Carsten Willems

**Name of the Vulnerable Software and Affected Versions** Quick Heal versions 11.00 Command Antivirus version 5.2.11.5 F-Prot Antivirus version 4.6.2.117 Fortinet Antivirus version 4.2.254.0 K7 AntiVirus version 9.77.3565 Kaspersky Anti-Virus version 7.0.0.125 Microsoft Security Essentials version 2.0 NOD32 Antivirus version 5795 Norman Antivirus version 6.06.12 Panda Antivirus version 10.0.2.7 Rising Antivirus version 22.83.00.03 **Description** The issue allows remote attackers to bypass malware detection via a POSIX TAR file with an initial 7fELF character sequence. This affects the TAR file parser in various antivirus software products. **Recommendations** For Quick Heal version 11.00, update the TAR file parser to correctly handle POSIX TAR files. For Command Antivirus version 5.2.11.5, modify the malware detection mechanism to account for the 7fELF character sequence. For F-Prot Antivirus version 4.6.2.117, improve the TAR file parsing to prevent bypassing of malware detection. For Fortinet Antivirus version 4.2.254.0, enhance the antivirus engine to detect malware within POSIX TAR files. For K7 AntiVirus version 9.77.3565, update the antivirus software to properly handle the 7fELF character sequence. For Kaspersky Anti-Virus version 7.0.0.125, patch the TAR file parser to prevent malware detection bypass. For Microsoft Security Essentials version 2.0, update the Antimalware Engine to correctly parse POSIX TAR files. For NOD32 Antivirus version 5795, modify the antivirus software to detect malware in POSIX TAR files. For Norman Antivirus version 6.06.12, improve the TAR file parsing mechanism to prevent bypassing of malware detection. For Panda Antivirus version 10.0.2.7, update the antivirus engine to handle the 7fELF character sequence. For Rising Antivirus version 22.83.00.03, enhance the malware detection mechanism to account for POSIX TAR files.

**Name of the Vulnerable Software and Affected Versions** Quick Heal versions 11.00 Command Antivirus version 5.2.11.5 F-Prot Antivirus version 4.6.2.117 K7 AntiVirus version 9.77.3565 Norman Antivirus version 6.06.12 Rising Antivirus version 22.83.00.03 **Description** The issue allows remote attackers to bypass malware detection via a POSIX TAR file with an initial x42x5Ax68 character sequence. **Recommendations** For Quick Heal version 11.00, update to a version that fixes the TAR file parser issue. For Command Antivirus version 5.2.11.5, update to a version that fixes the TAR file parser issue. For F-Prot Antivirus version 4.6.2.117, update to a version that fixes the TAR file parser issue. For K7 AntiVirus version 9.77.3565, update to a version that fixes the TAR file parser issue. For Norman Antivirus version 6.06.12, update to a version that fixes the TAR file parser issue. For Rising Antivirus version 22.83.00.03, update to a version that fixes the TAR file parser issue.

**Name of the Vulnerable Software and Affected Versions** Quick Heal versions 11.00 Norman Antivirus version 6.06.12 Sophos Anti-Virus version 4.61.0 **Description** The issue allows remote attackers to bypass malware detection. This is achieved through a POSIX TAR file containing a specific character sequence (`57696E5A6970`) at a certain location in the file. **Recommendations** For Quick Heal version 11.00, update to a version that addresses this issue. For Norman Antivirus version 6.06.12, update to a version that addresses this issue. For Sophos Anti-Virus version 4.61.0, update to a version that addresses this issue.

