Security Incidents mailing list archives

RE: strange windows behaviour.


From: Chris Brenton <cbrenton () chrisbrenton org>
Date: 09 Oct 2003 19:26:23 -0400

On Wed, 2003-10-08 at 16:44, Schmehl, Paul L wrote:

> There's been a lot of discussion about this amongst av professionals.
> There's really no advantage to scanning streams because they are
> "inert".

It's not so much that it's "inert", as there is no known widespread virus
(notice the specific wording here ;-) that has leveraged the file
system. That and supporting streams means you have to handle NTFS
differently than FAT & FAT32. I wrote this about three years ago:
http://www.ists.dartmouth.edu/text/IRIA/knowledge_base/NTFS_advisory.php

In short, it explains how to nuke a system via streams. One nice twist
was that you were only vulnerable if you were actually running AV
software. ;-)

One AV vendor stepped up after my paper and started supporting streams.
The rest took a "let's wait and see" approach. AFAIK they still are.

> In order for the trojan to do anything, it has to "come out of
> hiding" as it were, and when it does, av on access scanning will detect
> it **if it's a known trojan**.

Again, read the above referenced paper. An attacker can actually use
this functionality to their advantage to do damage or have the AV
software delete/move critical files for the AV software, personal
firewall, etc. etc.

HTH,
C
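The point above, that on-access scanners only look at the default stream, is why defenders inventory alternate streams themselves. The following PowerShell function is an added example and not part of the original thread; it assumes PowerShell 3.0 or later on an NTFS volume, a placeholder root path, and that the benign Zone.Identifier stream is excluded by default.

```powershell
# Added example, not from the original thread: inventory NTFS alternate data
# streams under a directory and hash each one, since on-access scanners may
# only look at the default ':$DATA' stream. Requires PowerShell 3.0 or later
# on an NTFS volume.
function Get-AlternateDataStream {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path,
        # Zone.Identifier (the "mark of the web") is expected on downloads;
        # excluding it by default is an assumption to reduce noise, not a rule.
        [string[]]$ExcludeStream = @('Zone.Identifier')
    )

    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    Get-ChildItem -LiteralPath $Path -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # '-Stream *' lists every stream; ':$DATA' is the ordinary file content.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -notin $ExcludeStream } |
                ForEach-Object {
                    $hash = $null
                    try {
                        # Open the stream itself with the "file:stream" path syntax and
                        # hash its bytes so they can be checked like any other sample.
                        $fs = [System.IO.File]::OpenRead("$($file.FullName):$($_.Stream)")
                        try { $hash = ($sha256.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
                        finally { $fs.Dispose() }
                    } catch { $hash = "unreadable: $($_.Exception.Message)" }
                    [pscustomobject]@{
                        FilePath = $file.FullName
                        Stream   = $_.Stream
                        Length   = $_.Length
                        SHA256   = $hash
                    }
                }
        }
    $sha256.Dispose()
}

# Usage: list every alternate stream under a placeholder directory.
Get-AlternateDataStream -Path 'C:\Users\Public' | Format-Table -AutoSize
```

Any stream the on-access scanner never opened shows up here with a hash that can be checked against the scanner's own signatures or a reputation service.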


