[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <44D785D0.9030603@c2i.net>
Date: Mon, 07 Aug 2006 20:26:24 +0200
From: Marius Huse Jacobsen <mahuja@....net>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: when will AV vendors fix this???
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160
Bipin Gautam wrote:
> cacls.exe TORJANED_FILE_OR_DIRECTORY_NAME /T /C /P EVIL_USER:R
>
> by this way a malicious executable can remain hidden in the system
> BYPASSING THE SCAN even when the AV scanner is run by administrator!!!
>
> BUT there isn't a compulsion that there should be a user with a
> malicious intension to get this condition & bypass the scan.
>
> there is another DUMB equivalent of the above cacls.exe command;
> Right click a folder, Properties > Sharing Tab >> Check on the tick
> mark of >> Make this Folder Private
In pro editions, we can edit the full ACL that cacls.exe changes from
the gui from the security tab.
> by doing so a user might me thinking he is making a folder
> not_accessable_to_any_other_system_user BUT by doing so... the
> directory gets effectively sciped by a AV scannner vulnerable to this
> trick.
The problem is that the virus scanner runs as a user, and has the same
restrictions on what the user can read as the user himself.
> SOLUTION:
> AV already running with administrative privilage if the system
> administrator is starting manual scan, so what does AV should do is
> excelate its (manual scan) OF THE ANTIVIRUS SCANNER ENGINE/DRIVER (not
> the GUI) privilage to SYSTEM before starting the scan which will
> effectively bypass file permission & be able to scan the locked file
> with any file permission in Windows!
You could do this by adding the administrator (or some dedicated AV
user?) to the backup operators group. Much less privelege given to those
programs that are already far too trusted.
> And one more thing, if during AV scan if a file can't be opened due to
> some processes LOCKING the file.... Instead of going through the
> regular file open process AV should instead directly read the SECTORS
> of the hdd holding the locked file and examine if there is sething
> malicious (which still some AV don't do & instead just report the
> file(s) as locked!)
I agree that something should be tried, the problem is just this: files
get locked for a reason. They could potentially get changed in mid-scan.
Nothing a well written scanner can't handle, I would think.
By the way, does any AV scanners have a clue about Alternate Data
Streams yet?
MaHuJa
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (MingW32)
iD8DBQFE14XQl9nYJJam7WsRA8bOAKCej45iLMo4Idzs2e7ydMekBcnzEQCfYYK1
j9Y/PvLvtQCVDVq7B3PeyWM=
=FHmH
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists