Multiple anti-virus software evasion

Anti-virus software from McAfee, Computer Associates, Kaspersky, Sophos, Eset and RAV is known to be vulnerable to an evasion attack in which an attacker crafts a compressed file (zip) containing malicious code that is not scanned by the anti-virus software.

The problem is caused by incorrect handling of header information within the zip file. Some anti-virus software skips scanning a file whose header indicates a size of zero. The size recorded in the header does not affect decompression of the zip file, so the content is still extracted in full.
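To make the header/content mismatch concrete, the following added example (not code from the diary or from any of the vendors named) builds a small deflated zip with Python's standard library, zeroes the "uncompressed size" field in the local file header and the central directory the way the malformed archive described above would, and then inspects the archive in two ways: a header-trusting check that would skip the entry, and a check that decompresses the raw deflate stream and measures what actually comes out. The entry name, body and size cap are constructed for the demo; the body is benign text.

```python
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
LOCAL_HDR = "<4sHHHHHIIIHH"        # 30-byte local file header (PKWARE APPNOTE layout)
MAX_OUT = 16 * 1024 * 1024          # cap decompression so a hostile entry cannot exhaust memory

# Constructed, benign sample entry (stands in for whatever the archive carries).
SAMPLE_NAME = "sample.txt"
SAMPLE_BODY = b"constructed benign sample body for the size-mismatch demo\n" * 20


def build_sample_zip(name=SAMPLE_NAME, body=SAMPLE_BODY, patch=True):
    """Build a valid deflated zip; with patch=True, zero the 'uncompressed size'
    field in the local header and the central directory. The deflate stream
    and the 'compressed size' field are left untouched, so extraction still works."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, body)
    data = bytearray(buf.getvalue())
    if patch:
        lh = data.find(LOCAL_SIG)                      # first local header (offset 0 here)
        struct.pack_into("<I", data, lh + 22, 0)      # local header: uncompressed size
        cd = data.rfind(CENTRAL_SIG)                   # single central directory record
        struct.pack_into("<I", data, cd + 24, 0)      # central dir: uncompressed size
    return bytes(data)


def walk_local_entries(zip_bytes):
    """Yield (name, method, declared_size, compressed_bytes) per local file header,
    reading sequentially from offset 0 as a stream scanner would.
    Assumption: entries using a data descriptor (flag bit 3) are not handled."""
    off = 0
    while zip_bytes[off:off + 4] == LOCAL_SIG:
        (_, _, flags, method, _, _, _crc, csize, usize, nlen, xlen) = struct.unpack_from(
            LOCAL_HDR, zip_bytes, off)
        if flags & 0x08:
            raise ValueError("data-descriptor entries are outside this demo's scope")
        name = zip_bytes[off + 30:off + 30 + nlen].decode("utf-8", "replace")
        start = off + 30 + nlen + xlen
        yield name, method, usize, zip_bytes[start:start + csize]
        off = start + csize


def actual_size(method, compressed):
    """Decompress the entry body without consulting header sizes and return how
    many bytes it really produces (capped at MAX_OUT)."""
    if method == 0:                                    # stored
        return min(len(compressed), MAX_OUT)
    if method == 8:                                    # deflate, raw stream (wbits=-15)
        d = zlib.decompressobj(-15)
        return len(d.decompress(compressed, MAX_OUT))
    raise ValueError(f"unsupported compression method {method}")


def inspect_zip(zip_bytes):
    """One record per entry: declared vs. actual uncompressed size."""
    report = []
    for name, method, declared, comp in walk_local_entries(zip_bytes):
        actual = actual_size(method, comp)
        report.append({"name": name, "declared": declared, "actual": actual,
                       "mismatch": declared != actual})
    return report


def naive_skip_list(report):
    """Entries a header-trusting scanner would not scan at all (declared size 0)."""
    return [e["name"] for e in report if e["declared"] == 0]


def mismatch_list(report):
    """Entries whose header lies about their size; these warrant full inspection."""
    return [e["name"] for e in report if e["mismatch"]]


if __name__ == "__main__":
    rep = inspect_zip(build_sample_zip())
    for entry in rep:
        print(entry)
    print("header-trusting scanner would skip:", naive_skip_list(rep))
    print("entries to flag for full scan:", mismatch_list(rep))
```

The defensive point is in `inspect_zip`: the decision to scan is driven by what the deflate stream yields, not by what the header claims, and the output is bounded so that a deliberately oversized entry cannot be used to exhaust the scanner instead. A mismatch between declared and actual size is itself a useful signal to log or quarantine on, independent of any signature match.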
Keep chasing Botnets

We have received numerous submissions of Botnets and we are working with authorities to shut them down. Thanks to all who have submitted info to us. If you have any info on Botnets, feel free to send it in.


Jason Lam, jason /AT/


ISC Handler
Oct 20th 2004
