Author Topic: Security hole in on-access scanner ?  (Read 15538 times)

0 Members and 1 Guest are viewing this topic.

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11665
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re:HUGE security hole in on-access scanner
« Reply #15 on: June 12, 2004, 08:42:55 PM »
Quote
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0307&L=ntbugtraq&F=P&S=&P=1734

This article is one of the TOP 10 NONSENSES I've ever seen on the Internet.

But I don't want to spend my time describing what exactly is wrong with it (unless someone asks me to do so).

:)
If at first you don't succeed, then skydiving's not for you.

Offline Kobra

  • Full Member
  • ***
  • Posts: 185
  • No Text
Re:HUGE security hole in on-access scanner
« Reply #16 on: June 12, 2004, 08:45:04 PM »
Never thought of that. Thanks for the trick. ;)

Kobra, it seems that Avast didn't detect STANDING EICAR :P
But I suppose that there is no reason for Avast to add heuristics for test files?

Actually there is.. Its an established testing standard by the Institute.  Dr.Web AV was tricky, it was just looking for "EICAR" in the file.. Modify it all you want, but if you remove EICAR, then its not detected whatsoever.  That pretty lame if you ask me.

I have 20+ variants of Eicar now i'm working worth to see if I can spot any interesting trends with AV's, but as the guy in that article says, generally they either use simple MD5 comparatives and definitions in a "All or Nothing" situation.  If thats the case, then i'd have to say its painfully obvious how easy it is to bypass an AV.  I'm going to have to install AVK, with its KAV+RAV engines, and double-level heuristical comparative engines, and see how that does.  Of course, this isn't totally scientific obviously, but I think it might be useful in determining which AV's are easiest to "Sneak one past".

I'd prefer to work with real virus samples though, which is what I usually work with. But this Eicar stuff seems interesting, at least for my curiosity, but i'm not sure the tests would mean anything in the end anyway.  Still, something to do over the weekend.. LOL!

Discuss.
« Last Edit: June 12, 2004, 08:48:25 PM by Kobra »

Offline softwareguy

  • Sr. Member
  • ****
  • Posts: 245
  • WARNING! Worm Found!
Re:HUGE security hole in on-access scanner
« Reply #17 on: June 12, 2004, 08:59:12 PM »
Much useful if you do real samples and post the results ;)

Avast - Your Worms Extinguisher

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11665
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re:HUGE security hole in on-access scanner
« Reply #18 on: June 12, 2004, 09:01:21 PM »
Quote
Of course, this isn't totally scientific obviously, but I think it might be useful in determining which AV's are easiest to "Sneak one past".

Wrong wrong wrong. Geez...

It's just not like that. The eicar file is a STRICTLY defined set of 68*8=544 bits that make a UNIQUE signature that should SOLELY be identified as EICAR. Period. Furthermore, the signature has some additional limitations. For example, it must be located on the very beginning of the file, and must not be followed by anything other than no more than 128 whitespaces. Breaking of ANY of these rules MUST, following the eicar's definition, imply the file not be detected.


For more info, read the oficial eicar spec: http://www.eicar.org/anti_virus_test_file.htm  

This means the following: if you have 20+ variants of eicar, most probably only minority of them is real (i.e. is compliant to the specification).


Vlk
If at first you don't succeed, then skydiving's not for you.

Offline Kobra

  • Full Member
  • ***
  • Posts: 185
  • No Text
Re:HUGE security hole in on-access scanner
« Reply #19 on: June 12, 2004, 09:11:09 PM »
I see, so basically, any real modification of the file beyond say the character length, would invalidate it?

Anyway, so far, only Norman AV was able to pick up every possible way I changed the file within reasonable limitations.. I even changed it some funny variations:

SACKO-NUTZSACK-ANTINUTZ-TEST-FILE and other variations, and Normal *STILL* picked it up.  Then I turned off norman, and used every possible WIERD extension and naming definition I could think of, things like "MADONNA).ABC and other crap, and it still picked those up immediately upon entry to the directory.

Honestly, I don't have Avast installed on this PC so I cannot check how it would handle those yet.  But I don't think 'Standing' in place of 'Standard' shouldn't me missed, should it? I don't know much about the inner workings of AV softwares (yet), but it seems to me changing a few letters shouldn't negate the detection?  Heuristics?
« Last Edit: June 12, 2004, 09:12:45 PM by Kobra »

Offline Le Doc

  • Sr. Member
  • ****
  • Posts: 230
  • Computer obey to orders, not to intentions.
    • La Halle online
Re:HUGE security hole in on-access scanner
« Reply #20 on: June 12, 2004, 11:03:38 PM »
First of all, LeDoc please try to keep it down a little bit. The title "HUGE security hole" is IMHO inadequate for this issue.

Sorry vlk, but i had a big shock finding out that avast didn't detect the eicar.com if it was placed in a path containing accents :
 -> c:\test\eicar.com (this one is detected)
 -> c:\tést\eicar.com (this one is not detected)

For the two tests i have only renamed the "test" directory, the eicar.com file is never modified. In the attached screen capture you can see that the last tested is the "tést" directory but the last infected is the "test" directory.

Quote
avast's on-access scanner will detect viruses in files with any filenames because it is fully in Unicode. Version 4.0 used to be in ANSI and could've suffered from similar problems, but with the addition of support for East-Asian variants of avast in 4.1 it was not possible any more to ignore those strange-looking filenames...

