Hi,

Just tried with clamscan and clamdscan v.0.71 on an OpenBSD 3.5, with these signatures:

ClamAV update process started at Tue Jun 15 09:13:49 2004
main.cvd is up to date (version: 23, sigs: 21096, f-level: 2, builder: ddm)
daily.cvd updated (version: 357, sigs: 866, f-level: 2, builder: ccordes)
Database updated (21962 signatures) from database.clamav.net (152.66.249.132).

mail# clamscan SERVER_dwn.zip
SERVER_dwn.zip: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 21962
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 20.13 MB
I/O buffer size: 131072 bytes
Time: 9.006 sec (0 m 9 s)
mail#

mail# clamdscan SERVER_dwn.zip
/var/amavis/SERVER_dwn.zip: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 8.053 sec (0 m 8 s)
mail#

No problems whatsoever.

Regards

Bo Rising Rasmussen
it/security consultant
brr@xxxxxxxxxxx

> -----Original Message-----
> From: bipin gautam [mailto:visitbipin@xxxxxxxxxxx]
> Sent: Monday, June 14, 2004 4:39 PM
> To: cert@xxxxxxxx; bugtraq@xxxxxxxxxxxxxxxxx
> Cc: wk@xxxxxxx; vulndiscuss@xxxxxxxxxxxxx;
> vulndiscuss-owner@xxxxxxxxxxxxx
> Subject: Multiple Antivirus Scanners DoS attack.
>
> Multiple Antivirus Scanners DoS attack.
>
> --- [Vulnerable Products] ---
> Only tested on...
>
> * Norton Antivirus 2002
> * Norton Antivirus 2003
> * McAfee VirusScan 6
> * Network Associates (McAfee) VirusScan Enterprise 7.1
> * Windows XP default ZIP manager [reports wrong size of
> compress ZIP files.]
>
> There have been multiple reports [Unconfirmed]
> *F-Prot 4.4.2 for Linux
> *Panda Antivirus
>
> Are vulnerable.
>
>
> Risk Impact: Medium
>
> --- [Details] ---
>
> While having a manual scan of compressed files; several
> Antivirus, Trojan, Spyware scanners suffer a DoS attack if
> the software tries to completely extract the archive and scan
> its content for a hostile file.
>
> --- [Proof of Concept] ---
> Please download this file.
> http://www.geocities.com/visitbipin/SERVER_dwn.zip
>
> Moreover it's not safe to set automatically
> 'Quarantine/delete' option set for your AV scanner as it may
> try to Quarantine the virus by extracting the archive.
>
> -----------
> Bipin Gautam
> http://www.geocities.com/visitbipin/
>
> Disclaimer: The information in the advisory is believed to be
> accurate at the time of printing based on currently available
> information. Use of the information constitutes acceptance
> for use in an AS IS condition. There are no warranties with
> regard to this information. Neither the author nor the
> publisher accepts any liability for any direct, indirect or
> consequential loss or damage arising from use of, or reliance
> on this information.
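
Added example, not part of either message above and not code from any of the products named: one way a scanner can avoid the full-extraction DoS the advisory describes is to stream archive members under a byte budget instead of unpacking them. The function names, the limits and the sample archives are assumptions constructed for illustration.

```python
import io
import zipfile

CHUNK = 64 * 1024  # read size; every limit below is an assumed value, not from the post

class ArchiveLimitExceeded(Exception):
    """Raised when an archive would expand past the scanner's budget."""

def scan_zip_bounded(data, scan_chunk, max_total=32 * 2**20, max_ratio=200,
                     ratio_floor=2**20):
    """Feed each member to scan_chunk(name, bytes); nothing is written to disk."""
    total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # Cheap pre-check on the sizes declared in the central directory.
            if total + info.file_size > max_total:
                raise ArchiveLimitExceeded(f"{info.filename}: declared size over budget")
            if (info.file_size >= ratio_floor and
                    info.file_size > max_ratio * max(info.compress_size, 1)):
                raise ArchiveLimitExceeded(f"{info.filename}: compression ratio too high")
            # Also count the bytes actually produced, not only the declared ones.
            with zf.open(info) as member:
                while chunk := member.read(CHUNK):
                    total += len(chunk)
                    if total > max_total:
                        raise ArchiveLimitExceeded(f"{info.filename}: output over budget")
                    scan_chunk(info.filename, chunk)
    return total

def build_zip(members):
    """Constructed sample input: an in-memory ZIP built from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()

def is_rejected(data, **limits):
    """True if the bounded scan refuses the archive under the given limits."""
    try:
        scan_zip_bounded(data, lambda name, chunk: None, **limits)
    except ArchiveLimitExceeded:
        return True
    return False

if __name__ == "__main__":
    ordinary = build_zip({"readme.txt": b"hello world\n" * 100})
    padded = build_zip({"filler.bin": b"\0" * (8 * 2**20)})  # constructed: 8 MiB of zeros
    print(is_rejected(ordinary), is_rejected(padded))
```

An archive rejected this way should be reported as unscannable rather than clean, and quarantine handling should move the archive file as-is instead of unpacking it.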