J-Security Center

Title: Multiple Vendor Anti-Virus Magic Byte Detection Evasion Vulnerability

Severity: HIGH

Description:

Anti-virus products from multiple vendors are prone to a detection evasion vulnerability. The issue stems from a failure of the affected scanning engines to properly scan files that carry a forged header.

The problem lies in how the scanning engine determines the type of the file it is scanning. By placing the magic bytes of another file format at the start of a file, an attacker can trick the anti-virus software into classifying a malicious file as a different type, possibly evading further scanning, or evading certain types of scanning.

An attacker can exploit this vulnerability to pass malicious files past the anti-virus software. This results in a false sense of security and could ultimately lead to the execution of arbitrary code on the victim user's machine.
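The following toy scanner illustrates the class of weakness described above. It is an added example written for this page, not code from Juniper or from any of the listed vendors, and it makes no claim about how any specific product is implemented. The signature patterns, the sample "malicious" script, the MZ/PE stub builder and the function names are all constructed for illustration; the script sample is harmless text. The naive scanner trusts the leading magic bytes to pick which signature set to run, so a script file with a forged "MZ" prefix is scanned only as an executable and slips through. The hardened scanner validates the structure the magic bytes claim (for MZ, that e_lfanew at offset 0x3c points at a "PE\0\0" signature) and never lets the sniffed type switch off the script scan, since script interpreters such as the Windows batch processor tolerate a leading unrecognised line.

```python
"""Magic-byte type detection evasion, as an added example (not the page's or
any vendor's code). All signatures, samples and helper names are constructed."""
import struct

# Constructed, harmless "signatures". A real engine has thousands; the point
# here is only which set gets applied to a given file.
SCRIPT_SIGNATURES = [b"eval(unescape(", b"WScript.Shell"]
EXE_SIGNATURES = [b"\x55\x8b\xec\x83\xc4\xf0\xeb\xfe"]  # constructed byte pattern

# Leading magic bytes -> assumed file type (prefix match at offset 0 only).
MAGIC = [
    (b"MZ", "exe"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),
]


def sniff_type(data: bytes) -> str:
    """Naive detection: believe whatever magic bytes start the file."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "script"  # anything else is treated as plain text / script


def is_valid_pe(data: bytes) -> bool:
    """Structural check: an MZ header is only honoured if e_lfanew (the
    4-byte little-endian offset at 0x3c) points at 'PE\\0\\0' inside the file."""
    if len(data) < 0x40 or not data.startswith(b"MZ"):
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def naive_scan(data: bytes) -> bool:
    """Vulnerable behaviour: the sniffed type selects ONE signature set,
    so forged magic bytes deselect the scan that would have matched."""
    kind = sniff_type(data)
    if kind == "exe":
        sigs = EXE_SIGNATURES
    elif kind == "script":
        sigs = SCRIPT_SIGNATURES
    else:
        sigs = []  # images, PDFs, archives get no content signatures here
    return any(s in data for s in sigs)


def hardened_scan(data: bytes) -> bool:
    """Hardened behaviour: a claimed type is trusted only if its structure
    checks out, and script signatures are always applied because script
    hosts ignore leading garbage such as a bare 'MZ' line."""
    kind = sniff_type(data)
    if kind == "exe" and not is_valid_pe(data):
        kind = "unknown"  # forged header: do not trust it
    sigs = list(SCRIPT_SIGNATURES)
    if kind in ("exe", "unknown"):
        sigs += EXE_SIGNATURES
    return any(s in data for s in sigs)


def build_pe_stub(payload: bytes) -> bytes:
    """Constructed minimal MZ/PE-shaped blob: 64-byte DOS header whose
    e_lfanew points at a 'PE\\0\\0' signature at offset 0x40."""
    header = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\x00\x00" + payload


# Constructed samples (harmless text standing in for a malicious script).
MALICIOUS_SCRIPT = (
    b'Set sh = CreateObject("WScript.Shell")\r\n'
    b'sh.Run "notepad.exe"\r\n'
)
# Same script with a forged "MZ" line in front: the naive scanner now thinks
# it is an executable and never applies the script signatures.
FORGED = b"MZ\r\n" + MALICIOUS_SCRIPT


if __name__ == "__main__":
    for label, sample in [("plain script", MALICIOUS_SCRIPT), ("forged MZ", FORGED),
                          ("real PE stub", build_pe_stub(EXE_SIGNATURES[0]))]:
        print(f"{label:13s} naive={naive_scan(sample)!s:5s} hardened={hardened_scan(sample)}")
```

The design point is that the sniffed type may narrow which parsers run for performance, but it must never be the sole gate that removes a scan: validate the structure the header claims, and fall back to scanning as every plausible type when that validation fails.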

Affected Products:

  • AVG AVG Anti-Virus 7.0.323
  • ArcaBit ArcaVir 2005.0.0
  • Cat Computer Services Quick Heal Antivirus 8.0.0
  • Dr.Web Dr.Web 4.32.0b
  • Fortinet Antivirus 2.48.0.0.0
  • Frisk Software F-Prot Antivirus 3.16.0 c
  • Ikarus Ikarus 2.32.0
  • Kaspersky Labs Anti-Virus 5.0.372
  • McAfee Internet Security Suite 7.1.5
  • McAfee VirusScan Enterprise 8.0.0
  • Norman Virus Control 5.81.0
  • Panda Titanium 0.0.0
  • Sophos Anti-Virus 3.91.0
  • TheHacker TheHacker Antivirus 5.8.4.128
  • Trend Micro OfficeScan Corporate Edition 7.0.0
  • Trend Micro PC-cillin 2005
  • Ukrainian National Antivirus UNA 0.0.0
  • eTrust eTrust CA 7.0.14

References:

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.