Hope you're right. I'll let you now with the next virus i will receive. A Netsky will come soon in my e-mail. I will copy it to the "tést" directory to see if the on-access scanner could detect it. If you don't read me for a while maybe i am reinstalling windows...

Quote
To analyse the problem, check the Last Scanned File entry for the Standard Shield. Does it show the file?

Yes positive ! it is shown in the last scanned file but accentuated caracters in the path are not displayed correctly.

Quote
Also executing a MS-DOS program such as eicar.com is not completely representative -- that's because Windows emulates DOS-mode for the program and doesn't really use non-ANSI characters in that case (because MS-DOS mode is of course not Unicode compliant). A better test would be to e.g. put the .COM extension to the list of extensions to be scanned on-open and just opening the file in Notepad, or getting an EXE virus for Win32...

Eicar.com is never detected when i open it with notepad and set extension on open to .COM...


Avast HE 4.1.418 (french)
Windows 2000 PRO (french) - SP4 + patches
nforce 2 motherboard (IGP)
AMD 1800+, 512 MB, 160 GB + 40 GB

Offline softwareguy

  • Sr. Member
  • ****
  • Posts: 245
  • WARNING! Worm Found!
Re:HUGE security hole in on-access scanner
« Reply #21 on: June 12, 2004, 11:09:08 PM »
Tried this also...
It seems that Avast supports Unicode scanning as Vlk pointed out.

Avast - Your Worms Extinguisher

Offline Le Doc

  • Sr. Member
  • ****
  • Posts: 230
  • Computer obey to orders, not to intentions.
    • La Halle online
Re:HUGE security hole in on-access scanner
« Reply #22 on: June 12, 2004, 11:29:45 PM »
Here are some screenshots:
1. The filename I used for Avast. (I have also tried your filename with same results.)

Well i can see in your screen capture that the file name is not the one i use (you have chinese or else caracters). I don't think that your tests mimics my tests.

Is someone using french avast and windows could do the test for me ? Thank you.

Avast HE 4.1.418 (french)
Windows 2000 PRO (french) - SP4 + patches
nforce 2 motherboard (IGP)
AMD 1800+, 512 MB, 160 GB + 40 GB

Offline softwareguy

  • Sr. Member
  • ****
  • Posts: 245
  • WARNING! Worm Found!
Re:HUGE security hole in on-access scanner
« Reply #23 on: June 12, 2004, 11:38:29 PM »
Maybe it's French Windows?
I have English Windows so I am not sure.

Avast - Your Worms Extinguisher

Offline Le Doc

  • Sr. Member
  • ****
  • Posts: 230
  • Computer obey to orders, not to intentions.
    • La Halle online
Re:HUGE security hole in on-access scanner
« Reply #24 on: June 13, 2004, 12:17:35 AM »
Can you post the equivalent screen capture i posted (the last file scanned by the on-access scanner).

Thanx !!

Avast HE 4.1.418 (french)
Windows 2000 PRO (french) - SP4 + patches
nforce 2 motherboard (IGP)
AMD 1800+, 512 MB, 160 GB + 40 GB

Offline softwareguy

  • Sr. Member
  • ****
  • Posts: 245
  • WARNING! Worm Found!
Re:HUGE security hole in on-access scanner
« Reply #25 on: June 13, 2004, 12:24:39 AM »
Here you go...

Avast - Your Worms Extinguisher

Offline Le Doc

  • Sr. Member
  • ****
  • Posts: 230
  • Computer obey to orders, not to intentions.
    • La Halle online
Re:Security hole in on-access scanner ?
« Reply #26 on: June 13, 2004, 12:31:49 AM »
this is very strange... On your screen you have non capital caracters and accents displayed correctly. On my french version, wich is supposed to support accents, i have capital letters and accents not displayed.

Alwil team, can someone please try to sort these strange things out ? Do i have to install english version to get french caracters ???

Anyway, softwareguy, thanx a lot for your help. I really appreciate  :D

Avast HE 4.1.418 (french)
Windows 2000 PRO (french) - SP4 + patches
nforce 2 motherboard (IGP)
AMD 1800+, 512 MB, 160 GB + 40 GB

Offline softwareguy

  • Sr. Member
  • ****
  • Posts: 245
  • WARNING! Worm Found!
Re:Security hole in on-access scanner ?
« Reply #27 on: June 13, 2004, 12:34:28 AM »
You are welcome Le Doc.
For the capital chars part, do you have them all caps or is Avast displaying it incorrectly?

Avast - Your Worms Extinguisher

Offline Fu Xuen

  • Newbie
  • *
  • Posts: 17
  • I'm a llama!
Re:Security hole in on-access scanner ?
« Reply #28 on: June 13, 2004, 12:05:18 PM »
Hi,

On my Windows XP Home SP1 French (and Avast! 4.1.412 French), both paths (i.e. C:\test\eicar.com and C:\tést\eicar.com) are detected as EICAR virus, on access and on context menu scan. Furthermore, paths are displayed correctly in last files scanned/infected fileds in the standard shield panel.

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11665
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re:Security hole in on-access scanner ?
« Reply #29 on: June 13, 2004, 12:17:03 PM »
Same here - even on multiple machines. Sorry but I'm not able to simulate your problem. Are you using any of the last few avast versions? (I suppose so...).
If at first you don't succeed, then skydiving's not for you.