Full Disclosure mailing list archives
Re: (confirm) Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bugs. [Part IV]
From: bipin gautam <visitbipin () yahoo com>
Date: Sat, 2 Oct 2004 07:03:35 -0700 (PDT)
Only tested on... Mcafee VirusScan professional (8.0.0.12) Norton Antivirus 2003 Ad-Aware (6.0.1.181) The Cleaner This is what i did, I craeated a account named "dumb_user" and log on to the account. I created a folder and copied a sample virus to the folder. Then i took the ownership of the folder and set the permission as, "I only can access" the folder and its content. eg: cacls.exe hUNT.exe /T /C /P dumb_user:R Then I switched back to "Administrative account" and tried doing "manual scan" for virus with mcafee and later norton in seperate machines. The manual scan was unable to pick the virus!!! But ya... if you try the same thing with a file and try executing the file the auto-protect engine will stop the virus from executing. So this is ONLY ISSUE FOR MANUAL SCAN ON ANTIVIRUS PRODUCTS. It seems like, in manual scan... the scanner runs under the security content of Administrator who is responsible for scanning the system........... hence the virus goes unnoticed due to NTFS file permission restriction. But, seems like... the Auto-Protect engine loads as a kernel driver so the virus gets stopped in the way during execution. *But ya... many trojan, spyware scanner i know just run with the Administrative privilage, so its a ISSUE for all those products. Please follow the procidure & confirm if other antivirus products are vulnerable as well. http://www.geocities.com/visitbipin/all.html thank you for your time, bipin gautam --- bipin gautam <visitbipin () yahoo com> wrote:
--- 3APA3A <3APA3A () SECURITY NNOV RU> wrote:Dear bipin gautam, Your statements about "all antivirus" and "design fault" are wrong, it's strongly depend on the way manual scanning is implemented in specific product. 1. many antiviral products implement their own kernel driver to access scanned file. For this case permissions have no impact for scanning.hello 3APA3A, Ok ya... i already mentioned the fact, If the scanner is unable to drop the privilege and run under the security content of "dumb_user" the malicious code goes undetected. Correct me if i am wrong, but.... mostly (full-)system "manual scan" is executed as a administrative job......... and i've already mentioned the fact, its MORE* a NTFS file permission problem. http://www.geocities.com/visitbipin/all.html IF A FILE PERMISSION IS SET IN A WAY... only THE OWNER OF THE FILE HAS ACCESS TO THAT FILE, Even softwares running with ADMINISTRATIVE or SYSTEM privilage don't have access to the file, normally!!!!!!!!! Really strange, cauz root should have atlest read access to any file in the system regardless of the permission. Atlest, most trojan, spyware scanner gets executed as a admin. or system process. Regarding your statement,antiviral products implement their own kernel driver to access scanned file.I tested on norton av 2003 and few spyware product "the cleaner" "Ad-aware" and by this way....... a trojan bypassed the protection. Guys, please confirm this issue then.... i ain't in a research lab, just using my home PC. i'll test the issue with mcafee and be back with the resultsYou still can bypass antiviral protection for manual scans with file encryption (on-access scanners may impersonate accessing user). This time file can only be scanned byadministratorif administrator is recovery agent.wow, i didn't thought of this..... bipin _______________________________ Do you Yahoo!? Declare Yourself - Register online to vote today! http://vote.yahoo.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
__________________________________ Do you Yahoo!? Yahoo! Mail Address AutoComplete - You start. We finish. http://promotions.yahoo.com/new_mail _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- All Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bugs. [Part IV] bipin gautam (Oct 01)
- Re: All Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bugs. [Part IV] GuidoZ (Oct 01)
- Re: All Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bugs. [Part IV] GuidoZ (Oct 01)
- Re: All Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bugs. [Part IV] bipin gautam (Oct 01)
- Re: All Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bugs. [Part IV] bipin gautam (Oct 01)
- <Possible follow-ups>
- All Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bugs. [Part IV] bipin gautam (Oct 01)
- Re: All Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bugs. [Part IV] 3APA3A (Oct 02)
- Re: All Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bugs. [Part IV] bipin gautam (Oct 02)
- Re: All Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bugs. [Part IV] bipin gautam (Oct 02)
- Re: (confirm) Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bugs. [Part IV] bipin gautam (Oct 02)
- Re: (confirm) Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bugs. [Part IV] bipin gautam (Oct 02)
- Re[2]: All Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bugs. [Part IV] 3APA3A (Oct 02)
- Re: All Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bugs. [Part IV] bipin gautam (Oct 02)
- Re[2]: All Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bugs. [Part IV] 3APA3A (Oct 03)
- Re[2]: All Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bugs. [Part IV] Kolja Powischer (Oct 04)
- Re: All Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bugs. [Part IV] 3APA3A (Oct 02)
- Re: All Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bugs. [Part IV] GuidoZ (Oct 01)