Viruses can evade Sophos Anti-Virus
Hi!
Product : Sophos Anti-Virus v3.93 (Client)
(SAV from now on)
OS : Microsoft Windows
Vendor informed ? : CCed on this post
What : Infected files can evade detection and be executed
Procedure :
- install SAV in client mode.
- download an infected file (http://www.eicar.org/download/eicar.com from http://www.eicar.org/anti_virus_test_file.htm is a good test example) to the Desktop
- reboot
- on next boot/login, double click the infected file on the desktop
Result : infected file is executed with no intervention from SAV
Details :
By default SAV does not check files when written, only when read or executed. Therefore the download does not trigger any warnings.
Note that some download software does not simply save the downloaded file, but saves it to a temporary location and then copies it to the final destination, which involves file reading and triggers a SAV warning (IE 6.x). Others, like wget, try to change the file time and also trigger a warning. Firefox 1.0.3 does not trigger any warning.
On boot/login, SAV is not immediately running (this can also be seen by the color of the systray indicator icon, "InterCheck Monitor"). It takes several seconds, depending on system configuration, until SAV is fully functional. During that time there is no virus protection. A user can start the file he downloaded in the previous session.
Note : the example file eicar.com used here does not run directly on modern Windows versions. For testing I recommend using a short script:

    rem runit.bat: run eicar.com through the 16-bit command.com, then wait for a key
    command /c eicar
    pause

saved as runit.bat on the Desktop.
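A toy model of the two conditions described above (on-access scanning only on read/execute, and the scanner not yet running during logon), added here as an example; it is not Sophos code and not the author's script. The scanner class, its flag and the file paths are constructed for illustration, and the EICAR string is the public test signature the post links to.

```python
# Added example: toy model of the on-access scanning policy the post describes.
# Not Sophos code; paths, class and detection logic are constructed.
# The EICAR string is the public anti-virus test signature, not live malware.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


class OnAccessScanner:
    def __init__(self, scan_on_write):
        self.scan_on_write = scan_on_write
        self.running = False        # False = InterCheck not yet up (boot window)
        self.files = {}             # path -> content written to "disk"
        self.quarantined = []       # paths the scanner detected and removed

    def _scan(self, path):
        """Return True if clean; quarantine (remove) the file if infected."""
        if EICAR in self.files.get(path, ""):
            self.quarantined.append(path)
            del self.files[path]
            return False
        return True

    def write(self, path, content):
        """A browser saving a download: a write-only access."""
        self.files[path] = content
        if self.running and self.scan_on_write:
            self._scan(path)

    def execute(self, path):
        """Return True if the file runs, False if the scanner stopped it."""
        if path not in self.files:
            return False            # already quarantined at download time
        if not self.running:
            return True             # boot window: nothing intercepts the launch
        return self._scan(path)     # read/execute is scanned in both configs


def logon_scenario(scan_on_write):
    """Download in one session, reboot, double-click before the scanner is up."""
    av = OnAccessScanner(scan_on_write)
    av.running = True
    av.write("Desktop/eicar.com", EICAR)           # download during session 1
    av.running = False                             # reboot: scanner stops
    ran_early = av.execute("Desktop/eicar.com")    # click during start-up window
    av.running = True                              # InterCheck finishes starting
    ran_late = av.execute("Desktop/eicar.com")
    return ran_early, ran_late


if __name__ == "__main__":
    print("scan on read/execute only:", logon_scenario(False))  # (True, False)
    print("scan on write as well:    ", logon_scenario(True))   # (False, False)
```

With the default-like policy the file runs during the start-up window and is only caught once the scanner is up; with on-write scanning enabled it is quarantined at download time, so the start-up window no longer matters for that file.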
Affected software : Sophos Antivirus v3.93 (client mode) on MS Windows Server 2003
Probably affected software :
- Sophos Anti-Virus v3.93 (client mode) on other Windows versions
- other antivirus software that might behave similarly (not tested by the message author)
Regards,
David Balazic, computer user