**Name of the Vulnerable Software and Affected Versions** Bitdefender version 7.2 Comodo Antivirus version 7424 Emsisoft Anti-Malware version 5.1.0.1 eSafe version 7.0.17.0 F-Secure Anti-Virus version 9.0.16160.0 Ikarus Virus Utilities T3 Command Line Scanner version 1.1.97.0 McAfee Anti-Virus Scanning Engine version 5.400.0.1158 McAfee Gateway (formerly Webwasher) version 2010.1C nProtect Anti-Virus version 2011-01-17.01 **Description** The ELF file parser in the affected software allows remote attackers to bypass malware detection via an ELF file with a ustar character sequence at a certain location. **Recommendations** For Bitdefender version 7.2, update to a version that fixes the ELF file parser issue. For Comodo Antivirus version 7424, update to a version that fixes the ELF file parser issue. For Emsisoft Anti-Malware version 5.1.0.1, update to a version that fixes the ELF file parser issue. For eSafe version 7.0.17.0, update to a version that fixes the ELF file parser issue. For F-Secure Anti-Virus version 9.0.16160.0, update to a version that fixes the ELF file parser issue. For Ikarus Virus Utilities T3 Command Line Scanner version 1.1.97.0, update to a version that fixes the ELF file parser issue. For McAfee Anti-Virus Scanning Engine version 5.400.0.1158, update to a version that fixes the ELF file parser issue. For McAfee Gateway (formerly Webwasher) version 2010.1C, update to a version that fixes the ELF file parser issue. For nProtect Anti-Virus version 2011-01-17.01, update to a version that fixes the ELF file parser issue.

**Name of the Vulnerable Software and Affected Versions** AhnLab V3 Internet Security version 2011.01.18.00 Emsisoft Anti-Malware version 5.1.0.1 eSafe version 7.0.17.0 Ikarus Virus Utilities T3 Command Line Scanner version 1.1.97.0 Panda Antivirus version 10.0.2.7 **Description** The Microsoft EXE file parser in various security products allows remote attackers to bypass malware detection via an EXE file with a specific character sequence at a certain location. **Recommendations** For AhnLab V3 Internet Security version 2011.01.18.00, update to a newer version that addresses the EXE file parser issue. For Emsisoft Anti-Malware version 5.1.0.1, update to a newer version that addresses the EXE file parser issue. For eSafe version 7.0.17.0, update to a newer version that addresses the EXE file parser issue. For Ikarus Virus Utilities T3 Command Line Scanner version 1.1.97.0, update to a newer version that addresses the EXE file parser issue. For Panda Antivirus version 10.0.2.7, update to a newer version that addresses the EXE file parser issue.

**Name of the Vulnerable Software and Affected Versions** Comodo Antivirus version 7425 **Description** The issue concerns a bypass of malware detection in the Microsoft Office file parser. It can be exploited by remote attackers using a specifically crafted Office file that contains a `x50x4Bx53x70x58` character sequence at a certain location. **Recommendations** For Comodo Antivirus version 7425, consider updating to a newer version that addresses this issue, as no specific workaround is provided for this version.

**Name of the Vulnerable Software and Affected Versions** Comodo Antivirus version 7425 Sophos Anti-Virus version 4.61.0 **Description** The issue allows remote attackers to bypass malware detection in the Microsoft Office file parser. This is achieved by using an Office file with a ustar character sequence at a specific location. **Recommendations** For Comodo Antivirus version 7425, update the Microsoft Office file parser to prevent bypassing of malware detection. For Sophos Anti-Virus version 4.61.0, update the Microsoft Office file parser to prevent bypassing of malware detection.

**Name of the Vulnerable Software and Affected Versions** Emsisoft Anti-Malware version 5.1.0.1 Ikarus Virus Utilities T3 Command Line Scanner version 1.1.97.0 Quick Heal version 11.00 **Description** The issue allows remote attackers to bypass malware detection. This is achieved via a CAB file with a modified `reserved1` field. **Recommendations** For Emsisoft Anti-Malware version 5.1.0.1, consider updating to a newer version that addresses the CAB file parser issue. For Ikarus Virus Utilities T3 Command Line Scanner version 1.1.97.0, consider updating to a newer version that addresses the CAB file parser issue. For Quick Heal version 11.00, consider updating to a newer version that addresses the CAB file parser issue.

**Name of the Vulnerable Software and Affected Versions** Antiy Labs AVL SDK version 2.0.3.7 Quick Heal version 11.00 Command Antivirus version 5.2.11.5 eSafe version 7.0.17.0 F-Prot Antivirus version 4.6.2.117 Jiangmin Antivirus version 13.0.900 K7 AntiVirus version 9.77.3565 VBA32 version 3.12.14.2 **Description** The issue allows remote attackers to bypass malware detection by using a .tar.gz file with stray bytes at the end. This is related to the Gzip file parser in the affected software. **Recommendations** For Antiy Labs AVL SDK version 2.0.3.7, update to a version that fixes the Gzip file parser issue. For Quick Heal version 11.00, update to a version that fixes the Gzip file parser issue. For Command Antivirus version 5.2.11.5, update to a version that fixes the Gzip file parser issue. For eSafe version 7.0.17.0, update to a version that fixes the Gzip file parser issue. For F-Prot Antivirus version 4.6.2.117, update to a version that fixes the Gzip file parser issue. For Jiangmin Antivirus version 13.0.900, update to a version that fixes the Gzip file parser issue. For K7 AntiVirus version 9.77.3565, update to a version that fixes the Gzip file parser issue. For VBA32 version 3.12.14.2, update to a version that fixes the Gzip file parser issue.

**Name of the Vulnerable Software and Affected Versions** AVG Anti-Virus version 10.0.0.1190 Bitdefender version 7.2 Command Antivirus version 5.2.11.5 Emsisoft Anti-Malware version 5.1.0.1 F-Secure Anti-Virus version 9.0.16160.0 Fortinet Antivirus version 4.2.254.0 Ikarus Virus Utilities T3 Command Line Scanner version 1.1.97.0 Jiangmin Antivirus version 13.0.900 K7 AntiVirus version 9.77.3565 Kaspersky Anti-Virus version 7.0.0.125 McAfee Anti-Virus Scanning Engine version 5.400.0.1158 McAfee Gateway version 2010.1C NOD32 Antivirus version 5795 Norman Antivirus version 6.06.12 Rising Antivirus version 22.83.00.03 Sophos Anti-Virus version 4.61.0 Symantec Endpoint Protection 11 with AVEngine version 20101.3.0.103 Trend Micro AntiVirus version 9.120.0.1004 Trend Micro HouseCall version 9.120.0.1004 VBA32 version 3.12.14.2 **Description** The Gzip file parser in the listed antivirus software allows remote attackers to bypass malware detection via a .tar.gz file with multiple compressed streams. **Recommendations** For AVG Anti-Virus version 10.0.0.1190, update to a newer version that contains a fix for this issue. For Bitdefender version 7.2, update to a newer version that contains a fix for this issue. For Command Antivirus version 5.2.11.5, update to a newer version that contains a fix for this issue. For Emsisoft Anti-Malware version 5.1.0.1, update to a newer version that contains a fix for this issue. For F-Secure Anti-Virus version 9.0.16160.0, update to a newer version that contains a fix for this issue. For Fortinet Antivirus version 4.2.254.0, update to a newer version that contains a fix for this issue. For Ikarus Virus Utilities T3 Command Line Scanner version 1.1.97.0, update to a newer version that contains a fix for this issue. For Jiangmin Antivirus version 13.0.900, update to a newer version that contains a fix for this issue. For K7 AntiVirus version 9.77.3565, update to a newer version that contains a fix for this issue. For Kaspersky Anti-Virus version 7.0.0.125, update to a newer version that contains a fix for this issue. For McAfee Anti-Virus Scanning Engine version 5.400.0.1158, update to a newer version that contains a fix for this issue. For McAfee Gateway version 2010.1C, update to a newer version that contains a fix for this issue. For NOD32 Antivirus version 5795, update to a newer version that contains a fix for this issue. For Norman Antivirus version 6.06.12, update to a newer version that contains a fix for this issue. For Rising Antivirus version 22.83.00.03, update to a newer version that contains a fix for this issue. For Sophos Anti-Virus version 4.61.0, update to a newer version that contains a fix for this issue. For Symantec Endpoint Protection 11 with AVEngine version 20101.3.0.103, update to a newer version that contains a fix for this issue. For Trend Micro AntiVirus version 9.120.0.1004, update to a newer version that contains a fix for this issue. For Trend Micro HouseCall version 9.120.0.1004, update to a newer version that contains a fix for this issue. For VBA32 version 3.12.14.2, update to a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** AhnLab V3 Internet Security version 2011.01.18.00 AVG Anti-Virus version 10.0.0.1190 Quick Heal version 11.00 Emsisoft Anti-Malware version 5.1.0.1 eSafe version 7.0.17.0 Fortinet Antivirus version 4.2.254.0 Ikarus Virus Utilities T3 Command Line Scanner version 1.1.97.0 Jiangmin Antivirus version 13.0.900 Kaspersky Anti-Virus version 7.0.0.125 Norman Antivirus version 6.06.12 Sophos Anti-Virus version 4.61.0 Symantec Endpoint Protection 11 with AVEngine version 20101.3.0.103 **Description** The issue allows remote attackers to bypass malware detection via a ZIP file containing an invalid block of data at the beginning. This is related to the ZIP file parser in the affected software. **Recommendations** For AhnLab V3 Internet Security version 2011.01.18.00, update to a newer version that fixes the ZIP file parser issue. For AVG Anti-Virus version 10.0.0.1190, update to a newer version that fixes the ZIP file parser issue. For Quick Heal version 11.00, update to a newer version that fixes the ZIP file parser issue. For Emsisoft Anti-Malware version 5.1.0.1, update to a newer version that fixes the ZIP file parser issue. For eSafe version 7.0.17.0, update to a newer version that fixes the ZIP file parser issue. For Fortinet Antivirus version 4.2.254.0, update to a newer version that fixes the ZIP file parser issue. For Ikarus Virus Utilities T3 Command Line Scanner version 1.1.97.0, update to a newer version that fixes the ZIP file parser issue. For Jiangmin Antivirus version 13.0.900, update to a newer version that fixes the ZIP file parser issue. For Kaspersky Anti-Virus version 7.0.0.125, update to a newer version that fixes the ZIP file parser issue. For Norman Antivirus version 6.06.12, update to a newer version that fixes the ZIP file parser issue. For Sophos Anti-Virus version 4.61.0, update to a newer version that fixes the ZIP file parser issue. For Symantec Endpoint Protection 11 with AVEngine version 20101.3.0.103, update to a newer version that fixes the ZIP file parser issue.

