Vulnerability Development mailing list archives

Re: How to hide a file ? (From McAfee)


From: "Jon Zobrist" <kgb () ussr com>
Date: Tue, 15 Jan 2002 15:03:32 -0700

McAfee Vshield doesn't pick up ADS's by default. You have to enable scanning
of all files in your Vshield settings.

Tested copying from share to share, scanning directly, opening.

Tested with a Codered captured from netcat. Attempts to open the file in
notepad result in McAfee stopping me and asking for action.

notepad codered.txt <access denied & mcafee warning>
type codered.txt > test.txt:codered.txt
notepad test.txt:codered.txt <opens fine>

Turning on scan all files causes attempts to access the ADS to give the same
access denied error as opening the original.
This could be useful to sneak in trojans/virii to a vscan'd server from an
already compromised host, say a user's computer with NTFS....?

-Jon


----- Original Message -----
From: "Bojan Zdrnja" <Bojan.Zdrnja () FER hr>
To: "'Nick Lange'" <nicklange () wi rr com>; "'Patrick Chambet'"
<patrick.chambet () edelweb fr>; <vuln-dev () security-focus com>
Sent: Monday, January 14, 2002 2:11 AM
Subject: RE: How to hide a file ? (From most people)




-----Original Message-----
From: Nick Lange [mailto:nicklange () wi rr com]
Sent: 12. siječanj 2002 10:08

really?
That's odd...
This trick worked as stated on my win2k box.
What version of win2k are you using?
I believe I'm using the latest patches w/ sp's on a us-win2k install.
cheers

I think this is perhaps a Windows Explorer issue and not operating system
related.
On my testing machine here at work, I have Windows 2000 Service Pack 2 with
IE 6.0.2600.0000 (Q306121; Q312461; Q313675).

Best regards,

Bojan Zdrnja
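
To audit a share for the alternate data streams discussed in this thread, the following PowerShell function lists every named stream on the files under a directory. It is an added example, not code from the thread's authors. The function name Find-AlternateDataStream and the demo directory are constructed for illustration, and it assumes PowerShell 3.0 or later on an NTFS volume.

```powershell
# Added example: enumerate alternate data streams (ADS) under a directory tree.
# Assumes PowerShell 3.0+ and NTFS. Only files are inspected; directories can
# also carry named streams and are not covered here.
function Find-AlternateDataStream {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Stream names to ignore, e.g. the marker Windows adds to downloads.
        [string[]] $IgnoreStream = @('Zone.Identifier')
    )

    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $item = $_
            # -Stream * returns every stream; the ordinary file body is ':$DATA'.
            Get-Item -LiteralPath $item.FullName -Stream * -Force -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' -and $IgnoreStream -notcontains $_.Stream } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $item.FullName
                        Stream = $_.Stream
                        Length = $_.Length
                    }
                }
        }
}

# Constructed demo: create a file with a named stream, then report it.
$demoDir = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null
$demoFile = Join-Path $demoDir 'test.txt'
Set-Content -LiteralPath $demoFile -Value 'visible content'
Set-Content -LiteralPath $demoFile -Stream 'hidden.txt' -Value 'constructed sample data'
Find-AlternateDataStream -Path $demoDir | Format-Table -AutoSize
```

Any file reported with a non-zero Length in a named stream holds content that a scanner limited to default file types or the main stream may not have inspected.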



