Anti-Virus.Software.Magic.Byte.Detection.Evasion.MZ

Description

This indicates a possible exploit of a detection bypass vulnerability in multiple vendors' anti-virus products.
The affected products are prone to a weakness that may allow remote attackers to bypass virus scanning by sending a file of another type, such as BAT, HTML, or EML, that begins with the "MZ" magic byte sequence normally associated with EXE files. The scanner then treats the file as a safe type, although applications on the end system could still execute it as a dangerous file type.
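A defensive check for the mismatch described above, as an added example (not Fortinet's signature logic or any vendor's code): it flags files whose leading "MZ" bytes disagree with their extension or are not followed by a real PE layout, so a scanner does not pick its handling from the magic bytes alone. The function names, the extension set and the sample bytes are assumptions constructed for illustration.

```python
import os
import struct

# Non-EXE types the advisory names as carriers of an "MZ" prefix (assumed set).
SCRIPT_LIKE_EXTS = {".bat", ".html", ".eml"}


def has_valid_pe_layout(data: bytes) -> bool:
    """True only if the MZ header's e_lfanew field points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    # e_lfanew: little-endian offset of the PE header, stored at 0x3C in the DOS header.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def triage(filename: str, data: bytes) -> dict:
    """Report whether the magic bytes, the extension and the structure agree."""
    ext = os.path.splitext(filename)[1].lower()
    starts_mz = data[:2] == b"MZ"
    valid_pe = has_valid_pe_layout(data)
    return {
        "starts_mz": starts_mz,
        "valid_pe": valid_pe,
        # Mismatch: MZ prefix on a script/markup/mail extension, or MZ with no PE behind it.
        # Such files should be scanned as every type the end system may treat them as.
        "mismatch": starts_mz and (ext in SCRIPT_LIKE_EXTS or not valid_pe),
    }


# Constructed samples (not real malware or real executables).
HTML_WITH_MZ = b"MZ<html><body>constructed sample</body></html>"
MINIMAL_PE = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40) + b"PE\0\0"

if __name__ == "__main__":
    for name, blob in [("sample.html", HTML_WITH_MZ), ("tool.exe", MINIMAL_PE)]:
        print(name, triage(name, blob))
```

A file that starts with "MZ" but has no PE signature can still be a legacy DOS executable, so a mismatch here is a reason to scan the file under all candidate types, not a verdict.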

Affected Products

Ukrainian National Antivirus UNA
Trend Micro PC-cillin 2005
Trend Micro OfficeScan Corporate Edition 7.0
TheHacker TheHacker Antivirus 5.8.4 .128
Sophos Anti-Virus 3.91
Panda Titanium
Norman Virus Control 5.81
McAfee VirusScan Enterprise 8.0
McAfee Internet Security Suite 7.1.5
Kaspersky Labs Anti-Virus 5.0.372
Ikarus Ikarus 2.32
Frisk Software F-Prot Antivirus 3.16 c
Fortinet Antivirus 2.48 .0.0
eTrust eTrust CA 7.0.14
Dr.Web Dr.Web 4.32 b
Cat Computer Services Quick Heal Antivirus 8.0
AVG AVG Anti-Virus 7.0.323
ArcaBit ArcaVir 2005.0

Impact

unauthorized access

Recommended Actions

Apply the anti-virus product update when it becomes available.

Coverage

IPS (Regular DB)
IPS (Extended DB)

Version Updates

Date Version Detail
2020-12-11 16.978
