Bugtraq mailing list archives
Re: Bypass Virus Checking
From: bsides () TOWERY COM (Brock Sides)
Date: Tue, 1 Feb 2000 14:46:13 -0600
NAV 4.0 running on NT successfully detects the EICAR test file even if it's residing in RECYCLED.

--
Brock Sides
Unix Systems Administration
Towery Publishing
bsides () towery com

On Sun, 30 Jan 2000, Neil Bortnak wrote:
1. Background
-------------

Under Win95/98 the Recycle Bin is a system designed to make it easy for users to "undelete" files. When a user deletes from the GUI, the file is not really deleted but moved to a folder named "RECYCLED" located at the root of that volume. If the folder does not exist, possibly because nothing has ever been deleted on that volume, the directory is created. The file is then renamed, and information about the file's original name and location is stored in an index file. When you look at the Recycle Bin through the GUI, Windows reads the index files from each volume and displays their contents. It does not display a raw directory listing. You cannot easily access a raw directory listing through the GUI. When you empty the Recycle Bin, Windows deletes all of the files in the RECYCLED directories that have a corresponding entry in one of the indexes. Therefore, a file stored in a RECYCLED directory via DOS or a program will not show up anywhere in the GUI and will not be deleted when you empty the Recycle Bin.
[snip]
4. Notes on NT
--------------

The exploit works great under NT. The anti-virus folk make the same exclusions with NT checkers, presumably to deal with dual boot systems. NT's default permissions allow this to work even when the machine is not dual boot and has NTFS on all drives because EVERYONE can create directories at the root. Just make a \RECYCLED directory and away you go.
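The check Brock describes (drop the EICAR test file into RECYCLED and see whether the resident scanner reacts) is easy to script. The following is an added example, not code from either post: it creates \RECYCLED at the volume root the way a program rather than the shell would, which on NT also exercises the "EVERYONE can create directories at the root" precondition, writes the public 68-byte EICAR test string into it, and polls the file to see whether the on-access scanner removed, altered, or ignored it. The file name "eicar.com" and the polling interval are arbitrary choices; the EICAR string itself is the standard published test file.

```python
"""Probe whether an on-access scanner looks inside \\RECYCLED.

Added example for the Bugtraq thread; not from the original posts. The
directory name follows the post (RECYCLED at the volume root); the file
name and timings are assumptions made for the test.
"""
import os
import sys
import tempfile
import time

# Standard EICAR anti-virus test file: scanners treat this 68-byte string
# as a detection, so it exercises the exclusion without real malware.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def eicar_bytes() -> bytes:
    return EICAR.encode("ascii")


def plant_test_file(root: str, subdir: str = "RECYCLED",
                    name: str = "eicar.com") -> str:
    """Create <root>/<subdir> (as a program would, bypassing the GUI) and
    write the test file into it. Raises PermissionError if the account may
    not create a directory at <root>, i.e. the NT precondition fails."""
    target_dir = os.path.join(root, subdir)
    os.makedirs(target_dir, exist_ok=True)
    path = os.path.join(target_dir, name)
    with open(path, "wb") as fh:
        fh.write(eicar_bytes())
    return path


def scanner_verdict(path: str, wait_seconds: float = 5.0) -> str:
    """Poll the planted file and report what the resident scanner did:
    'removed' - deleted or quarantined: the scanner does look in RECYCLED
    'altered' - still present but contents changed (cleaned/truncated)
    'intact'  - untouched after the wait: the exclusion bypass holds"""
    deadline = time.monotonic() + wait_seconds
    while True:
        try:
            with open(path, "rb") as fh:
                data = fh.read()
        except (FileNotFoundError, PermissionError):
            return "removed"          # quarantine usually removes or locks it
        if data != eicar_bytes():
            return "altered"
        if time.monotonic() >= deadline:
            return "intact"
        time.sleep(0.5)


def cleanup(path: str) -> None:
    """Remove the test file; ignore errors if the scanner already did."""
    try:
        os.remove(path)
    except OSError:
        pass


def main() -> int:
    if os.name == "nt":
        # Volume root of the current drive (e.g. C:\), so we test \RECYCLED.
        root = os.path.splitdrive(os.getcwd())[0] + os.sep
    else:
        # No Recycle Bin semantics off Windows; demonstrate the flow only.
        root = tempfile.mkdtemp()
    try:
        path = plant_test_file(root)
    except PermissionError:
        print(f"cannot create {os.path.join(root, 'RECYCLED')}: this account "
              "may not create directories at the root, so the precondition "
              "from the post does not hold here")
        return 2
    print(f"{path}: {scanner_verdict(path)}")
    cleanup(path)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it from a command prompt on the volume under test; "intact" means the scanner ignored RECYCLED (the behaviour Neil describes), "removed" or "altered" means it scanned it (the behaviour Brock saw with NAV 4.0). A PermissionError on directory creation means the root ACL has been tightened beyond the NT default the post relies on.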