BugTraq
Multiple Vendor Unusual MIME Encoding Content Filter Bypass Dec 06 2006 02:24PM
Hendrik Weimer (hendrik enyo de) (2 replies)
Several e-mail virus scanners can be tricked into passing an EICAR
test file if the following conditions are met:

1. the EICAR file is encoded in Base64 including characters not in the
standard alphabet (e.g. whitespaces) and
2. the part containing the EICAR file is nested within one or several
levels of multipart/mixed content.

Details and PoC can be found at:
http://www.quantenblog.net/security/virus-scanner-bypass

Vulnerable products:
- BitDefender Mail Protection for SMB 2.0
- ClamAV 0.88.6
- F-Prot Antivirus for Linux x86 Mail Servers 4.6.6
- Kaspersky Anti-Virus for Linux Mail Server 5.5.10

Not recognizing the EICAR file, but aborting the scan:
- F-Secure Anti-Virus for Linux Gateways 4.65

Not vulnerable:
- avast! for Linux/Unix Servers 2.0.0

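A defensive check for the two conditions listed in the advisory above, added here as an example and not taken from the post or its linked PoC: it walks nested multipart levels, counts characters outside the Base64 alphabet in each Base64 part, and decodes the part with those characters dropped so a scanner can inspect the bytes a tolerant decoder would produce. The sample message and its marker payload are constructed stand-ins for the EICAR file, and the function names are hypothetical.

```python
import base64, binascii, re
from email import message_from_bytes

STRAY = re.compile(r"[^A-Za-z0-9+/=\r\n]")  # not alphabet, padding or line break
NON_ALPHABET = re.compile(r"[^A-Za-z0-9+/]")

def lenient_b64decode(text):
    """Decode after dropping every non-alphabet character, then re-pad."""
    clean = NON_ALPHABET.sub("", text)
    clean += "=" * (-len(clean) % 4)
    try:
        return base64.b64decode(clean)
    except binascii.Error:
        return b""  # undecodable even after cleaning

def base64_leaves(msg, depth=0):
    """Yield (multipart depth, stray character count, decoded bytes) per Base64 leaf."""
    if msg.is_multipart():
        for child in msg.get_payload():
            yield from base64_leaves(child, depth + 1)
    elif msg.get("Content-Transfer-Encoding", "").strip().lower() == "base64":
        raw = msg.get_payload()  # body text exactly as sent, not decoded
        yield depth, len(STRAY.findall(raw)), lenient_b64decode(raw)

def scan(raw_message):
    """Parse raw message bytes and list the findings for all Base64 leaves."""
    return list(base64_leaves(message_from_bytes(raw_message)))

# Constructed sample: marker payload, Base64 with a space every 7 characters,
# nested inside two levels of multipart/mixed.
MARKER = b"CONSTRUCTED-TEST-MARKER"
ENCODED = base64.b64encode(MARKER).decode()
SPACED = " ".join(ENCODED[i:i + 7] for i in range(0, len(ENCODED), 7))
SAMPLE = (
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="outer"\r\n\r\n'
    "--outer\r\n"
    'Content-Type: multipart/mixed; boundary="inner"\r\n\r\n'
    "--inner\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Content-Transfer-Encoding: base64\r\n\r\n"
    + SPACED + "\r\n"
    "--inner--\r\n"
    "--outer--\r\n"
).encode()

if __name__ == "__main__":
    for depth, stray, data in scan(SAMPLE):
        print(f"depth={depth} stray_chars={stray} decoded={data!r}")
```

A non-zero stray count on a nested part is a signal worth logging on its own, and the decoded bytes are what should be handed to the signature engine.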
Re: Multiple Vendor Unusual MIME Encoding Content Filter Bypass Dec 07 2006 02:15PM
Tomasz Kojm (tkojm clamav net) (3 replies)
Re: Multiple Vendor Unusual MIME Encoding Content Filter Bypass Dec 07 2006 07:33PM
michele.sandrelli (at) katamail (dot) com (michele sandrelli katamail com)
Re[2]: Multiple Vendor Unusual MIME Encoding Content Filter Bypass Dec 07 2006 07:00PM
3APA3A (3APA3A SECURITY NNOV RU) (1 replies)
Re: Multiple Vendor Unusual MIME Encoding Content Filter Bypass Dec 07 2006 07:31PM
Tomasz Kojm (tkojm clamav net)
Re: Multiple Vendor Unusual MIME Encoding Content Filter Bypass Dec 07 2006 05:57PM
Luke Borg (lborg hcssystems com)
Re: Multiple Vendor Unusual MIME Encoding Content Filter Bypass Dec 07 2006 12:30PM
Gadi Evron (ge linuxbox org)