On Mon, 14 Mar 2005, Dr. Peter Bieringer wrote: > during investigation of Sober.l we got the idea to replace the spaces of a > filename contained in the ZIP archive by some escape sequences. > [...] > > Also we found that at least 2 AV scan programs from 2 vendors do not detect > the virus inside and report "clean" instead.
I think Sophos passes the test. I find that the underlying API (as exposed by a python wrapper) is able to detect the viruses in all cases. For the command line "sweep" utility, try adding the "-all" switch to your invocation: $ /usr/local/bin/sweep -ss -archive -all unfiltered-escape-sequences-in-filename-eicar.zip >>> Virus 'EICAR-AV-Test' found in file unfiltered-escape-sequences-in-filename-eicar.zip/Test_[2J_[2;5m_[1;31mHACKER ATTACK_[2;25m_[22;30m_[3q.txt/eicar_com.zip/eicar.com $ md5sum unfiltered-escape-sequences-in-filename-eicar.zip 38363004047dc11b206305bd3660d68f unfiltered-escape-sequences-in-filename-eicar.zip This is using engine 2.28.4, as in your tests. The consituent filenames are escaped before being displayed, too (sadly excepting ASCII BEL). Regards, Mike _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://www.secunia.com/
