| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 7 Aug 2006 20:20:03 +0200 From: "Thomas D." <whistl0r@...glemail.com> To: "'Bipin Gautam'" <gautam.bipin@...il.com>, <full-disclosure@...ts.grok.org.uk>, <bugtraq@...urityfocus.com> Subject: RE: when will AV vendors fix this??? > -----Original Message----- > From: Bipin Gautam > Sent: Saturday, August 05, 2006 9:21 AM > Subject: when will AV vendors fix this??? > > to keep things simple, let me give you a situation; > > if there is a directory/file a EVIL_USER is willing to hide from > antivirus scanner all he has to do is fire up a command prompt & run > the command; > > cacls.exe TORJANED_FILE_OR_DIRECTORY_NAME /T /C /P EVIL_USER:R > > > next time EVEN when the administrator starts the antivirus "system > scan" the TORJANED_FILE_OR_DIRECTORY_NAME will be effectively > bypassed as the ownership of the directory is just of the user account > named; EVIL_USER and the antivirus "manual scan" is running just with > the privilage of ADMINISTRATOR> > > by this way a malicious executable can remain hidden in the system > BYPASSING THE SCAN even when the AV scanner is run by administrator!!! But I cannot execute this file, becaus I have no access. If I get access, the anti-virus program will also get access... So I might be able hide something, but I can't do anything. Also, to hide something, I have to bypass the autoprotection... You shouldn't be able to do this... -- Whistl0r
Powered by blists - more mailing lists