MIME tricks beat email virus scanners
Simple encoding dodges slip malware past gateways.
A security researcher released a report last week claiming that some simple manipulation allowed him to get mails containing the EICAR test virus string past a variety of mail scanning products. Software from BitDefender, ClamAV, F-Prot and Kaspersky was reported to be vulnerable to the trick.

Stuttgart-based Hendrik Wiemer used Base64 encoding, including non-standard characters which should be ignored on decoding, to create a MIME document including the virus scanner test string. This was then passed through a small selection of mail scanners, of which only Alwil avast! and Barracuda's Spam Firewall were not fooled by the alteration of the file. F-Secure's Linux Gateway product reported it could not scan the mail, while the rest let it through without comment. Many email clients, including Microsoft Outlook, would correctly reassemble the EICAR string on receipt.
Further encoding produced even more failures to detect. It remains unclear whether the proof of concept would be viable with more complex, genuine malware.
A blog entry describing the test, including perl code to generate sample mails with complex encoding, is here. More information and mail-scanner test files are available from heise Security.
11 December 2006
Tags:
del.icio.us
digg this
ARF published as IETF standard
Abuse report format helps auto-handling of email complaints
02 September 2010
Microsoft releases new fix for DLL vulnerability
Earlier workaround believed to be too complex for most users.
01 September 2010
Malicious tweets link to fake TweetDeck update
Twitter resets passwords for accounts that appear to have been hacked.
01 September 2010
94% of Internet users befriend unknown 'good-looking woman'
Sensitiva data shared after two-hour chat. (1 comment)
31 August 2010
Investment boost for Quick Heal
Indian security firm gets hefty cash injection.
27 August 2010

Quick Links
![]() |
Poll
When do you install software updates?Leave a comment
View 12 comments

2 hours ago
6 hours ago
VB100 certification
With another epic haul of 54 products to test this month, the VB test team could
have done without the bad behaviour of a number of products: terrible product
design, lack of accountability for activities, blatant false alarms in major
software, numerous problems detecting the WildList set, and some horrendous
instability under pressure. Happily, there were also some good performances to
balance things out. John Hawes has the details.
See full results.
Virus Bulletin currently has 208,232 registered users.



