Re: Re: when will AV vendors fix this???

["<...>" <massimo () grandmedia si>]

good idea indeed and, since ntfs drivers are available for linux for a long 
time now, someone really willing to fix the issue could start there...

----- Original Message ----- 
From: "Denis Jedig" <seclists () syneticon de>
To: <full-disclosure () lists grok org uk>
Cc: <bugtraq () securityfocus com>
Sent: Saturday, August 05, 2006 10:35 AM
Subject: [Full-disclosure] Re: when will AV vendors fix this???


> On Sat, 5 Aug 2006 13:05:56 +0545 Bipin Gautam wrote:

--- cut ---

> > And one more thing, if during AV scan if a file can't be opened due to
> > some processes LOCKING the file.... Instead of going through the
> > regular file open  process AV should instead directly read the SECTORS
> > of the hdd
>
> This might seem to be a bright idea at first, however, there are problems
> with this approach. For one, the AV system would have to interpret the
> filesystem on its own. Since NTFS is not documented and pretty 
> complicated,
> this is an error-prone task and I have no confidence AV vendors might be
> able to master it correctly. Then, even if you are able to read sectors (a
> non-trivial task under Windows as well), a file is usually not locked
> without reason - it will likely undergo some changes even *during the 
> scan*
> so the results will be mostly useless. What you'd use instead is the 
> Volume
> Shadow Copy (aka Snapshot) feature as done with various backup
> applications.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/