Re: [Full-disclosure] Re: when will AV vendors fix this???

[Paul Schmehl <pauls () utdallas edu>]

Andreas Marx wrote:
> At 22:35 07.08.2006, Paul Schmehl wrote:
>
> [...]
> > This is similar to the problem of alternative data streams. Essentially, the work needed to solve this problem isn't worth the expenditure of time and 
> > effort, because the file, in order to infect the system, has to be executed.  Once the file is executed "normal" on-access scanning will catch the 
> > exploit *if* it is known.  (If it's unknown, it doesn't matter anyway.)  Yes, on-demand scanning won't "see" the file, but even 
> > malicious files are benign until they are run.
> [...]
>
> No, that's not the case. On-Access scanner *might* be able to catch the malware (if it's a known variant), but it could be 
> that the scanner is missing the file, depending on it's implementation. The same applies to the On-Demand scanner: it might or 
> might not detect it, even if the *known* malware can still run on a system, as many tricks exists to get the file executed. Here are 
> two articles showing this with ADS, including some test results:
You've got my curiosity now.  Are you saying that no AV product will 
"see" exploit once it enters memory?  Granted, that's one step further 
than on-access, but I thought that all AV products (now) were looking at 
memory for file accesses.

--
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature