Multiple AV detection bypass Alert

Discussion in 'other anti-virus software' started by StevieO, Oct 6, 2005.

Thread Status:
Not open for further replies.
  1. StevieO

    StevieO Guest

    Just discovered this and once again AVG seems to be in the clear!


    Multiple Antivirus detection bypass by special crafted archive

    Affected Products:
    * Kaspersky Antivirus
    * BitDefender Antivirus
    * NOD32 Antivirus
    * F-Prot Antivirus
    * Avast Antivirus
    * McAfee Antivirus
    * Sophos Antivirus
    * Symantec Antivirus
    * Dr.Web Antivirus
    * Avira Antivirus
    * Norman Virus Control Antivirus
    * Fortinet Antivirus
    * VBA32 Antivirus
    * Rising Antivirus
    * AntiVir Antivirus
    * eTrust-Iris Antivirus
    * ArcaVir Antivirus
    * eTrust-Vet Antivirus
    * UNA Antivirus
    * TheHacker
    [+] Maybe others.....

    Not affected:
    * Grisoft AVG AntiVirus
    * Ikarus AntiVirus
    * ClamAV Antivirus
    * Panda Antivirus
    * CAT Quick Heal

    http://shadock.net/secubox/AVCraftedArchive.html


    StevieO
     
  2. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,273
    Location:
    Ontario, Canada
    That is why I believe in the layered approach to security!! What gets by one, the second will stop!!

    Cheers,
     
  3. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,752
    Location:
    Toronto Canada
    It's the EICAR test and NOD handles it.
     
    Last edited: Oct 6, 2005
  4. ----

    ---- Guest

    I wonder about the Antitrojans Ewido and Trojanhunter. Are they affected?
     
  5. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Reading the analysis below, it looks like it is just another packer, and on opening the infected file(s) your AV will detect the malware enclosed, provided the AV or AT has the necessary signature.

    Most Anti-Trojans will also get the malicious file(s) when they are opened but usually your AV will detect them first.

    Pilli

    Analysis
    __________

    A specially crafted archive containing a virus will pass
    through the antivirus system without detection.

    An attacker can compress a malicious payload and evade
    detection by some anti-virus software.

    The bypassed malicious content does not pose a risk until
    extracted from the RAR archive file. Malicious content
    will be detected and eliminated by your antivirus.

    Unlike WinZip or BitZipper, which do not allow the
    file to be opened, WinRAR opens and extracts it.
     
  6. GuruGuy

    GuruGuy Registered Member

    Joined:
    Jun 18, 2005
    Posts:
    48
    Why do you say NOD handles it when in the screenshots it obviously does not?
     
  7. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,752
    Location:
    Toronto Canada
    Search the NOD forum there are a number of threads about the EICAR test.
     
  8. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    As far as I know, F-Prot and avast! are affected only in on-demand scans and not on-access.
     
  9. ------

    ------ Guest

    You are right, it's a different one from the one I thought it was. Lots of anti-virus evading vulnerabilities in the past weeks.
     
  10. -----

    ----- Guest

    That's why I run 2 antiviruses in real time. :p
     
  11. Schouw

    Schouw AV Expert

    Joined:
    Jan 4, 2004
    Posts:
    29
    Location:
    Netherlands
    This can't be taken seriously.

    That's all I have to say, I won't waste any (more) time on this.
     
  12. ----

    ---- Guest

    What tipped you off? Could it be the subtle clue of the smiley?
     
  13. Schouw

    Schouw AV Expert

    Joined:
    Jan 4, 2004
    Posts:
    29
    Location:
    Netherlands
    I was talking about the test itself; if I weren't, I would have quoted the person to whom I was referring. :)
     
  14. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    They used Jotti and VirusTotal to confirm this? Unbelievable! :rolleyes:



    tD
     
  15. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    They did? Omg :eek:
     
  16. ----

    ---- Guest

    Why not? Lots of Wilders members do. :)
     
  17. Happy Bytes

    Happy Bytes Guest

    ROFL :D

    What's the point of patching an MZ signature into an archive file?
    Without a valid PE header the file will not execute.
    Next, without valid opcodes after the entry point the file will crash/do nothing.
    Next, there's no self-extracting code called which passes the jump to the virus.

    That RAR is able to extract this is a side effect, but it has nothing to do with antivirus detection bypass. So what's the problem?
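
    The trick the two posts above describe (a foreign "MZ" signature in front of an otherwise intact archive, which a first-bytes classifier treats as an executable while the archiver still finds and extracts the members) can be reproduced with a ZIP instead of a RAR, since Python's standard library builds and reads ZIP files offline. The following is an added example, not code from the thread or from the shadock.net advisory; the function names, the "naive" and "hardened" scanner logic and the marker string are assumptions for illustration, and the marker stands in for a real signature such as the EICAR test string, which is deliberately not embedded.

```python
# Added example, not code from the original thread or from the shadock.net
# advisory it discusses. Shows the archive trick with a ZIP instead of a
# RAR. naive_scan / hardened_scan / PAYLOAD_MARKER are illustrative
# assumptions, not any real product's logic.
import io
import zipfile

# Constructed stand-in for bytes a scanner has a signature for.
PAYLOAD_MARKER = b"CONSTRUCTED-TEST-PAYLOAD-MARKER"

# Padding makes the member compress, so the marker does not survive
# verbatim in the deflated stream and a raw byte scan cannot see it.
PAYLOAD = b"A" * 64 + PAYLOAD_MARKER + b"B" * 64


def build_archive(payload: bytes, name: str = "payload.exe") -> bytes:
    """A plain archive holding the payload as one deflated member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def craft_polyglot(archive: bytes, prefix: bytes = b"MZ") -> bytes:
    """Prepend a foreign signature (here the DOS/PE 'MZ' bytes).
    Only the first bytes change; every archive structure is intact,
    just shifted by len(prefix)."""
    return prefix + archive


def sniff_type(data: bytes) -> str:
    """Classification by leading magic, as a scanner might do it."""
    if data[:2] == b"MZ":
        return "pe"
    if data[:4] == b"PK\x03\x04":
        return "zip"
    return "unknown"


def extract_members(data: bytes) -> dict:
    """Tolerant extractor: zipfile, like WinRAR with RAR, locates the
    archive by its end-of-central-directory record rather than by the
    first bytes, so leading junk does not stop extraction."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {info.filename: zf.read(info) for info in zf.infolist()}


def has_signature(data: bytes) -> bool:
    return PAYLOAD_MARKER in data


def naive_scan(data: bytes) -> bool:
    """Unpacks only what the leading magic says is an archive; anything
    else gets a raw byte scan, which cannot see into a deflated member."""
    if sniff_type(data) == "zip":
        return any(has_signature(m) for m in extract_members(data).values())
    return has_signature(data)


def hardened_scan(data: bytes) -> bool:
    """Raw scan first, then attempt archive extraction regardless of what
    the first bytes claim. This is the behaviour that closes the gap."""
    if has_signature(data):
        return True
    try:
        members = extract_members(data)
    except zipfile.BadZipFile:
        return False
    return any(has_signature(m) for m in members.values())


def demo() -> dict:
    """Run both scanners over the plain and the crafted archive."""
    plain = build_archive(PAYLOAD)
    crafted = craft_polyglot(plain)
    return {
        "plain_type": sniff_type(plain),
        "crafted_type": sniff_type(crafted),
        "naive_plain": naive_scan(plain),
        "naive_crafted": naive_scan(crafted),
        "hardened_crafted": hardened_scan(crafted),
        "extracts_anyway": list(extract_members(crafted)) == ["payload.exe"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

    The crafted file is still a valid archive for the extractor, so the content is only "safe" until the user unpacks it, exactly as the earlier analysis says; the on-access scanner then sees the extracted member. The scanner-side fix is the one hardened_scan shows: never let the leading magic decide whether to attempt archive unpacking.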
     
  18. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,514
    Location:
    Annie's Pub
    Are you serious or kidding?:eek:
     
  19. Stephanos G.

    Stephanos G. Registered Member

    Joined:
    Mar 29, 2005
    Posts:
    720
    Location:
    Cyprus
    Which AVs can run together without causing problems? :eek:
     
  20. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,752
    Location:
    Toronto Canada
    Stephanos G. and Smokey, the guy's playing with you.
     
  21. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,514
    Location:
    Annie's Pub
    It is possible, and I assume you are right.:D

    But remember, in real life it happens, trying to use e.g. 2 AVs in real-time and 2 firewalls.:eek: ;)
     
  22. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    Am I right in assuming that the AVs are only bypassed by the compressed "threat", and once this "threat" is uncompressed your AV will "jump on it"? If this is the case, what's the problem? Anything in a zip/rar/etc. file is safe until you uncompress it anyway! Or am I missing something here?
     
  23. kalpik

    kalpik Registered Member

    Joined:
    May 26, 2005
    Posts:
    369
    Location:
    Delhi, India
    Exactly! Can we have some more explanation as to why this is being hyped so much?
     
  24. fosius

    fosius Registered Member

    Joined:
    Oct 14, 2004
    Posts:
    479
    Location:
    Partizanske, Slovakia
    I wouldn't be afraid of this "bypass" at all. You are fully protected if your real-time protection is turned on.
     
  25. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    I'm under the impression people look for problems or "invent them" when they don't really exist because they have too much time on their hands!
     