Antivirus Scanners DoS attack

I have tested Avast! with the Antivirus Scanners DoS attack as reported on bugtraq. I finally got tired of waiting for the manual scan to complete after several minutes, and I cancelled the operation. Is Alwil aware of this? Is there a fix in progress?

Avast! Professional 4.1.418

Don’t understand what you want to say?

I do understand. The archives, you mean.

We’re aware of that and looking at possibilities to be as immune as possible… although it’s not entirely possible…

The following was reported on bugtraq. (securityfocus.com)

I doubt how many Antivirus/Trojan/Spyware scanners will choke to death while having a “manual scan” of this file. Please go ahead and give it a try.

http://www.geocities.com/visitbipin/SERVER_dwn.zip

I was wondering, what would be the results if such file gets stuck in an “AV gateway”

I tested this file, and Avast! can’t find the eicar file in the zip.
In my experience, once an exploit is reported it’s only a matter of time before it is seen in the wild. I was asking if Alwil was aware of the problem and if they are working on a solution.

Actually on my P4/3GHz the eicar is found in about 3 minutes… but anyway it’s not good. We’ll find a solution.

Please note that this ZIP is actually one of many - similar techniques exist and have been shown for all major archive formats and use different tricks. So a general solution is not really simple to find…

Yup. It takes a while for avast! to complete the scan. It took less than 9 sec for Command Antivirus to complete the scan.

tECHNODROME

I tested it again without stopping it. Big mistake.

AMD XP-M 2500+ Avast Professional

After 20+ minutes the scanner crashed because it ran out of disk space. It used all 20G of free space I had. I had to restart and manually delete the temp files.
I ran a boot scan and it scanned the zip quickly but did not find the eicar.

Tried a different machine.
AMD 64-M 3000+ Avast Home

Found the eicar in 11 minutes with no other problems. I did not try the boot scan on this machine. (40G of free disk space)

Strange…

nforce2 AMD XP3200+ , 1GB DDR400, STRIP SATA Raid, Windows XP Pro SP2 RC2

1st scan

Avast Pro needed 128 seconds to find it
Avast Pro used 6MB temp space

GOTCHAAAAAAAAAAAAAAAAAAA

I renamed this file and moved it to another folder

2nd scan

D:\Downloads\a\111111111111111111111111111111111111111111234SERVER_dwn.zip

Used the right mouse menu “Find Viruses in”

Then I repeated the scan

The scanner IMMEDIATELY began using 400MB of RAM and, instead of using 6MB of space, it used 20MB / second, draining over 2GB of temp space and crashing …

3rd scan

I was trying to push close on the window to stop Avast scanning, but the scanner froze and refused to free the TEMP files avast had used in the TEMP folder …

serious flaws :)

So this is something more like decompression bombs? Nice :) ;)

Well this IS a decompression bomb, nothing else…

Actually this flaw is only noticeable if you use Archive real-time scanning (useless) and all files scanning (also quite useless).
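
Added example, not part of the thread and not avast!'s code: a sketch of how an archive scanner can bound the disk and RAM exhaustion reported above by charging every decompressed byte, nested archives included, against one shared budget and a nesting limit. The names `scan_archive`, `build_nested_zip` and `ArchiveLimitExceeded` and the limit values are assumptions, the sample archive is constructed, and only ZIP is handled.

```python
import io
import zipfile

class ArchiveLimitExceeded(Exception):
    """Raised when an archive would blow past the scanner's resource budget."""

def build_nested_zip(payload, copies, layers):
    """Constructed sample input: payload stored `copies` times, re-zipped `layers` times."""
    data = payload
    for _ in range(layers):
        out = io.BytesIO()
        with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
            for i in range(copies):
                zf.writestr(f"{i}.bin", data)
        data = out.getvalue()
    return data

def scan_archive(data, scan_file, max_total=64 << 20, max_depth=4, state=None, depth=1):
    """Stream every member through scan_file(name, content) under one byte budget.

    The budget counts bytes the decompressor actually produced, so a wrong size
    field in the header cannot bypass it. Returns the total bytes decompressed.
    """
    state = state if state is not None else {"used": 0}
    if depth > max_depth:
        raise ArchiveLimitExceeded(f"nesting deeper than {max_depth} levels")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            buf = bytearray()
            with zf.open(info) as member:
                while chunk := member.read(65536):
                    state["used"] += len(chunk)
                    if state["used"] > max_total:
                        raise ArchiveLimitExceeded(
                            f"more than {max_total} bytes decompressed")
                    buf += chunk
            if buf[:4] == b"PK\x03\x04":  # nested ZIP: recurse, same budget
                scan_archive(bytes(buf), scan_file, max_total, max_depth,
                             state, depth + 1)
            else:
                scan_file(info.filename, bytes(buf))
    return state["used"]

if __name__ == "__main__":
    sample = build_nested_zip(b"\0" * (1 << 20), 8, 3)  # expands to 512 MiB
    try:
        scan_archive(sample, lambda name, content: None, max_total=16 << 20)
    except ArchiveLimitExceeded as exc:
        print(f"{len(sample)} byte archive rejected: {exc}")
```

A scanner that hits the limit should report the archive as unscannable rather than clean, since the payload may sit past the point where scanning stopped.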