Bugtraq mailing list archives

Re: when will AV vendors fix this???

From: Denis Jedig <seclists () syneticon de>
Date: Sat, 5 Aug 2006 10:35:25 +0200

On Sat, 5 Aug 2006 13:05:56 +0545 Bipin Gautam wrote:

if there is a directory/file a EVIL_USER is willing to hide from
antivirus scanner all he has to do is fire up a command prompt & run
the command;

cacls.exe TORJANED_FILE_OR_DIRECTORY_NAME /T /C /P EVIL_USER:R


Too simple - access is really denied to every user except evil_user in this
case - even to Administrators *and* SYSTEM. The only way to read this file
without resetting the CALs would go through the backup API of Windows.

SOLUTION:
AV already running with administrative privilage if the system
administrator is starting manual scan, so what does AV should do is
excelate its (manual scan) OF THE ANTIVIRUS SCANNER ENGINE/DRIVER (not
the GUI) privilage to SYSTEM


Won't help. They really would need to rewrite their products to use the
backup API for file reading. This may have other implications I am not
aware of.

And one more thing, if during AV scan if a file can't be opened due to
some processes LOCKING the file.... Instead of going through the
regular file open  process AV should instead directly read the SECTORS
of the hdd


This might seem to be a bright idea at first, however, there are problems
with this approach. For one, the AV system would have to interpret the
filesystem on its own. Since NTFS is not documented and pretty complicated,
this is an error-prone task and I have no confidence AV vendors might be
able to master it correctly. Then, even if you are able to read sectors (a
non-trivial task under Windows as well), a file is usually not locked
without reason - it will likely undergo some changes even *during the scan*
so the results will be mostly useless. What you'd use instead is the Volume
Shadow Copy (aka Snapshot) feature as done with various backup
applications.

am i clear??? Discussions, welcome!


Implementing your suggestions (or "my" variations thereof) would mean
putting a lot of effort into implementation of an intrinsically broken and
useless idea of "malware scanners as a security measure". I've already done
some posting to bugtraq and full-disclosure on this topic which I won't
like to repeat here - check the archives if you're interested.

-- 
Denis Jedig
syneticon networks GbR             http://syneticon.net/service/

Current thread:

when will AV vendors fix this??? Bipin Gautam (Aug 07)
- Re: when will AV vendors fix this??? Denis Jedig (Aug 07)
- Re: when will AV vendors fix this??? Marius Huse Jacobsen (Aug 10)
- RE: when will AV vendors fix this??? Thomas D. (Aug 11)
- Re: when will AV vendors fix this??? Paul Schmehl (Aug 11)
  - Re: when will AV vendors fix this??? Bipin Gautam (Aug 11)
- <Possible follow-ups>
- Re: when will AV vendors fix this??? Andreas Marx (Aug 18)
  - Re: [Full-disclosure] Re: when will AV vendors fix this??? Paul Schmehl (Aug 18)