Viruses can evade Sophos Anti-Virus
Hi!

Product : Sophos Anti-Virus v3.93 (Client)
(SAV from now on)
OS : Microsoft Windows
Vendor informed ? : CCed on this post


What : Infected files can evade detection and be executed

Procedure :

 - install SAV in client mode.
 - download an infected file (http://www.eicar.org/download/eicar.com from
http://www.eicar.org/anti_virus_test_file.htm is a good test example) to
the Desktop
 - reboot
 - on next boot/login, double click the infected file on the desktop

Result : infected file is executed with no intervention from SAV

Details :

By default SAV does not check files when they are written, only when they are
read or executed. Therefore the download does not trigger any warnings.
Note that some download software does not simply save the downloaded file, but
saves it to a temporary location and then copies it to the final destination,
which involves reading the file and triggers an SAV warning (IE 6.x). Some others,
like wget, try to change the file time and also trigger a warning. Firefox 1.0.3
does not trigger any warning.

On boot/login, SAV is not immediately running (this can also be seen from the
color of the systray indicator icon, "InterCheck Monitor"). It takes several
seconds, depending on system configuration, until SAV is fully functional. During
that time there is no virus protection. A user can start the file he downloaded
in the previous session.
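The window described above (user logs on, scanner not yet active, user launches
a file) can be measured from logs rather than observed by eye. The following
script is an added example for defenders and is not part of the original post
or of any Sophos tool. It parses constructed, invented log lines (the sources
"Winlogon", "Explorer" and "InterCheck" and the message formats are assumptions
made for this example, not real Windows or SAV event formats), computes per
logon how many seconds passed before the on-access scanner reported itself
active, and lists every process start that happened before that moment.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample log (not from the original post or from any real system).
# Session 1: a file on the Desktop is started before the scanner is active.
# Session 2: the scanner comes up first, so the same start is covered.
SAMPLE_LOG = """\
2005-05-10 08:00:03 Winlogon    logon user=alice session=1
2005-05-10 08:00:07 Explorer    process_start image=C:\\Documents and Settings\\alice\\Desktop\\runit.bat
2005-05-10 08:00:19 InterCheck  on_access_scanner active
2005-05-10 08:00:25 Explorer    process_start image=C:\\Program Files\\Editor\\editor.exe
2005-05-10 17:30:41 Winlogon    logon user=alice session=2
2005-05-10 17:30:44 InterCheck  on_access_scanner active
2005-05-10 17:30:52 Explorer    process_start image=C:\\Documents and Settings\\alice\\Desktop\\runit.bat
"""

# Assumed line layout: "<timestamp> <source> <message>" (an assumption of this
# example; a real deployment would adapt this to its own event source).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) +(?P<src>\S+) +(?P<msg>.*)$"
)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Split one log line into timestamp, source and message; None if malformed."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "src": m["src"],
        "msg": m["msg"],
    }


def find_unprotected_windows(log_text: str) -> List[Dict[str, object]]:
    """Return one record per logon session.

    Each record holds the logon time, the time the scanner became active, the
    gap between them in seconds (None if the scanner never reported), and the
    images started while no scanner was active.
    """
    sessions: List[Dict[str, object]] = []
    current: Optional[Dict[str, object]] = None
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        msg = str(ev["msg"])
        if ev["src"] == "Winlogon" and msg.startswith("logon "):
            # A new logon opens a new window; the scanner has not reported yet.
            current = {
                "logon": ev["ts"],
                "scanner_active": None,
                "gap_seconds": None,
                "unprotected_starts": [],
            }
            sessions.append(current)
        elif current is None:
            continue  # events before the first logon are not attributable
        elif ev["src"] == "InterCheck" and msg == "on_access_scanner active":
            if current["scanner_active"] is None:
                current["scanner_active"] = ev["ts"]
                current["gap_seconds"] = (ev["ts"] - current["logon"]).total_seconds()
        elif msg.startswith("process_start "):
            image = msg.split("image=", 1)[1]
            if current["scanner_active"] is None:
                current["unprotected_starts"].append(image)
    return sessions


def summarize(sessions: List[Dict[str, object]]) -> List[str]:
    """One human-readable line per session, flagging starts made without protection."""
    out = []
    for i, s in enumerate(sessions, 1):
        gap = s["gap_seconds"]
        gap_txt = "scanner never reported active" if gap is None else f"{gap:.0f}s until scanner active"
        flag = f"UNPROTECTED STARTS: {s['unprotected_starts']}" if s["unprotected_starts"] else "no unprotected starts"
        out.append(f"session {i}: logon {s['logon']:%H:%M:%S}, {gap_txt}, {flag}")
    return out


if __name__ == "__main__":
    for line in summarize(find_unprotected_windows(SAMPLE_LOG)):
        print(line)
```

The gap value is what an administrator would track over a fleet: a consistently
long window on slow machines is the exposure the post describes, and any entry
in "unprotected starts" is a file that was executed without the on-access
scanner having a chance to inspect it.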

Note : the example file eicar.com used here does not run directly on modern
Windows versions. For testing I recommend using a short script :
command /c eicar
pause

saved as runit.bat on the Desktop.

Affected software : Sophos Antivirus v3.93 (client mode) on MS Windows Server 2003

Probably affected software :
 - Sophos Anti-Virus v3.93 (client mode) on other Windows versions
 - other antivirus software that might behave similarly (not tested by message author)

Regards,
David Balazic, computer user