Dear [EMAIL PROTECTED], --Tuesday, September 16, 2003, 11:59:22 PM, you wrote to [EMAIL PROTECTED]:
ahc> Like any antivirus scanner, Symantec detects the Eicar test virus ahc> (eicar.exe or eicar.txt). At least, at first glance it appears to ahc> detect it. However, you can easily defeat this by adding a few ahc> bytes of random text before or after the Eicar string. For example, ahc> if you use a hex/text editor Probably you misunderstand what antiviral signature is. It's not some virus substring. Than researching virus, antiviral vendor makes an algorithm to catch virus behavior. If this virus is mutating, all _possible_ mutations must be catched by signature. The problem is, EICAR with 'few random bytes' is not possible mutation for EICAR, so catching it is not required for antiviral product :). And even more: catching changed EICAR string is invalid behaviour. In this case, you will not be able to read EICAR string on the web page or read it in e-mail message, as it was suggested by EICAR developers, because your antivirus will incorrectly think message or page is infected. -- ~/ZARAZA Клянусь лысиной пророка Моисея - я тебя сейчас съем. (Твен) _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
