Bugtraq mailing list archives

RE: Long path exploit on NTFS


From: "Frank Heyne" <fh () rcs urz tu-dresden de>
Date: Fri, 8 Feb 2002 08:32:04 +0100

On 7 Feb 02, at 11:25, David Korn wrote:

> It would be interesting if Frank could
> describe the methodology he used, as the phrase "According to my own
> tests" suggests he was not using the same script.

I am sorry, it was my mistake, because I did not choose clear wording.
I wrote Sophos would not "find" virii in long paths, which is wrong most 
often.
What I found is that Sophos does not "move" virii into the \Sophos\Infected 
directory when it is told to do so, and the virii are in a long path.
This reads as "no action taken" in the Sophos report.

This means if you use a long path, you can write a virus on disk, and 
though Sophos will log it, it will not stop you.

BTW, Sophos is unable to find all virii in the NTFS file system, but this 
has nothing to do with the length of the path. If the virus is in an ADS, 
Sophos might ignore it. I tested this with a vbs virus which I did put in a 
file "a.txt:virus" while Sophos did not run. Then I started Sophos and 
copied the virus into a new file "virus.txt" - Sophos did not complain.
The funny thing is that if you put the virus in a file "b.txt:virus.vbs", 
Sophos will find it. And yes, Sophos is configured to find virii in files 
without extensions. 
I did not test other AV products, but probably they will have similar 
problems.


Greetings

Frank Heyne
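As an added example (not part of Frank's post, and not Sophos code), here is a PowerShell check a defender can run to list the two things the post says a scanner may not handle: alternate data streams and paths longer than the classic MAX_PATH limit. Auditing them independently lets you compare the result against the scanner's own report instead of trusting "no action taken". It relies on the real `Get-Item -Stream` parameter (PowerShell 3 and later); `$Root` and `$MaxPath` are assumed parameter names of this script. Note that Windows PowerShell 5.1 itself generally cannot traverse paths beyond 260 characters, so run it under PowerShell 7 when long paths are the concern.

```powershell
# Added example, not code from the original post: enumerate NTFS alternate
# data streams and over-long paths so a scanner blind spot of the kind
# described above can be audited independently of the scanner's report.
param(
    [string]$Root = '.',   # assumed parameter: directory tree to audit
    [int]$MaxPath = 260    # assumed parameter: classic MAX_PATH limit
)

$findings = foreach ($file in Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue) {

    # Over-long path: record it so it can be matched against scanner log entries
    if ($file.FullName.Length -gt $MaxPath) {
        [pscustomobject]@{
            File   = $file.FullName
            Stream = '(path)'
            Length = $file.Length
            Issue  = "path length $($file.FullName.Length) exceeds $MaxPath"
        }
    }

    # Every stream other than the unnamed ':$DATA' stream is an alternate data stream
    foreach ($s in Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue) {
        if ($s.Stream -ne ':$DATA') {
            [pscustomobject]@{
                File   = $file.FullName
                Stream = $s.Stream
                Length = $s.Length
                Issue  = 'alternate data stream'
            }
        }
    }
}

# Print the findings; pipe to Export-Csv instead to keep a record for later comparison
$findings | Sort-Object File, Stream | Format-Table -AutoSize
```

Expect some benign hits: files downloaded by a browser normally carry a `Zone.Identifier` stream, so filter that name out before treating the remaining streams as suspicious. The point of the check is the same one Frank makes: a stream such as `a.txt:virus` is a separate piece of content that a scanner walking the default streams will never open, so it must be enumerated explicitly.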

