Full Disclosure mailing list archives
Re: when will AV vendors fix this???
From: Bryan <bryan.madhatter () gmail com>
Date: Mon, 7 Aug 2006 12:45:03 -0500
So it's the AV vendor's responsibility to fix the permissions within the OS? Personally, I'd be annoyed if my AV started randomly changing file permissions. On top of the fact, you would need access to the machine to reset permissions on the file/directory/etc. before the AV scan took place. So unless you already have access to the machine or can convince the user to execute cacls this doesn't seem like much of a problem. In the first case, there are worse problems than how the AV runs and in the second you can't really cure stupid users since if they execute the command it's performing by design. Bryan On 8/5/06, Bipin Gautam <gautam.bipin () gmail com> wrote:
hello list, This is actually a DESIGN BUG OF MOST(ALL?) Antivirus & trojan scanners. ( ROOTKIT SCANNERS already DO THIS ) This issue is a MORE THAN 1 YEAR OLD stuff but i see no fix till now!!!! lately i've ONLY tested it on the following AV & few other spyware scanner & saw its still NOT fixed! Kaspersky Anti-Virus 6.x (latest) BitDefender 9 Professional Plus (latest) NOD32 (latest) OS tested: WINxp sp2 to keep things simple, let me give you a situation; if there is a directory/file a EVIL_USER is willing to hide from antivirus scanner all he has to do is fire up a command prompt & run the command; cacls.exe TORJANED_FILE_OR_DIRECTORY_NAME /T /C /P EVIL_USER:R next time EVEN when the administrator starts the antivirus "system scan" the TORJANED_FILE_OR_DIRECTORY_NAME will be effectively bypassed as the ownership of the directory is just of the user account named; EVIL_USER and the antivirus "manual scan" is running just with the privilage of ADMINISTRATOR by this way a malicious executable can remain hidden in the system BYPASSING THE SCAN even when the AV scanner is run by administrator!!! BUT there isn't a compulsion that there should be a user with a malicious intension to get this condition & bypass the scan. there is another DUMB equivalent of the above cacls.exe command; Right click a folder, Properties > Sharing Tab >> Check on the tick mark of >> Make this Folder Private by doing so a user might me thinking he is making a folder not_accessable_to_any_other_system_user BUT by doing so... the directory gets effectively sciped by a AV scannner vulnerable to this trick. SOLUTION: AV already running with administrative privilage if the system administrator is starting manual scan, so what does AV should do is excelate its (manual scan) OF THE ANTIVIRUS SCANNER ENGINE/DRIVER (not the GUI) privilage to SYSTEM before starting the scan which will effectively bypass file permission & be able to scan the locked file with any file permission in Windows! And one more thing, if during AV scan if a file can't be opened due to some processes LOCKING the file.... Instead of going through the regular file open process AV should instead directly read the SECTORS of the hdd holding the locked file and examine if there is sething malicious (which still some AV don't do & instead just report the file(s) as locked!) am i clear??? Discussions, welcome! --- Bipin Gautam http://bipin.tk Zeroth law of security: The possibility of poking a system from lower privilege is zero unless & until there is possibility of direct, indirect or consequential communication between the two...
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- when will AV vendors fix this??? Bipin Gautam (Aug 05)
- Re: when will AV vendors fix this??? Denis Jedig (Aug 05)
- Re: Re: when will AV vendors fix this??? <...> (Aug 06)
- Re: when will AV vendors fix this??? Marius Huse Jacobsen (Aug 07)
- Re: when will AV vendors fix this??? Bryan (Aug 07)
- RE: when will AV vendors fix this??? Thomas D. (Aug 07)
- Re: RE: when will AV vendors fix this??? Dude VanWinkle (Aug 07)
- RE: RE: when will AV vendors fix this??? Thomas D. (Aug 07)
- RE: RE: when will AV vendors fix this??? Dmitry Yu. Bolkhovityanov (Aug 11)
- Re: RE: when will AV vendors fix this??? Paul Schmehl (Aug 14)
- Re: RE: when will AV vendors fix this??? Bipin Gautam (Aug 15)
- Re: RE: when will AV vendors fix this??? Dude VanWinkle (Aug 07)
- Re: when will AV vendors fix this??? Denis Jedig (Aug 05)
- Re: when will AV vendors fix this??? Bipin Gautam (Aug 07)
- <Possible follow-ups>
- Re: Re: when will AV vendors fix this??? hatless (Aug 06)
- Re: when will AV vendors fix this??? Andreas Marx (Aug 14)