Bugtraq mailing list archives
Re: when will AV vendors fix this???
From: Denis Jedig <seclists () syneticon de>
Date: Sat, 5 Aug 2006 10:35:25 +0200
On Sat, 5 Aug 2006 13:05:56 +0545 Bipin Gautam wrote:
> if there is a directory/file an EVIL_USER is willing to hide from antivirus scanner all he has to do is fire up a command prompt & run the command; cacls.exe TROJANED_FILE_OR_DIRECTORY_NAME /T /C /P EVIL_USER:R

Too simple - access is really denied to every user except evil_user in this case - even to Administrators *and* SYSTEM. The only way to read this file without resetting the ACLs would go through the backup API of Windows.

> SOLUTION: AV is already running with administrative privilege if the system administrator is starting a manual scan, so what the AV should do is escalate its (manual scan) OF THE ANTIVIRUS SCANNER ENGINE/DRIVER (not the GUI) privilege to SYSTEM
Won't help. They really would need to rewrite their products to use the backup API for file reading. This may have other implications I am not aware of.
> And one more thing, if during an AV scan a file can't be opened due to some processes LOCKING the file.... Instead of going through the regular file open process AV should instead directly read the SECTORS of the hdd
This might seem to be a bright idea at first, however, there are problems with this approach. For one, the AV system would have to interpret the filesystem on its own. Since NTFS is not documented and pretty complicated, this is an error-prone task and I have no confidence AV vendors might be able to master it correctly. Then, even if you are able to read sectors (a non-trivial task under Windows as well), a file is usually not locked without reason - it will likely undergo some changes even *during the scan* so the results will be mostly useless. What you'd use instead is the Volume Shadow Copy (aka Snapshot) feature as done with various backup applications.
> am i clear??? Discussions, welcome!

Implementing your suggestions (or "my" variations thereof) would mean putting a lot of effort into implementation of an intrinsically broken and useless idea of "malware scanners as a security measure". I've already done some posting to bugtraq and full-disclosure on this topic which I won't like to repeat here - check the archives if you're interested.

--
Denis Jedig
syneticon networks GbR
http://syneticon.net/service/
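A defender's check for the condition discussed in this exchange: a replacement DACL that leaves BUILTIN\Administrators and NT AUTHORITY\SYSTEM without read access, so that a scanner running as either account cannot open the object. This is an added PowerShell example, not code from the original thread or from any AV vendor; it assumes an elevated session, and the path C:\Data is a placeholder.

```powershell
# Walk a directory tree and report items whose DACL grants no Allow/Read
# to Administrators or SYSTEM, or whose DACL an administrator cannot even
# read (only the owner, or a reader holding SeBackupPrivilege, could open it).
function Find-AdminUnreadableItems {
    param(
        [Parameter(Mandatory)][string]$Path
    )
    $required = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    $readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData
    $findings = @()
    # -Force includes hidden items; listing is governed by the parent folder,
    # so an item with a replaced DACL still shows up here.
    $items = Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue
    foreach ($item in $items) {
        try {
            $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
        } catch {
            # An administrator lacking READ_CONTROL on the object is the
            # strongest signal that access has been restricted to one user.
            $findings += [pscustomobject]@{
                Path   = $item.FullName
                Reason = "DACL not readable by current user: $($_.Exception.Message)"
            }
            continue
        }
        foreach ($principal in $required) {
            # Only explicit ACEs for the principal are checked; read access
            # inherited via another group (e.g. Everyone) is not resolved,
            # so treat hits as candidates for review, not proof.
            $hasRead = $acl.Access | Where-Object {
                $_.IdentityReference.Value -eq $principal -and
                $_.AccessControlType -eq 'Allow' -and
                (([int]$_.FileSystemRights) -band $readData) -ne 0
            }
            if (-not $hasRead) {
                $findings += [pscustomobject]@{
                    Path   = $item.FullName
                    Reason = "No Allow/Read ACE for $principal"
                }
            }
        }
    }
    return $findings
}

# Constructed usage; C:\Data is a placeholder, not a path from the thread.
Find-AdminUnreadableItems -Path 'C:\Data' | Format-Table -AutoSize
```

Items reported with "DACL not readable" are exactly the ones a scanner running as Administrators or SYSTEM would skip unless it opens them through the backup API the reply refers to.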