BugTraq
Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability through Oct 25 2005 02:00PM
Andrey Bayora (andrey securityelf org) (1 replies)
Re: Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability through Oct 27 2005 06:21AM
Dave English (dave english thus net)
In message <019d01c5d96c$87e6ea80$0501a8c0@home>, Andrey Bayora
<andrey (at) securityelf (dot) org [email concealed]> writes
>Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability through
>forged magic byte.

Interesting

Have you considered the possibility that some vendors at least may
include with each virus signature a set of file formats for which the
signature is valid, or just a flag to signify "all formats"?

If so, then the vendors will consider themselves not vulnerable, they
can simply update their virus definitions when and if variants with
different headers appear.

Even with 1:1 file format signatures, a vendor could presumably include
multiple virus definitions for one virus, one per file format, as
required.

...

>For more details, screenshots and examples please read my article "The Magic
>of magic byte" at www.securityelf.org
...
--
Dave English Senior Software & Systems Engineer
Internet Platform Development, Thus plc
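
The signature-scoping options raised in the reply above, as an added example that is not part of the original post or any vendor's engine: a toy scanner whose signatures carry either a set of valid file formats or an "all formats" flag. The magic table, signature names, marker string and sample bytes are all constructed for illustration.

```python
# Added illustration: every name, pattern and sample below is constructed.
ALL_FORMATS = None  # flag meaning "signature is valid for any file format"

# Minimal magic-byte table; anything unrecognised is treated as "text".
MAGIC = [(b"MZ", "pe"), (b"%PDF", "pdf"), (b"PK\x03\x04", "zip")]

MARKER = b"CONSTRUCTED-SCRIPT-MARKER"  # stands in for a real byte signature

# Three ways to ship the same detection: (name, pattern, valid formats).
SCOPED = [("Test.Script.A", MARKER, {"text"})]             # 1:1 format scoping
PER_FORMAT = SCOPED + [("Test.Script.A!pe", MARKER, {"pe"})]  # one per format
ANY_FORMAT = [("Test.Script.A", MARKER, ALL_FORMATS)]      # "all formats" flag


def detect_format(data):
    """Classify a buffer purely by its leading magic bytes."""
    for magic, fmt in MAGIC:
        if data.startswith(magic):
            return fmt
    return "text"


def scan(data, signatures):
    """Return (detected format, names of signatures that matched)."""
    fmt = detect_format(data)
    hits = []
    for name, pattern, formats in signatures:
        # A format-scoped signature is never tried against other formats.
        if formats is not ALL_FORMATS and fmt not in formats:
            continue
        if pattern in data:
            hits.append(name)
    return fmt, hits


# Constructed regression inputs: the same content with and without a
# leading magic value that makes the type detector report another format.
PLAIN = b"@echo off\r\nrem " + MARKER + b"\r\n"
FORGED = b"MZ" + PLAIN

if __name__ == "__main__":
    for label, db in (("scoped", SCOPED), ("per-format", PER_FORMAT),
                      ("any-format", ANY_FORMAT)):
        print(label, scan(PLAIN, db), scan(FORGED, db))
```

Only the 1:1 scoped database misses the second input; adding a per-format definition or setting the "all formats" flag restores the detection, which is the definition-update path the reply describes.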
