Author Topic: Security hole in on-access scanner ?  (Read 18810 times)

0 Members and 1 Guest are viewing this topic.

rloschmann

  • Guest
Security hole in on-access scanner ?
« on: June 12, 2004, 08:25:11 AM »
This is a repost because this bug is a vital security issue !!!
initial thread here : http://forum.avast.com/index.php?board=2;action=display;threadid=5090

Well it is definitly a HUGE security hole in avast on-access scanner !!!  :o

If the directory or the file itself has an accentuated caracter (ex: éicar.com instead of eicar.com) the on-access scanner doesn't identify it as a virus.

The conclusion is : avast users will not be protected at all for any virus containing an accentuated caracter or a regular named virus in a path containing an accentuated caracter !!!

I hope virus programmers will not read this post until you alwil guys fix this !!  :-X

I'm glad i never had any virus named that way !!  ::)

I think i trully deserve a medal for that one  ;)
« Last Edit: June 13, 2004, 12:25:06 AM by Le Doc »

softwareguy

  • Guest
Re:HUGE security hole in on-access scanner
« Reply #1 on: June 12, 2004, 08:33:19 AM »
I tried renaming my EICAR.com into éicar.com and Avast detects it just fine.
No problems with it anyhow.

rloschmann

  • Guest
Re:HUGE security hole in on-access scanner
« Reply #2 on: June 12, 2004, 08:42:44 AM »
Well i can detect it with explorer scanner and on-demand scanner but the on-access scanner fails. Did you try the on-access scanner ? ie double click éicar.com.

softwareguy

  • Guest
Re:HUGE security hole in on-access scanner
« Reply #3 on: June 12, 2004, 09:21:19 AM »
Yup. In fact I only used the on-access scanner.
Double-clicking results a virus warning stating %docpath%\ICAR~1.COM is infected with EICAR Test-NOT virus!!.

%docpath% = The document path for EICAR.

softwareguy

  • Guest
Re:HUGE security hole in on-access scanner
« Reply #4 on: June 12, 2004, 09:33:25 AM »
Here are some screenshots:
1. The filename I used for Avast. (I have also tried your filename with same results.)

softwareguy

  • Guest
Re:HUGE security hole in on-access scanner
« Reply #5 on: June 12, 2004, 09:34:37 AM »
2. Attempt on accessing EICAR via the command line.

softwareguy

  • Guest
Re:HUGE security hole in on-access scanner
« Reply #6 on: June 12, 2004, 09:35:29 AM »
3. When the command was issued on the command line, this popped up.

rloschmann

  • Guest
Re:HUGE security hole in on-access scanner
« Reply #7 on: June 12, 2004, 10:38:20 AM »
Well maybe the problem is only with french version of windows and / or avast...  ???

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re:HUGE security hole in on-access scanner
« Reply #8 on: June 12, 2004, 10:48:17 AM »
First of all, LeDoc please try to keep it down a little bit. The title "HUGE security hole" is IMHO inadequate for this issue.


avast's on-access scanner will detect viruses in files with any filenames because it is fully in Unicode. Version 4.0 used to be in ANSI and could've suffered from similar problems, but with the addition of support for East-Asian variants of avast in 4.1 it was not possible any more to ignore those strange-looking filenames...

To analyse the problem, check the Last Scanned File entry for the Standard Shield. Does it show the file?

Also executing a MS-DOS program such as eicar.com is not completely representative -- that's because Windows emulates DOS-mode for the program and doesn't really use non-ANSI characters in that case (because MS-DOS mode is of course not Unicode compliant). A better test would be to e.g. put the .COM extension to the list of extensions to be scanned on-open and just opening the file in Notepad, or getting an EXE virus for Win32...


Hope this helps.
Vlk
If at first you don't succeed, then skydiving's not for you.

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9406
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re:HUGE security hole in on-access scanner
« Reply #9 on: June 12, 2004, 07:02:05 PM »
Well after some tests,even best ITW antivirus named NOD32 couldn't handle the EICAR.COM file renamed to filenames with accentuated characters inside filename. It has detected them,but it was unable to do anything with them. But if AV with all VB100% tests do this,than avast! can also. No worries then :P
Visit my webpage Angry Sheep Blog

Kobra

  • Guest
Re:HUGE security hole in on-access scanner
« Reply #10 on: June 12, 2004, 07:59:14 PM »
Well after some tests,even best ITW antivirus named NOD32 couldn't handle the EICAR.COM file renamed to filenames with accentuated characters inside filename. It has detected them,but it was unable to do anything with them. But if AV with all VB100% tests do this,than avast! can also. No worries then :P

Where do you find a Eicar with a wierd filename? Or whats the way to rename one?

NOD32 isn't a good program to use to test, it has almost no packer support, sketchy archival support, and misses even the most common bugs with simple renaming tricks. If you want benchmarks for overall detection, use F-Secure or AVK.  

Now where can I find these special Eicar files you guys are testing with?
« Last Edit: June 12, 2004, 08:01:05 PM by Kobra »

Kobra

  • Guest
Re:HUGE security hole in on-access scanner
« Reply #11 on: June 12, 2004, 08:18:02 PM »
Oh ya, if you want to have some EICAR fun, and show how crappy the techniques are some AV's use, read this:

http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0307&L=ntbugtraq&F=P&S=&P=1734

Its sad, merely changed "Standard Eicar Test File" to "Standing Eicar Text File" will fool like half the AV's out there.  Thats not a vote of confidence, is it?  Most likely, the saps just added the text string into their definitions and didn't bother to do anything else.


softwareguy

  • Guest
Re:HUGE security hole in on-access scanner
« Reply #12 on: June 12, 2004, 08:27:27 PM »
First of all, LeDoc please try to keep it down a little bit. The title "HUGE security hole" is IMHO inadequate for this issue.


avast's on-access scanner will detect viruses in files with any filenames because it is fully in Unicode. Version 4.0 used to be in ANSI and could've suffered from similar problems, but with the addition of support for East-Asian variants of avast in 4.1 it was not possible any more to ignore those strange-looking filenames...

To analyse the problem, check the Last Scanned File entry for the Standard Shield. Does it show the file?

Also executing a MS-DOS program such as eicar.com is not completely representative -- that's because Windows emulates DOS-mode for the program and doesn't really use non-ANSI characters in that case (because MS-DOS mode is of course not Unicode compliant). A better test would be to e.g. put the .COM extension to the list of extensions to be scanned on-open and just opening the file in Notepad, or getting an EXE virus for Win32...


Hope this helps.
Vlk
Before putting the extension COM in the list, Notepad was able to open the file no problem. (Even with a accentuated character in place.) It seems that Avast by default does not scan COM files on open. (There isn't any option to select all files for open.) After putting COM in place, Avast denied access for EICAR which has a accentuated character in place.
I have also tried a Win32 exe and it seems that Avast has no problem scanning accentuated character in filenames...
Weird?   :-\

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re:HUGE security hole in on-access scanner
« Reply #13 on: June 12, 2004, 08:29:59 PM »
Not weird at all -- on contrary, this is in perfect harmony with what I've said...

BTW you can scan ALL files on open of course -- just put asterisk (I mean *) to the box...
If at first you don't succeed, then skydiving's not for you.

softwareguy

  • Guest
Re:HUGE security hole in on-access scanner
« Reply #14 on: June 12, 2004, 08:32:05 PM »
Never thought of that. Thanks for the trick. ;)

Kobra, it seems that Avast didn't detect STANDING EICAR :P
But I suppose that there is no reason for Avast to add heuristics for test files?
« Last Edit: June 12, 2004, 08:34:15 PM by softwareguy »