Title: Virus Scanner Flaw (Better Read This!)
Post by: Phoenix on 2005-11-02, 05:58

Quote
By adding some data to a file, an attacker could trick virus scanners into letting a malicious executable file pass through, security researcher Andrey Bayora wrote in an advisory last week. The problem lies in the scanning engine, which won't detect files that have the extra data. Bayora refers to that extra data as the "Magic Byte."

The problem affects numerous antivirus products, including software from Trend Micro, McAfee, Computer Associates and Kaspersky Lab, said Bayora, who works as a computer security consultant in Israel. His advisory also lists several products that are not affected, including software from Symantec, F-Secure and BitDefender.

http://news.com.com/Evasion+bug+bites+virus+shields/2100-1002_3-5924738.html?tag=nefd.top

Title: Re: Virus Scanner Flaw
Post by: Tabun on 2005-11-02, 08:51

Allow me to take a moment to gently sneer at the people always laughing at me for using Symantec corporate Antivirus.. :]
Even so, it is not surprising, and I thought viruses were trying (with moderate success) to do this for years now?

Title: Re: Virus Scanner Flaw
Post by: Phoenix on 2005-11-02, 09:15

Yeah, I don't get the hate for Symantec either. It works, it's caught infections on machines that the other stuff (*cough* McAfee *cough*) has outright missed. This isn't just an opinion either - I cleaned the infections off the machines myself. Thankfully I've never had an active virus infection on any of my own computers the 12 years I've owned PCs so far. I must be doing something right I think.
Aye, some viruses try to disguise themselves and modify themselves as they infect (see polymorphic) so the more advanced virus checkers use heuristics to try to catch virus-like activity which sometimes results in a false positive, but stops programs from infecting you even if the infecting agent doesn't have a signature in some database somewhere just yet. I think what's happened is some companies selling antivirus products rely more on consumer ignorance, the "Just leave it to us, WE know what's best for you" attitude. CA's approach of saying "oh no, you modified it so now it's a variant" stinks of this kind of BS, which is what I've come to expect of CA. I'm very surprised McAfee didn't respond at all, but I'm not surprised their product was vulnerable. If anything, McAfee has caused more problems than done any good on systems I've seen it installed on. Said problems range from missed infections to system instabilities to outright hard crashes.

Title: Re: Virus Scanner Flaw
Post by: Tabun on 2005-11-02, 15:31

What makes all this harder for the average consumer is that a lot of AV software packages seem to merge under the same distributor label, or that developers of absolutely worthless scanners like "Norman Antivirus" prey on those believing to have bought "Norton"'s software etc.
Btw, I was also looking forward to hearing what McAfee (and others) would say in response.. they'll have to say something about it, sooner or later.. :]

Title: Re: Virus Scanner Flaw
Post by: Lopson on 2005-11-02, 23:12

Man I love my Symantec Corporate Edition 10.0! It's small, light, efficient & no year updates. I was kinda expecting that Norton was one in that list. I've seen McAfee's products like the Anti-Spam filter. That thing only works properly if you have McAfee anti-virus itself. Amazing. I was surprised about Kaspersky though, I heard so many good things about it.
EDIT: My All-Time fav anti-virus was Microsoft's Anti-Virus Scanner for Windows 3.1.