lists wrote:
> Multiple vulnerabilities have been found and corrected in clamav:
Guys, just a bit of generic (i.e. not specific to the above) background about such evasion advisories. How it works, aka how to get fame and glory with no effort (nor skills):

1. Pick up eicar.com and pack it up with the chosen archive type.
2. Fuzz it into several thousand different files.
3. Run N unpacking utilities and M AV toolkits against the above fileset.
4. Find any tool in N succeeding against a sample for which at least one AV in M fails.
5. Get yourself a 1337 name and post your 3v4510n!!1 advisory.
6. Wait for mitre to pick it up and assign a CVE id to it (don't worry: no matter how crappy or inaccurate your description is, they surely will).

Now this sounds quite severe, doesn't it? Since an antivirus is a security tool, if we can bypass it then we have a security bug. And that's quite correct. However (and that's what most people don't realise), is an archive handler bypass sufficient to bypass the AV as a whole? Fortunately no.

ClamAV (but I'm sure this is the case with every other AV on the planet) uses archive and runtime packer handlers as mere helpers. They simply make it easier and more efficient to write signatures. But nothing stops us from publishing signatures against the raw archive. In fact, that's exactly what we do against archive formats and runtime packers that we don't currently handle.

So, what's the practical impact of evasion sploits? In most cases, close to zero. How many malicious samples have we seen that actively exploit archive evasion? Zero. What happens if, in the future, we see malware exploiting them? We'll simply catch them with a signature (or bytecode) based on the raw archive file.

What happens when we receive such advisories? We file comments to the reporter and, in the next stable version, we improve the code to handle more bastardized samples. We then notify the reporter, who in no case has ever bothered to integrate our comments.
Oh, and one final note about the accuracy:

> ClamAV before 0.96 does not properly handle the (1) CAB and (2) 7z file
> formats, which allows remote attackers to bypass virus detection via

It's quite funny to hear that the 7z handler is vulnerable in versions <0.96, because it was, in fact, introduced in 0.96... :)

Cheers,
--acab