Bugtraq mailing list archives

Re: when will AV vendors fix this???


From: Marius Huse Jacobsen <mahuja () c2i net>
Date: Mon, 07 Aug 2006 20:26:24 +0200


Bipin Gautam wrote:
> cacls.exe TROJANED_FILE_OR_DIRECTORY_NAME /T /C /P EVIL_USER:R
>
> By this way a malicious executable can remain hidden in the system,
> BYPASSING THE SCAN even when the AV scanner is run by administrator!!!
>
> BUT there isn't a compulsion that there should be a user with a
> malicious intention to get this condition & bypass the scan.
>
> There is another DUMB equivalent of the above cacls.exe command:
> Right click a folder, Properties > Sharing Tab >> Check on the tick
> mark of >> Make this Folder Private
>
> In pro editions, we can edit the full ACL that cacls.exe changes from
> the GUI from the security tab.
>
> By doing so a user might be thinking he is making a folder
> not_accessible_to_any_other_system_user, BUT by doing so... the
> directory gets effectively skipped by an AV scanner vulnerable to this
> trick.

The problem is that the virus scanner runs as a user, and has the same
restrictions on what the user can read as the user himself.

> SOLUTION:
> AV is already running with administrative privilege if the system
> administrator is starting a manual scan, so what AV should do is
> escalate its (manual scan) privilege OF THE ANTIVIRUS SCANNER ENGINE/DRIVER
> (not the GUI) to SYSTEM before starting the scan, which will
> effectively bypass file permission & be able to scan the locked file
> with any file permission in Windows!

You could do this by adding the administrator (or some dedicated AV
user?) to the backup operators group. Much less privilege given to those
programs that are already far too trusted.


> And one more thing: if during an AV scan a file can't be opened due to
> some process LOCKING the file.... Instead of going through the
> regular file open process, AV should instead directly read the SECTORS
> of the HDD holding the locked file and examine if there is something
> malicious (which still some AVs don't do & instead just report the
> file(s) as locked!)

I agree that something should be tried, the problem is just this: files
get locked for a reason. They could potentially get changed in mid-scan.
Nothing a well written scanner can't handle, I would think.



By the way, do any AV scanners have a clue about Alternate Data
Streams yet?


MaHuJa

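As an added illustration of the blind spot discussed in this thread (example code, not from the list or either poster): a PowerShell audit that walks a tree as the current account and reports what a scanner running under that account could not enumerate or open, plus a check for SeBackupPrivilege, the privilege that Backup Operators membership grants. The function names and the root path are my own assumptions.

```powershell
# Added example: what would a scan running as the current account skip?
function Find-ScanBlindSpots {
    param([Parameter(Mandatory)][string]$Root)

    # Directories the account cannot even enumerate. "Make this Folder
    # Private" or cacls /P <user>:R on a folder produce exactly these;
    # a scanner that inherits the account's token never sees their contents.
    $listErrors = @()
    $items = Get-ChildItem -LiteralPath $Root -Recurse -Force `
        -ErrorAction SilentlyContinue -ErrorVariable listErrors
    foreach ($e in $listErrors) {
        [pscustomobject]@{ Path = $e.TargetObject; Reason = 'CannotEnumerate' }
    }

    # Files the account can list but not open. A read-only open that
    # tolerates other handles separates ACL denial from a sharing lock.
    foreach ($f in ($items | Where-Object { -not $_.PSIsContainer })) {
        try {
            $fs = [System.IO.File]::Open($f.FullName, 'Open', 'Read', 'ReadWrite, Delete')
            $fs.Dispose()
        } catch [System.UnauthorizedAccessException] {
            [pscustomobject]@{ Path = $f.FullName; Reason = 'AccessDenied' }
        } catch [System.IO.IOException] {
            [pscustomobject]@{ Path = $f.FullName; Reason = 'LockedOrIOError' }
        }
    }
}

# Does the current token hold SeBackupPrivilege (Backup Operators)?
# Holding it is not enough on its own: it is Disabled in the token until a
# process enables it and opens files with FILE_FLAG_BACKUP_SEMANTICS.
function Test-BackupPrivilege {
    $priv = whoami /priv /fo csv | ConvertFrom-Csv |
        Where-Object { $_.'Privilege Name' -eq 'SeBackupPrivilege' }
    if ($priv) { "SeBackupPrivilege: $($priv.State)" }
    else       { 'SeBackupPrivilege: not held' }
}

# Usage (assumed root path):
Find-ScanBlindSpots -Root 'C:\Users' | Format-Table -AutoSize
Test-BackupPrivilege
```

Every AccessDenied or CannotEnumerate row is a location a user-context scan silently misses; the scanner should report these as findings rather than treat them as clean.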
