additional limitations. For example, it must be located on the very beginning of the file, and must not be followed by anything other than no more than 128 whitespaces. Breaking of ANY of these rules MUST, following the eicar's definition, imply the file not be detected.
For more info, read the oficial eicar spec: http://www.eicar.org/anti_virus_test_file.htm
This means the following: if you have 20+ variants of eicar, most probably only minority of them is real (i.e. is compliant to the specification).
Vlk
-
I see, so basically, any real modification of the file beyond say the character length, would invalidate it?
Anyway, so far, only Norman AV was able to pick up every possible way I changed the file within reasonable limitations.. I even changed it some funny variations:
SACKO-NUTZSACK-ANTINUTZ-TEST-FILE and other variations, and Normal *STILL* picked it up. Then I turned off norman, and used every possible WIERD extension and naming definition I could think of, things like "MADONNA).ABC and other crap, and it still picked those up immediately upon entry to the directory.
Honestly, I don't have Avast installed on this PC so I cannot check how it would handle those yet. But I don't think 'Standing' in place of 'Standard' shouldn't me missed, should it? I don't know much about the inner workings of AV softwares (yet), but it seems to me changing a few letters shouldn't negate the detection? Heuristics?
-
First of all, LeDoc please try to keep it down a little bit. The title "HUGE security hole" is IMHO inadequate for this issue.
Sorry vlk, but i had a big shock finding out that avast didn't detect the eicar.com if it was placed in a path containing accents :
-> c:\test\eicar.com (this one is detected)
-> c:\tést\eicar.com (this one is not detected)
For the two tests i have only renamed the "test" directory, the eicar.com file is never modified. In the attached screen capture you can see that the last tested is the "tést" directory but the last infected is the "test" directory.
avast's on-access scanner will detect viruses in files with any filenames because it is fully in Unicode. Version 4.0 used to be in ANSI and could've suffered from similar problems, but with the addition of support for East-Asian variants of avast in 4.1 it was not possible any more to ignore those strange-looking filenames...
Hope you're right. I'll let you now with the next virus i will receive. A Netsky will come soon in my e-mail. I will copy it to the "tést" directory to see if the on-access scanner could detect it. If you don't read me for a while maybe i am reinstalling windows...
To analyse the problem, check the Last Scanned File entry for the Standard Shield. Does it show the file?
Yes positive ! it is shown in the last scanned file but accentuated caracters in the path are not displayed correctly.
Also executing a MS-DOS program such as eicar.com is not completely representative -- that's because Windows emulates DOS-mode for the program and doesn't really use non-ANSI characters in that case (because MS-DOS mode is of course not Unicode compliant). A better test would be to e.g. put the .COM extension to the list of extensions to be scanned on-open and just opening the file in Notepad, or getting an EXE virus for Win32...
Eicar.com is never detected when i open it with notepad and set extension on open to .COM...
-
Tried this also...
It seems that Avast supports Unicode scanning as Vlk pointed out.
-
Here are some screenshots:
1. The filename I used for Avast. (I have also tried your filename with same results.)
Well i can see in your screen capture that the file name is not the one i use (you have chinese or else caracters). I don't think that your tests mimics my tests.
Is someone using french avast and windows could do the test for me ? Thank you.
-
Maybe it's French Windows?
I have English Windows so I am not sure.
-
Can you post the equivalent screen capture i posted (the last file scanned by the on-access scanner).
Thanx !!
-
Here you go...
-
this is very strange... On your screen you have non capital caracters and accents displayed correctly. On my french version, wich is supposed to support accents, i have capital letters and accents not displayed.
Alwil team, can someone please try to sort these strange things out ? Do i have to install english version to get french caracters ???
Anyway, softwareguy, thanx a lot for your help. I really appreciate :D
-
You are welcome Le Doc.
For the capital chars part, do you have them all caps or is Avast displaying it incorrectly?
-
Hi,
On my Windows XP Home SP1 French (and Avast! 4.1.412 French), both paths (i.e. C:\test\eicar.com and C:\tést\eicar.com) are detected as EICAR virus, on access and on context menu scan. Furthermore, paths are displayed correctly in last files scanned/infected fileds in the standard shield panel.
-
Same here - even on multiple machines. Sorry but I'm not able to simulate your problem. Are you using any of the last few avast versions? (I suppose so...).
-
I found out something really strange !!
I copied the "tést" directory and "eicar.com" file to a NTFS partition and now the on-access scanner detects it. It seems that the problem comes from the FAT32 partitions. I tested all my FAT32 partitions and the eicar was never detected on them (if accents used). It is detected on all NTFS partitions (with or without accents) ???
vlk, i have windows 2000 SP4 fully patched (french), avast 4.1.412 (french), VPS 0424-3.
-
Your FAT32 partitions aren't using 8.3 DOS Filenames, right? :-\
Hmmm....
-
Nop, i can see complete full names.
-
Also executing a MS-DOS program such as eicar.com is not completely representative -- that's because Windows emulates DOS-mode for the program and doesn't really use non-ANSI characters in that case (because MS-DOS mode is of course not Unicode compliant).
This will happen for sure if you install NAV before in your system.
I can assure that in a DOS window under XP eicar.com won't be caught if you installed NAV before in your system. NAV deny access to other drivers to scan the file.
I suffer a lot because of this. Thanks Kubecj and Vlk I'm here.
I'm very 'happy' to see my first post is still alive. I'm becoming old in this forum :-\
-
No it is not a NAV problem. I received my new 160 GB recently and did a clean new install with avast as the only antivirus software. The others i have are spywareblaster, spywareguard, and kerio PF.
-
No it is not a NAV problem. I received my new 160 GB recently and did a clean new install with avast as the only antivirus software. The others i have are spywareblaster, spywareguard, and kerio PF.
Oops... sorry :-\
-
OK it's a minor bug. We've fixed it now.
It's only visible if the following conditions are met:
1. you are executing a MS-DOS based program
2. the program resides on a FAT volume (not NTFS)
3. the path name of the program contains at least one non-English character (more precisely, a character thas is above 128 in the ASCII table).
Thanks for pointing this out, Le Doc. Given the 3 points above I wouldn't call this too serious but yeah, it was a bug.
Vlk
-
Your help is welcomed technical, you don't have to be sorry for a wrong clue. ;)
-
OK it's a minor bug. We've fixed it now.
It's only visible if the following conditions are met:
1. you are executing a MS-DOS based program
2. the program resides on a FAT volume (not NTFS)
3. the path name of the program contains at least one non-English character (more precisely, a character thas is above 128 in the ASCII table).
Thanks for pointing this out, Le Doc. Given the 3 points above I wouldn't call this too serious but yeah, it was a bug.
Vlk
Foooo, i'm so happy i discovered that one !! Not an easy one to discover eh, 3 conditions to meet ;)
So i think i really deserve a medal (at least i deserve my pseudo) ;D
So if i understand well, the security issue is only for DOS viruses getting on FAT partition. Right ? No worries about Windows viruses ?
Last question, when do you plan to release the fix ?
-
Just another stupid question :
Why not give a bug the name of the discoverer ? (like for stars, planets...) :P
This one should be the "Le Doc Bug" in the release history ;D