lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20041002130224.68775.qmail@web20227.mail.yahoo.com>
From: visitbipin at yahoo.com (bipin gautam)
Subject: All Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bugs. [Part IV]

--- 3APA3A <3APA3A@...URITY.NNOV.RU> wrote:

> Dear bipin gautam,
> 
> Your statements about "all antivirus" and "design
> fault" are wrong, it's
> strongly  depend  on  the way manual scanning is
> implemented in specific
> product.
> 
> 1.  many  antiviral products implement their own
> kernel driver to access
> scanned file. For this case permissions have no
> impact for scanning.
> 

hello 3APA3A,

Ok ya... i already mentioned the fact,  If the scanner
is unable to drop the privilege and run under the
security content of "dumb_user" the malicious code
goes undetected. Correct me if i am wrong, but....
mostly (full-)system "manual scan" is executed as a
administrative job......... and i've already mentioned
the fact, its MORE* a NTFS file permission problem.

http://www.geocities.com/visitbipin/all.html

IF A FILE PERMISSION IS SET IN A WAY... only THE OWNER
OF THE FILE HAS ACCESS TO THAT FILE, Even softwares
running with ADMINISTRATIVE or SYSTEM privilage don't
have access to the file, normally!!!!!!!!! Really
strange, cauz root should have atlest read access to
any file in the system regardless of the permission.

Atlest, most trojan, spyware scanner gets executed as
a admin. or system process. Regarding your statement, 

>antiviral products implement their own
> kernel driver to access
> scanned file.

I tested on norton av 2003 and few spyware product
"the cleaner" "Ad-aware" and by this way....... a
trojan bypassed the protection.

Guys, please confirm this issue then.... i ain't in a
research lab, just using my home PC. i'll test the
issue with mcafee and be back with the results

> You  still  can  bypass  antiviral protection for
> manual scans with file
> encryption  (on-access  scanners  may  impersonate
> accessing user). This
> time  file  can  only  be  scanned  by administrator
> if administrator is
> recovery agent.
> 

wow, i didn't thought of this.....

bipin


		
_______________________________
Do you Yahoo!?
Declare Yourself - Register online to vote today!
http://vote.yahoo.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