Message-ID: <016201c6b9a5$4f85f7c0$e8f9a501@pitgroup.local>
Date: Mon, 7 Aug 2006 00:11:46 +0200
From: "<...>" <massimo@...ndmedia.si>
To: <full-disclosure@...ts.grok.org.uk>, "Denis Jedig" <seclists@...eticon.de>
Cc: bugtraq@...urityfocus.com
Subject: Re: Re: when will AV vendors fix this???
Good idea indeed and, since NTFS drivers have been available for Linux for a long
time now, someone really willing to fix the issue could start there...
----- Original Message -----
From: "Denis Jedig" <seclists@...eticon.de>
To: <full-disclosure@...ts.grok.org.uk>
Cc: <bugtraq@...urityfocus.com>
Sent: Saturday, August 05, 2006 10:35 AM
Subject: [Full-disclosure] Re: when will AV vendors fix this???
> On Sat, 5 Aug 2006 13:05:56 +0545 Bipin Gautam wrote:
>
--- cut ---
>> And one more thing, if during an AV scan a file can't be opened due to
>> some processes LOCKING the file.... Instead of going through the
>> regular file open process AV should instead directly read the SECTORS
>> of the hdd
>
> This might seem to be a bright idea at first, however, there are problems
> with this approach. For one, the AV system would have to interpret the
> filesystem on its own. Since NTFS is not documented and pretty complicated,
> this is an error-prone task and I have no confidence AV vendors might be
> able to master it correctly. Then, even if you are able to read sectors (a
> non-trivial task under Windows as well), a file is usually not locked
> without reason - it will likely undergo some changes even *during the scan*
> so the results will be mostly useless. What you'd use instead is the Volume
> Shadow Copy (aka Snapshot) feature as done with various backup applications.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
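
The argument in the quoted reply above (a locked file changes during a raw-sector read, so the scan result is useless, while a snapshot gives a consistent view) can be shown with a toy model. This is an added example, not code from the thread; the `Volume` class, the 8-byte block size and the file contents are constructed for illustration and do not use any real NTFS or Volume Shadow Copy API.

```python
import hashlib

BLOCK = 8  # constructed, tiny "sector" size so the effect is easy to see


def to_blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


class Volume:
    """Hypothetical volume holding one file as a list of blocks."""

    def __init__(self, data):
        self.blocks = to_blocks(data)

    def write(self, data):
        # The process holding the lock rewrites its file.
        self.blocks = to_blocks(data)

    def snapshot(self):
        # Stand-in for a shadow copy: a frozen point-in-time view.
        return list(self.blocks)


def raw_scan(volume, writes):
    """Read the live volume block by block, bypassing the lock.
    `writes` maps a block index to contents written just before that read."""
    out = []
    for i in range(len(volume.blocks)):
        if i in writes:
            volume.write(writes[i])
        out.append(volume.blocks[i])
    return b"".join(out)


def snapshot_scan(volume, writes):
    """Freeze the volume first, then read; later writes do not affect the view."""
    frozen = volume.snapshot()
    for i in sorted(writes):
        volume.write(writes[i])
    return b"".join(frozen)


# Constructed sample contents: two consistent versions of the same file.
V1 = b"HEADER-A" + b"payload1" + b"TRAILERA"
V2 = b"HEADER-B" + b"payload2" + b"TRAILERB"


def demo():
    torn = raw_scan(Volume(V1), {1: V2})         # writer acts mid-scan
    frozen = snapshot_scan(Volume(V1), {1: V2})  # same writer, frozen view
    return torn, frozen


if __name__ == "__main__":
    for name, data in zip(("raw", "snapshot"), demo()):
        print(name, data, hashlib.sha256(data).hexdigest()[:16])
```

The raw read returns a mix of both versions, a byte sequence that never existed on disk, so neither a signature match nor a clean result on it says anything about the real file.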