Security hole in on-access scanner?

This is a repost because this bug is a vital security issue!!!
initial thread here : http://forum.avast.com/index.php?board=2;action=display;threadid=5090

Well, it is definitely a HUGE security hole in the avast on-access scanner!!! :o

If the directory or the file itself has an accented character (e.g. éicar.com instead of eicar.com), the on-access scanner doesn’t identify it as a virus.

The conclusion is: avast users will not be protected at all against any virus with an accented character in its name, or a regularly named virus in a path containing an accented character!!!

I hope virus programmers will not read this post until you Alwil guys fix this!! :-X

I’m glad I never had any virus named that way!! :slight_smile:

I think I truly deserve a medal for that one :wink:

I tried renaming my EICAR.com into éicar.com and Avast detects it just fine.
No problems with it anyhow.

Well, I can detect it with the explorer scanner and the on-demand scanner, but the on-access scanner fails. Did you try the on-access scanner? I.e. double-click éicar.com.

Yup. In fact I only used the on-access scanner.
Double-clicking results in a virus warning stating %docpath%\ICAR~1.COM is infected with EICAR Test-NOT virus!!.

%docpath% = The document path for EICAR.

Here are some screenshots:

  1. The filename I used for Avast. (I have also tried your filename with the same results.)
  2. Attempt at accessing EICAR via the command line.
  3. When the command was issued on the command line, this popped up.

Well, maybe the problem is only with the French version of Windows and/or avast… ???

First of all, LeDoc please try to keep it down a little bit. The title “HUGE security hole” is IMHO inadequate for this issue.

avast’s on-access scanner will detect viruses in files with any filenames because it is fully in Unicode. Version 4.0 used to be in ANSI and could’ve suffered from similar problems, but with the addition of support for East-Asian variants of avast in 4.1 it was not possible any more to ignore those strange-looking filenames…

To analyse the problem, check the Last Scanned File entry for the Standard Shield. Does it show the file?

Also executing a MS-DOS program such as eicar.com is not completely representative – that’s because Windows emulates DOS-mode for the program and doesn’t really use non-ANSI characters in that case (because MS-DOS mode is of course not Unicode compliant). A better test would be to e.g. put the .COM extension to the list of extensions to be scanned on-open and just opening the file in Notepad, or getting an EXE virus for Win32…

Hope this helps.
Vlk

Well, after some tests, even the best ITW antivirus, NOD32, couldn’t handle the EICAR.COM file renamed to filenames with accented characters in them. It detected them, but it was unable to do anything with them. But if an AV that passes all the VB100% tests does this, then avast! can also. No worries then :stuck_out_tongue:

Where do you find an Eicar with a weird filename? Or what’s the way to rename one?

NOD32 isn’t a good program to use for testing; it has almost no packer support, sketchy archive support, and misses even the most common bugs with simple renaming tricks. If you want benchmarks for overall detection, use F-Secure or AVK.

Now where can I find these special Eicar files you guys are testing with?

Oh yeah, if you want to have some EICAR fun and show how crappy the techniques some AVs use are, read this:

http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0307&L=ntbugtraq&F=P&S=&P=1734

It’s sad: merely changing “Standard Eicar Test File” to “Standing Eicar Text File” will fool about half the AVs out there. That’s not a vote of confidence, is it? Most likely, the saps just added the text string to their definitions and didn’t bother to do anything else.

Before putting the extension COM in the list, Notepad was able to open the file with no problem (even with an accented character in place). It seems that Avast by default does not scan COM files on open. (There isn’t any option to select all files for open.) After putting COM in place, Avast denied access to the EICAR file with an accented character in its name.
I have also tried a Win32 exe and it seems that Avast has no problem scanning accented characters in filenames…
Weird? :-\

Not weird at all – on the contrary, this is in perfect harmony with what I’ve said…

BTW you can scan ALL files on open of course – just put asterisk (I mean *) to the box…

Never thought of that. Thanks for the trick. :wink:

Kobra, it seems that Avast didn’t detect STANDING EICAR :stuck_out_tongue:
But I suppose that there is no reason for Avast to add heuristics for test files?

http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0307&L=ntbugtraq&F=P&S=&P=1734

This article is one of the TOP 10 NONSENSES I’ve ever seen on the Internet.

But I don’t want to spend my time describing what exactly is wrong with it (unless someone asks me to do so).

:slight_smile:

Actually there is… It’s an established testing standard by the Institute. Dr.Web AV was tricky: it was just looking for “EICAR” in the file… Modify it all you want, but if you remove EICAR, then it’s not detected whatsoever. That’s pretty lame if you ask me.

I have 20+ variants of Eicar now that I’m working with to see if I can spot any interesting trends with AVs, but as the guy in that article says, generally they either use simple MD5 comparisons or definitions in an “all or nothing” situation. If that’s the case, then I’d have to say it’s painfully obvious how easy it is to bypass an AV. I’m going to have to install AVK, with its KAV+RAV engines and double-level heuristic comparison engines, and see how that does. Of course, this isn’t totally scientific obviously, but I think it might be useful in determining which AVs are easiest to “sneak one past”.

I’d prefer to work with real virus samples though, which is what I usually work with. But this Eicar stuff seems interesting, at least for my curiosity, though I’m not sure the tests would mean anything in the end anyway. Still, something to do over the weekend… LOL!

Discuss.

Much more useful if you do real samples and post the results :wink:

Of course, this isn't totally scientific obviously, but I think it might be useful in determining which AV's are easiest to "Sneak one past".

Wrong wrong wrong. Geez…

It’s just not like that. The eicar file is a STRICTLY defined set of 68*8=544 bits that make a UNIQUE signature that should SOLELY be identified as EICAR. Period. Furthermore, the signature has some additional limitations. For example, it must be located at the very beginning of the file, and must not be followed by anything other than at most 128 whitespace characters. Breaking ANY of these rules MUST, following eicar’s definition, imply that the file is not detected.

For more info, read the official eicar spec: http://www.eicar.org/anti_virus_test_file.htm

This means the following: if you have 20+ variants of eicar, most probably only a minority of them are real (i.e. compliant with the specification).

Vlk
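As an added example (my own code, not avast’s, and not from anyone in this thread), here is a small on-access decision that ties together the two technical points above: the scan-on-open extension list discussed earlier (where .com was not scanned until it was added, and “*” means scan every file) and Vlk’s insistence that only a file compliant with the official EICAR spec counts as EICAR. The content check follows the linked spec as I know it: the 68-byte string at offset 0, optionally followed by whitespace (space, tab, CR, LF, Ctrl-Z), total length at most 128 bytes. The default extension list below is an assumption made for the example; the page only says .com was not in avast’s default list. A last helper shows the ANSI-versus-Unicode filename problem Vlk mentions: the same bytes name a different file under a different code page, which cannot happen when the name is kept as Unicode.

```python
"""Mock on-access decision for the thread above (added example, not avast's code).

Three points are demonstrated:
1. An extension-based scan-on-open policy; "*" means "scan every file".
2. A content check that follows the official EICAR spec strictly.
3. Why an ANSI (byte) filename misbehaves across code pages while a
   Unicode (str) filename does not.
"""

# The 68-byte EICAR test string, assembled from fragments so that this source
# file is not itself a spec-compliant EICAR file and is not flagged on disk.
EICAR_STRING = (
    b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
    + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"
    + b"!$H+H*"
)
assert len(EICAR_STRING) == 68

EICAR_MAX_LEN = 128                  # total file length allowed by the spec
EICAR_ALLOWED_TAIL = b" \t\r\n\x1a"  # space, tab, LF, CR, Ctrl-Z per the spec

# Assumed default scan-on-open extension list (constructed for this example;
# the thread only says .com was not in avast's default list).
DEFAULT_OPEN_EXTENSIONS = frozenset({"exe", "dll", "scr"})


def is_eicar(data: bytes) -> bool:
    """True only for a spec-compliant EICAR file.

    "Standing Eicar Text File", a copy with bytes prepended, or a copy with
    non-whitespace appended are all non-compliant and return False.
    """
    if len(data) > EICAR_MAX_LEN or not data.startswith(EICAR_STRING):
        return False
    tail = data[len(EICAR_STRING):]
    return all(byte in EICAR_ALLOWED_TAIL for byte in tail)


def extension_of(filename: str) -> str:
    """Lower-cased extension without the dot; '' when there is none."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def scan_on_open(filename: str, data: bytes, open_extensions) -> str:
    """Return 'skipped', 'blocked' or 'allowed' for an open() of filename.

    The name stays a Unicode str throughout, so an accented character in it
    has no effect; only the extension policy and the content decide.
    """
    policy = {ext.lower() for ext in open_extensions}
    if "*" not in policy and extension_of(filename) not in policy:
        return "skipped"  # never scanned, like éicar.com before .com was added
    return "blocked" if is_eicar(data) else "allowed"


def ansi_name_mismatch(filename: str, written_cp: str, read_cp: str) -> bool:
    """True when a name encoded under one code page decodes to a different
    name under another: the failure mode of an ANSI, not Unicode, scanner."""
    try:
        return filename.encode(written_cp).decode(read_cp) != filename
    except UnicodeError:
        return True  # the name cannot even be represented: also a mismatch


if __name__ == "__main__":
    standing = EICAR_STRING.replace(
        b"STANDARD-ANTIVIRUS-TEST", b"STANDING-ANTIVIRUS-TEXT")
    cases = [
        ("éicar.com", EICAR_STRING, DEFAULT_OPEN_EXTENSIONS),
        ("éicar.com", EICAR_STRING, DEFAULT_OPEN_EXTENSIONS | {"com"}),
        ("éicar.com", EICAR_STRING, {"*"}),
        ("éicar.exe", standing, DEFAULT_OPEN_EXTENSIONS),
    ]
    for name, data, exts in cases:
        print(f"{name:12} {sorted(exts)!s:28} -> {scan_on_open(name, data, exts)}")
    print("cp1252 name read as cp437 differs:",
          ansi_name_mismatch("éicar.com", "cp1252", "cp437"))
```

Run it as a script to see the four decisions; the accented name is skipped, blocked or blocked depending only on the extension policy, and the “Standing … Text” variant is allowed because it is not EICAR under the spec. The code-page helper is the reason the 4.0-era ANSI design could fail and a Unicode one cannot: the decision never depends on re-encoding the name.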

I see, so basically, any real modification of the file beyond say the character length, would invalidate it?

Anyway, so far only Norman AV was able to pick up every possible way I changed the file within reasonable limitations… I even changed it to some funny variations:

SACKO-NUTZSACK-ANTINUTZ-TEST-FILE and other variations, and Norman STILL picked it up. Then I turned off Norman, and used every possible WEIRD extension and naming definition I could think of, things like "MADONNA).ABC" and other crap, and it still picked those up immediately upon entry to the directory.

Honestly, I don’t have Avast installed on this PC so I cannot check how it would handle those yet. But I don’t think ‘Standing’ in place of ‘Standard’ should be missed, should it? I don’t know much about the inner workings of AV software (yet), but it seems to me changing a few letters shouldn’t negate the detection? Heuristics?