> While it might be a vulnerability if the file is
> extracted, which it has to be to be executed, the
> desktop scanner will detect it at that time.
> Multiple layers of defense is your best option.
> As far as number 3, Antigen detects Eicar.

YAP, I never reported Antigen vulnerable to the 3rd one. Though, in the local file header, if you modify the "general purpose bit flag", 7th & 8th byte of a zip archive, with \x2f, Antigen also seems to be vulnerable! While most unzip utilities are transparently able to extract SUCH* archive without any problem! Though, currently my only source of verifying this is via www.virustotal.com and some others. [Go, TRY IT THERE!]

http://www.geocities.com/visitbipin/gpbf.zip

> I can see if there is anything
> else that you do not
> think Antigen is doing correctly.

(O; For instance, in the "local file header" & "data descriptor", if you change the compressed size and uncompressed size to ZERO [iDEFENSE] or greater than the actual file size or less than the actual file size, still there are many AV that can't scan the file properly.

http://www.geocities.com/visitbipin/Antigen_b.zip
http://www.geocities.com/visitbipin/Antigen_s.zip

Moreover, there are unzip utilities that go into a loop if the filesize is changed to ffffffff! Let's hope AV don't have such faulty code! Just run the file through www.virustotal.com and you'll see. (I know, they aren't using an up-to-date scan engine.)

Thanks,
bipin

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/
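A scanner-side consistency check for the header fields discussed in the message above, as an added example that is not part of the original post or of any product it mentions: it compares each local file header's flags, method and sizes against the central directory and reports disagreements. The names `audit_zip` and `constructed_sample` are hypothetical, and treating the central directory as the reference copy is an assumption of this example.

```python
import io
import struct
import zipfile

LFH = struct.Struct("<4sHHHHHIIIHH")  # fixed 30-byte local file header
DEFERRED = 0x0008  # flag bit 3: sizes/CRC live in the data descriptor
ZIP64 = 0xFFFFFFFF  # marker: real size is in the ZIP64 extra field


def audit_zip(data: bytes) -> list[str]:
    """List fields where a local file header contradicts the central directory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        entries = zf.infolist()  # ZipInfo values come from the central directory
    findings = []
    for e in entries:
        raw = data[e.header_offset:e.header_offset + LFH.size]
        if len(raw) < LFH.size or raw[:4] != b"PK\x03\x04":
            findings.append(f"{e.filename}: no local header at recorded offset")
            continue
        _, _, flags, method, _, _, _, csize, usize, _, _ = LFH.unpack(raw)
        if flags != e.flag_bits:
            findings.append(f"{e.filename}: flags local={flags:#06x} central={e.flag_bits:#06x}")
        if method != e.compress_type:
            findings.append(f"{e.filename}: method local={method} central={e.compress_type}")
        deferred = bool(flags & e.flag_bits & DEFERRED)
        for label, local, central in (("compressed size", csize, e.compress_size),
                                      ("uncompressed size", usize, e.file_size)):
            if deferred and local == 0:
                continue  # legitimate: the writer streamed this entry
            if local == ZIP64 and central >= ZIP64:
                continue  # legitimate ZIP64 entry
            if local != central:
                findings.append(f"{e.filename}: {label} local={local} central={central}")
    return findings


def constructed_sample() -> bytes:
    """Constructed input: one stored entry with harmless text, built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("note.txt", "harmless sample text")
    return buf.getvalue()


if __name__ == "__main__":
    sample = bytearray(constructed_sample())
    sample[18:26] = bytes(8)  # zero both size fields of the first local header
    for line in audit_zip(bytes(sample)):
        print(line)
```

A gateway that gets any finding from such a check can quarantine the archive or hand it to a stricter parser instead of trusting whichever copy of the fields its own extractor happens to read.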
