TUCoPS :: Security App Flaws :: hack7106.htm

Viruses can evade Sophos Anti-Virus

Hi!

Product : Sophos Anti-Virus v3.93 (Client)
(SAV from now on)
OS : Microsoft Windows
Vendor informed ? : CCed on this post


What : Infected files can evade detection and be executed

Procedure :

 - install SAV in client mode
 - download an infected file (http://www.eicar.org/download/eicar.com from
   http://www.eicar.org/anti_virus_test_file.htm is a good test example) to
   the Desktop
 - reboot
 - on next boot/login, double click the infected file on the desktop

Result : infected file is executed with no intervention from SAV

Details :

By default SAV does not check files when they are written, only when they are read
or executed. Therefore the download itself does not trigger any warning.
Note that some download software does not simply save the downloaded file, but
saves it to a temporary location and then copies it to the final destination,
which involves reading the file and triggers a SAV warning (IE 6.x). Others,
like wget, try to change the file time and also trigger a warning. Firefox 1.0.3
does not trigger any warning.

On boot/login, SAV is not immediately running (this can also be seen from the colour of
the systray indicator icon, "InterCheck Monitor"). It takes several seconds, depending
on system configuration, until SAV is fully functional. During that time there is no
virus protection, and a user can start the file downloaded in the previous session.

Note : the example file eicar.com does not run directly on modern Windows versions.
For testing I recommend using a short script :
command /c eicar
pause

saved as runit.bat on the Desktop.
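As an added example (not part of the original advisory): a PowerShell logon probe that measures the start-up gap described above, i.e. the seconds from logon until the on-access scanner process exists, and checks whether the EICAR test file on the Desktop can be read during that window. The scanner image name ("InterCheck" below) is an assumption; the advisory only names the tray icon "InterCheck Monitor", so confirm the real process name with Get-Process on the target before use. The test string is the published EICAR string from eicar.org.

```powershell
<#
  Added example, not from the original advisory: logon-time probe for the
  on-access scanner start-up gap.

  Run it once at logon (e.g. from the HKCU Run key). It records when the
  scanner process appears and, meanwhile, tries to read the EICAR test file
  on the Desktop. A successful read before the scanner process exists is the
  unprotected window the advisory describes; a failed read or an AV alert
  means the scanner was already active.

  Assumptions (not stated on the page):
   - $AvProcessName is the image name of the on-access scanner process.
     Check the real name with Get-Process on the target.
#>
param(
    [string]$AvProcessName = 'InterCheck',   # assumption: replace with the real image name (no .exe)
    [string]$TestFile = (Join-Path ([Environment]::GetFolderPath('Desktop')) 'eicar.com'),
    [int]$TimeoutSeconds = 120,
    [string]$LogFile = (Join-Path $env:TEMP 'sav-gap-probe.log')
)

# Single-quoted so PowerShell does not expand $EICAR / $H as variables.
$EicarString = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

function Write-Log([string]$Message) {
    $line = '{0:HH:mm:ss.fff} {1}' -f (Get-Date), $Message
    $line | Out-File -FilePath $LogFile -Append -Encoding ascii
    Write-Host $line
}

function Test-AvRunning {
    # Returns $true only when a process with the assumed scanner name exists.
    return [bool](Get-Process -Name $AvProcessName -ErrorAction SilentlyContinue)
}

function Test-FileReadable([string]$Path) {
    # A read is what the advisory says triggers the on-access scan.
    try {
        $null = [System.IO.File]::ReadAllBytes($Path)
        return $true
    } catch {
        return $false
    }
}

# Step 1: write the test file without reading it back. On a scanner that only
# checks on read/execute this should succeed silently.
if (-not (Test-Path $TestFile)) {
    [System.IO.File]::WriteAllText($TestFile, $EicarString, [System.Text.Encoding]::ASCII)
    Write-Log "wrote test file $TestFile (write-only; no alert expected if scan-on-write is off)"
}

# Step 2: poll until the scanner process appears, probing readability meanwhile.
$start = Get-Date
$avSeen = $false
$readableBeforeAv = $false
while (((Get-Date) - $start).TotalSeconds -lt $TimeoutSeconds) {
    if (Test-AvRunning) {
        $avSeen = $true
        Write-Log ('{0} running after {1:N1}s' -f $AvProcessName, ((Get-Date) - $start).TotalSeconds)
        break
    }
    if (-not $readableBeforeAv -and (Test-FileReadable $TestFile)) {
        $readableBeforeAv = $true
        Write-Log "test file read successfully while $AvProcessName was NOT running: unprotected window"
    }
    Start-Sleep -Milliseconds 500
}

if (-not $avSeen) { Write-Log "$AvProcessName not seen within $TimeoutSeconds s" }

# Step 3: once the scanner is up, a read of the test file should be intercepted.
$readableAfterAv = Test-FileReadable $TestFile
Write-Log ('test file readable after scanner start: {0}' -f $readableAfterAv)
```

To run it at every logon, register it under the current user's Run key, for example: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v SavGapProbe /t REG_SZ /d "powershell -ExecutionPolicy Bypass -File C:\probe.ps1" (path is a placeholder). The log in %TEMP%\sav-gap-probe.log then shows, per boot, how long the window was and whether the test file was readable inside it. A readable file after the scanner has started means on-read scanning is not active at all, which is a separate configuration problem from the start-up gap.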

Affected software : Sophos Antivirus v3.93 (client mode) on MS Windows Server 2003

Probably affected software :
 - Sophos Anti-Virus v3.93 (client mode) on other Windows versions
 - other antivirus software, that might behave similarly (not tested by message author)

Regards,
David Balazic, computer user
