Vulnerability Development mailing list archives
Re: How to hide a file ? (From McAfee)
From: "Kurt Seifried" <bugtraq () seifried org>
Date: Tue, 15 Jan 2002 16:06:20 -0700
McAfee Vshield doesn't pick up ADS's by default. You have to enable
scanning
of all files in your Vshield settings.
Tripwire and some other stuff does by default (yeah!). Handling ADS doesn't seem to slow things down much (tripwire checks each protected file for streams by default). There was a virus that used streams, http://www.cknow.com/vtutor/vtntfsads.htm [snip]
Turning on scan all files causes attempts to access the ADS to give the
same
access denied error as opening the original. This could be useful to sneak in trojans/virii to a vscan'd server from an already compromised host, say a users computer with NTFS....?
Yes and no. I believe some vendors now scan ADS's by default, as I mentioned before tripwire tosses through them and will warn if an ads on a protected file is created, deleted or the contents changed.
-Jon
Kurt Seifried, kurt () seifried org A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574 http://www.seifried.org/security/
Current thread:
- RE: How to hide a file ? (From most people) Holmes, Ben (Jan 09)
- Re: How to hide a file ? (From most people) Patrick Chambet (Jan 10)
- RE: How to hide a file ? (From most people) Bojan Zdrnja (Jan 11)
- Re: How to hide a file ? (From most people) Nick Lange (Jan 12)
- Re: How to hide a file ? (From most people) Jonatan Bagge (Jan 14)
- Re: How to hide a file ? (From most people) Pieter-Bas IJdens (Jan 14)
- RE: How to hide a file ? (From most people) Bojan Zdrnja (Jan 14)
- Re: How to hide a file ? (From McAfee) Jon Zobrist (Jan 15)
- Re: How to hide a file ? (From McAfee) Kurt Seifried (Jan 16)
- RE: How to hide a file ? (From most people) Bojan Zdrnja (Jan 11)
- Re: How to hide a file ? (From most people) Patrick Chambet (Jan 10)