| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: visitbipin at yahoo.com (bipin gautam) Subject: All Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bugs. [Part IV] --- 3APA3A <3APA3A@...URITY.NNOV.RU> wrote: > Dear bipin gautam, > > Your statements about "all antivirus" and "design > fault" are wrong, it's > strongly depend on the way manual scanning is > implemented in specific > product. > > 1. many antiviral products implement their own > kernel driver to access > scanned file. For this case permissions have no > impact for scanning. > hello 3APA3A, Ok ya... i already mentioned the fact, If the scanner is unable to drop the privilege and run under the security content of "dumb_user" the malicious code goes undetected. Correct me if i am wrong, but.... mostly (full-)system "manual scan" is executed as a administrative job......... and i've already mentioned the fact, its MORE* a NTFS file permission problem. http://www.geocities.com/visitbipin/all.html IF A FILE PERMISSION IS SET IN A WAY... only THE OWNER OF THE FILE HAS ACCESS TO THAT FILE, Even softwares running with ADMINISTRATIVE or SYSTEM privilage don't have access to the file, normally!!!!!!!!! Really strange, cauz root should have atlest read access to any file in the system regardless of the permission. Atlest, most trojan, spyware scanner gets executed as a admin. or system process. Regarding your statement, >antiviral products implement their own > kernel driver to access > scanned file. I tested on norton av 2003 and few spyware product "the cleaner" "Ad-aware" and by this way....... a trojan bypassed the protection. Guys, please confirm this issue then.... i ain't in a research lab, just using my home PC. i'll test the issue with mcafee and be back with the results > You still can bypass antiviral protection for > manual scans with file > encryption (on-access scanners may impersonate > accessing user). This > time file can only be scanned by administrator > if administrator is > recovery agent. > wow, i didn't thought of this..... bipin _______________________________ Do you Yahoo!? Declare Yourself - Register online to vote today! http://vote.yahoo.com
Powered by blists - more mailing lists