**Name of the Vulnerable Software and Affected Versions** AhnLab V3 Internet Security version 2011.01.18.00 Bitdefender version 7.2 Quick Heal version 11.00 Command Antivirus version 5.2.11.5 Comodo Antivirus version 7424 eSafe version 7.0.17.0 F-Prot Antivirus version 4.6.2.117 F-Secure Anti-Virus version 9.0.16160.0 McAfee Anti-Virus Scanning Engine version 5.400.0.1158 Norman Antivirus version 6.06.12 nProtect Anti-Virus version 2011-01-17.01 Panda Antivirus version 10.0.2.7 **Description** The ELF file parser in the affected software allows remote attackers to bypass malware detection via an ELF file with a modified endianness field. **Recommendations** For AhnLab V3 Internet Security version 2011.01.18.00, update to a newer version that fixes the ELF file parser issue. For Bitdefender version 7.2, update to a newer version that fixes the ELF file parser issue. For Quick Heal version 11.00, update to a newer version that fixes the ELF file parser issue. For Command Antivirus version 5.2.11.5, update to a newer version that fixes the ELF file parser issue. For Comodo Antivirus version 7424, update to a newer version that fixes the ELF file parser issue. For eSafe version 7.0.17.0, update to a newer version that fixes the ELF file parser issue. For F-Prot Antivirus version 4.6.2.117, update to a newer version that fixes the ELF file parser issue. For F-Secure Anti-Virus version 9.0.16160.0, update to a newer version that fixes the ELF file parser issue. For McAfee Anti-Virus Scanning Engine version 5.400.0.1158, update to a newer version that fixes the ELF file parser issue. For Norman Antivirus version 6.06.12, update to a newer version that fixes the ELF file parser issue. For nProtect Anti-Virus version 2011-01-17.01, update to a newer version that fixes the ELF file parser issue. For Panda Antivirus version 10.0.2.7, update to a newer version that fixes the ELF file parser issue.