REVISION 1.1
===========
Without "offensive" language.


PROBLEM
========

McAfee VirusScan Enterprise 8.0.0 (tested unpatched and with Patch 11)
using the 4781 DAT file (dated 06/09/2006, perhaps also previous) and
engine 4400 incorrectly identifies the "industry standard" EICAR test
file as Elspy.worm .


PROOF OF CONCEPT
=================
@echo off
:looper
REM Make file >128 bytes #################
REM ######################################
REM ######################################
REM ######################################
echo [EMAIL PROTECTED](P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*>testfile
goto looper

Cut & paste the above into Notepad (lines may wrap), save as a Windows
CMD file & run it.

VirusScan will report an instance of Elspy.worm once every three seconds (YMMV).


RISK FACTOR
===========
I dunno... you could probably make your "Enterprise AntiVirus
Administrator" look like a clueless idiot.  That's always fun!


ADMISSION OF LAMENESS
=====================
Yes, this is lame.  It is also stupid that an "Enterprise" antivirus
package cannot identify an EICAR test file properly.  That's not MY
problem.  Also, I did ZERO research on this so if someone else has
already published, mea culpa.


VENDOR NOTIFICATION
==================
None.


HOLLA
=====
Greetz to Dad & the Woolly Spook!

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
