As part of a security analysis performed by Comsec, our security experts have identified a security flaw enabling the Evasion/Bypass of the scanning engine of PrivaWall Antivirus using Office XML formats.
As part of Comsec’s commitment for improving the security level and support the security community worldwide, the issue was responsibly disclosed to the vendor, waiting until patch release before disclosing it publicly.
The Proof-of-Concept was done by sending several files, containing both EICAR, and a ‘real’ arbitrary EXE file embedded (OLE) in a WordML document. Additionally, the icon that provide the user an indication of the format is encoded in .emz and can be modified to seem harmless instead of the default executable icon that is normally accompanied with a large warning sign by default.
Full vulnerability details can be found at – https://www.securityfocus.com/archive/1/521948/30/0/threaded.
