I'd still argue... If the malicious code is a known variant and
resides in the computer exploiting the stated flaw, here are ppl.
arguing the AV will catch it during execution anyways. BUT there are
many scenarios when ADVANCE HERCULES SCAN, suspicious activity scans
etc are only (mostly) enabled
Dmitry Yu. Bolkhovityanov wrote:
Any type of data/file hiding (of course, alternate data streams in
the first place) can become the last brick required for some new attack
vector.
So, while currently I can't present any workable scenario, I
wouldn't consider such type of data hiding as "n
At 22:35 07.08.2006, Paul Schmehl wrote:
[...]
> This is similar to the problem of alternative data streams. Essentially, the
> work needed to solve this problem isn't worth the expenditure of time and
> effort, because the file, in order to infect the system, has to be executed.
> Once the fi
On Mon, 7 Aug 2006, Thomas D. wrote:
> And even if you hide the file, if it hide the way you describe, you aren't
> able to execute the file, until you give access to yourself. If you do this,
> the anti-virus program will also have access
>
>
> Keep in mind: If it is an unknown file (zero-d
>
This is similar to the problem of alternative data streams.
Essentially, the work needed to solve this problem isn't worth the
expenditure of time and effort, because the file, in order to infect the
system, has to be executed. Once the file is executed "normal"
on-access scanning will catch th
> -Original Message-
> From: Dude VanWinkle
> Sent: Monday, August 07, 2006 8:49 PM
> > So I might be able hide something, but I can't do anything.
>
> Well, there would be an access denied message for most AV scanners
> when it hit the file in question and couldn't even get a read.
>
As
Bipin Gautam wrote:
hello list,
This is actually a DESIGN BUG OF MOST(ALL?) Antivirus & trojan
scanners. ( ROOTKIT SCANNERS already DO THIS ) This issue is a MORE
THAN 1 YEAR OLD stuff but I see no fix till now
lately I've ONLY tested it on the following AV & few other spyware
scanner & saw
On 8/7/06, Thomas D. <[EMAIL PROTECTED]> wrote:
> -Original Message-
> From: Bipin Gautam
> Sent: Saturday, August 05, 2006 9:21 AM
> Subject: when will AV vendors fix this???
>
> to keep things simple, let me give you a situation;
>
> if there is a directory/file a EVIL_USER is willing
> -Original Message-
> From: Bipin Gautam
> Sent: Saturday, August 05, 2006 9:21 AM
> Subject: when will AV vendors fix this???
>
> to keep things simple, let me give you a situation;
>
> if there is a directory/file a EVIL_USER is willing to hide from
> antivirus scanner all he has to d
So it's the AV vendor's responsibility to fix the permissions within the OS? Personally, I'd be annoyed if my AV started randomly changing file permissions. On top of the fact, you would need access to the machine to reset permissions on the file/directory/etc. before the AV scan took place. So un
Bipin Gautam wrote:
> cacls.exe TORJANED_FILE_OR_DIRECTORY_NAME /T /C /P EVIL_USER:R
>
> by this way a malicious executable can remain hidden in the system
> BYPASSING THE SCAN even when the AV scanner is run by administrator!!!
>
> BUT there is
no, not really.
there are two approaches I know of.
1. the ntfs tools that come with most distros are not fully
supporting the ntfs.
2. the other approach uses some wine code and the original
windows dll's ->
1. may have some licensing issues (maybe not...)
2. is damn slow (honestly, it's
[Full-disclosure] Re: when will AV vendors fix this???
On Sat, 5 Aug 2006 13:05:56 +0545 Bipin Gautam wrote:
--- cut ---
And one more thing, if during AV scan if a file can't be opened due to
some processes LOCKING the file Instead of going through the
regular file open proc
On Sat, 5 Aug 2006 13:05:56 +0545 Bipin Gautam wrote:
> if there is a directory/file a EVIL_USER is willing to hide from
> antivirus scanner all he has to do is fire up a command prompt & run
> the command;
>
> cacls.exe TORJANED_FILE_OR_DIRECTORY_NAME /T /C /P EVIL_USER:R
Too simple - access is