Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:15327
HistoryDec 08, 2006 - 12:00 a.m.

Multiple Vendor Unusual MIME Encoding Content Filter Bypass

2006-12-0800:00:00
vulners.com
18
JSON

Several e-mail virus scanners can be tricked into passing an EICAR
test file if the following conditions are met:

  1. the EICAR file is encoded in Base64 including characters not in the
    standard alphabet (e.g. whitespaces) and
  2. the part containing the EICAR file is nested within one or several
    levels of multipart/mixed content.

Details and PoC can be found at:
http://www.quantenblog.net/security/virus-scanner-bypass

Vulnerable products:

  • BitDefender Mail Protection for SMB 2.0
  • ClamAV 0.88.6
  • F-Prot Antivirus for Linux x86 Mail Servers 4.6.6
  • Kaspersky Anti-Virus for Linux Mail Server 5.5.10

Not recognizing the EICAR file, but aborting the scan:

  • F-Secure Anti-Virus for Linux Gateways 4.65

Not vulnerable:

  • avast! for Linux/Unix Servers 2.0.0
JSON