[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <hec2jwetmmek$.dlg@syneticon.de>
Date: Sat, 5 Aug 2006 10:35:25 +0200
From: Denis Jedig <seclists@...eticon.de>
To: bugtraq@...urityfocus.com
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: when will AV vendors fix this???
On Sat, 5 Aug 2006 13:05:56 +0545 Bipin Gautam wrote:
> if there is a directory/file a EVIL_USER is willing to hide from
> antivirus scanner all he has to do is fire up a command prompt & run
> the command;
>
> cacls.exe TORJANED_FILE_OR_DIRECTORY_NAME /T /C /P EVIL_USER:R
Too simple - access is really denied to every user except evil_user in this
case - even to Administrators *and* SYSTEM. The only way to read this file
without resetting the CALs would go through the backup API of Windows.
> SOLUTION:
> AV already running with administrative privilage if the system
> administrator is starting manual scan, so what does AV should do is
> excelate its (manual scan) OF THE ANTIVIRUS SCANNER ENGINE/DRIVER (not
> the GUI) privilage to SYSTEM
Won't help. They really would need to rewrite their products to use the
backup API for file reading. This may have other implications I am not
aware of.
> And one more thing, if during AV scan if a file can't be opened due to
> some processes LOCKING the file.... Instead of going through the
> regular file open process AV should instead directly read the SECTORS
> of the hdd
This might seem to be a bright idea at first, however, there are problems
with this approach. For one, the AV system would have to interpret the
filesystem on its own. Since NTFS is not documented and pretty complicated,
this is an error-prone task and I have no confidence AV vendors might be
able to master it correctly. Then, even if you are able to read sectors (a
non-trivial task under Windows as well), a file is usually not locked
without reason - it will likely undergo some changes even *during the scan*
so the results will be mostly useless. What you'd use instead is the Volume
Shadow Copy (aka Snapshot) feature as done with various backup
applications.
> am i clear??? Discussions, welcome!
Implementing your suggestions (or "my" variations thereof) would mean
putting a lot of effort into implementation of an intrinsically broken and
useless idea of "malware scanners as a security measure". I've already done
some posting to bugtraq and full-disclosure on this topic which I won't
like to repeat here - check the archives if you're interested.
--
Denis Jedig
syneticon networks GbR http://syneticon.net/service/
Powered by blists - more mailing lists