-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Tue, Mar 15, 2005 at 05:45:58PM +0100, Dr. Peter Bieringer wrote: > >I STIL FIND IT happy to > >see there are lot of AV out there that cant scan such > >file properly to detect virus. > > The problem must be located in the unzip engine: > > We've created a mixed ZIP now: > > # unzip -l mixed-eicar.zip > Archive: mixed-eicar.zip > Length Date Time Name > -------- ---- ---- ---- > 308 03-10-05 12:00 Test^G^[[2J^[[2;5m^[[1;31mHACKER > ATTACK^[[2;25m^[[22;30m^[[3q.txt > 308 03-10-05 12:00 eicarcom2.zip > -------- ------- > 616 2 files > > > BTW: note here that "unzip" displays the escape sequences very proper! > > Available here: > <ftp://ftp.aerasec.de/pub/advisories/unfiltered-escape-sequences/mixed-eicar.zip> > > Some AV software detect the virus only in second part of the ZIP file, so > it looks like the first one is really skipped and not analysed. F-Prot seems to detect it correctly: VIRUS SIGNATURE FILES SIGN.DEF created 13 March 2005 SIGN2.DEF created 13 March 2005 MACRO.DEF created 11 March 2005 Search: mixed-eicar.zip Action: Report only Files: "Dumb" scan of all files Switches: -ARCHIVE -PACKED -SERVER /home/rodrigob/tmp/mixed-eicar.zip->Test^G^[[2J^[[2;5m^[[1;31mHACKER ATTACK^[[2;25m^[[22;30m^[[3q.txt->eicar_c->eicar.com Infection: EICAR_Test_File /home/rodrigob/tmp/mixed-eicar.zip->eicarcom2.zip->eicar_com.zip->eicar.com Infection: EICAR_Test_File Results of virus scanning: Files: 1 MBRs: 0 Boot sectors: 0 Objects scanned: 7 Infected: 2 Suspicious: 0 Disinfected: 0 Deleted: 0 Renamed: 0 Time: 0:00 - -- Rodrigo Barbosa <rodrigob@xxxxxxxxxxxxxxx> "Quid quid Latine dictum sit, altum viditur" "Be excellent to each other ..." - Bill & Ted (Wyld Stallyns) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (GNU/Linux) iD8DBQFCNxtspdyWzQ5b5ckRApEcAKCHZTlzib/lH7LUjpL/FqEOtSsyegCfbW1a BSjnssdy4iIBXZyEcv/JF1Q= =M4rV -----END PGP SIGNATURE-----
