<Quote>

To: BugTraq
Subject: Bypass of 22 Antivirus software with GDI+ bug exploit Mutations - part 2
Date: Mar 4 2005 9:03PM
Author: Andrey Bayora <andrey hiddenbit org>
Message-ID: <firstname.lastname@example.org>

The first part is here: http://archives.neohapsis.com/archives/fulldisclosure/2004-10/0475.html

First, this post isn't about how dangerous the GDI+ bug or a malicious JPEG image is, but about how good your antivirus software is.

The issue is: only 1 out of 23 tested antivirus software products can detect the malicious JPEG image (6 months after the public disclosure date).

Here is the link to the results, the JPEG file and my paper (GCIH practical) that describes how to create this one: http://www.hiddenbit.org/jpeg.htm

The one vendor (Symantec) that can detect it obviously does it with heuristic detection (I don't work for them and didn't send them any file; moreover, I know of cases where Symantec didn't detect a virus that other vendors did).

ClamAV antivirus detected this JPEG file 4 months ago, but strangely can't detect it now. What happened?

What about the 22 antivirus software vendors that miss this malicious JPEG?

The pattern or problem in these JPEG files is known, and still many antivirus software vendors miss it; can this represent the quality of heuristic engines?

OK, we know that any antivirus software can provide 100% protection?

P.S. After my first post (October 14, 2004) about this problem, all antivirus software vendors added detection for the demo file provided by me in a couple of hours. Sadly for me, but it seems that they prefer playing cat and mouse and not improving heuristic engines?

Regards,
Andrey Bayora.
CISSP, GCIH

</Unquote>

Tried it for myself with the latest definitions and all bells and whistles set on high/deep/advanced etc. with NOD32 and, like the post states, no evidence of anything out of the ordinary found.