How to get AVP not detecting viruses in OLE2 files:
--------------------------------------------------

Note: OLE2 files are used by the majority of Office applications or by
Windows itself (.SHS files). They start with 0xD0, 0xCF bytes.

I discovered this problem of AVP some time ago when i was disassembling
some routine of his code.

Procedure :
1.- Take a macro virus and check AVP is detecting it.
2.- Open the file with a hex-editor and go to 0x48 position.
3.- Look at the double word; it should be 0 if the file is not too big.
4.- Change it for other value very high (example: 0x99999999).
5.- Check the file with AVP again and you will see it doesn't detect anything.
6.- You can check that the virus is still active and Word will load the file
    without any kind of problems. :-)
    You also can check that all the other AVs detect it without problems.

Explanation:

OLE2 files are like an easy file system, organized into something similar as
a FAT. For big file it uses a double FAT; his size is at 0x48 position (if
it's 0 means is not being used) and in the position 0x44 is his initial
"sector".

AVP, before analyze a file, tries to check if it's corrupted. In this case
we are making believe him that the file is bigger compared with the real
size of the disk and AVP believes is truncated. That's why AVP doesn't
analyze it.

Why Word and all the other antiviruses are not having the same problem?
Because they don't try to access to that field and never will access due the
file is smaller they never need to access really to those so high positions
of the file.

Tcp/29A