Security Incidents mailing list archives
RE: strange windows behaviour.
From: Chris Brenton <cbrenton () chrisbrenton org>
Date: 09 Oct 2003 19:26:23 -0400
On Wed, 2003-10-08 at 16:44, Schmehl, Paul L wrote:
> There's been a lot of discussion about this amongst av professionals. There's really no advantage to scanning streams because they are "inert".
It's not so much that it's "inert", as there is no known widespread virus (notice the specific wording here ;-) that has leveraged the file system. That and supporting streams means you have to handle NTFS differently than FAT & FAT32.

I wrote this about three years ago:
http://www.ists.dartmouth.edu/text/IRIA/knowledge_base/NTFS_advisory.php

In short, it explains how to nuke a system via streams. One nice twist was that you were only vulnerable if you were actually running AV software. ;-)

One AV vendor stepped up after my paper and started supporting streams. The rest took a "let's wait and see" approach. AFAIK they still are.
> In order for the trojan to do anything, it has to "come out of hiding" as it were, and when it does, av on access scanning will detect it **if it's a known trojan**.
Again, read the above referenced paper. An attacker can actually use this functionality to their advantage to do damage or have the AV software delete/move critical files for the AV software, personal firewall, etc. etc.

HTH,
C
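Since the message turns on whether anything looks inside NTFS streams at all, here is an added example (not part of the original post or the referenced advisory) that inventories alternate data streams under a directory so they can be reviewed. The function name `Find-AlternateStream`, its parameters and the demo path are hypothetical; it assumes Windows, an NTFS volume and PowerShell 3.0 or later.

```powershell
# Added example: list non-default NTFS streams on files under a directory.
# Covers files only; directories can carry streams too and need a separate pass.
function Find-AlternateStream {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Streams Windows itself commonly adds; reported only with -IncludeKnown.
        [string[]] $KnownStreams = @('Zone.Identifier'),
        [switch] $IncludeKnown
    )
    Get-ChildItem -LiteralPath $Path -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_.FullName
            Get-Item -LiteralPath $file -Stream * -ErrorAction SilentlyContinue |
                # ':$DATA' is the unnamed stream, i.e. the normal file content.
                Where-Object { $_.Stream -ne ':$DATA' } |
                Where-Object { $IncludeKnown -or $KnownStreams -notcontains $_.Stream } |
                ForEach-Object {
                    # Read the first two bytes to flag PE content ("MZ") kept in a stream.
                    $readArgs = @{ LiteralPath = $file; Stream = $_.Stream; TotalCount = 2 }
                    if ($PSVersionTable.PSVersion.Major -ge 6) { $readArgs.AsByteStream = $true }
                    else { $readArgs.Encoding = 'Byte' }
                    $head = @(Get-Content @readArgs -ErrorAction SilentlyContinue)
                    [pscustomobject]@{
                        File    = $file
                        Stream  = $_.Stream
                        Length  = $_.Length
                        LooksPE = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
                    }
                }
        }
}

# Constructed demo input: a temp file with a named stream 'demo' starting with "MZ".
$dir = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$sample = Join-Path $dir 'a.txt'
Set-Content -LiteralPath $sample -Value 'visible'
Set-Content -LiteralPath $sample -Stream demo -Value 'MZ'
Find-AlternateStream -Path $dir | Format-Table -AutoSize
```

The `LooksPE` column is only a triage hint based on the first two bytes; any unexpected named stream is worth a look regardless of its content.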