Bugtraq mailing list archives
Re: when will AV vendors fix this???
From: Marius Huse Jacobsen <mahuja () c2i net>
Date: Mon, 07 Aug 2006 20:26:24 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Bipin Gautam wrote:
> cacls.exe TROJANED_FILE_OR_DIRECTORY_NAME /T /C /P EVIL_USER:R
>
> by this way a malicious executable can remain hidden in the system BYPASSING THE SCAN even when the AV scanner is run by administrator!!! BUT there isn't a compulsion that there should be a user with a malicious intention to get this condition & bypass the scan. there is another DUMB equivalent of the above cacls.exe command; Right click a folder, Properties > Sharing Tab >> Check on the tick mark of >> Make this Folder Private

In pro editions, we can edit the full ACL that cacls.exe changes from the GUI, from the Security tab.

> by doing so a user might be thinking he is making a folder not_accessible_to_any_other_system_user BUT by doing so... the directory gets effectively skipped by an AV scanner vulnerable to this trick.

The problem is that the virus scanner runs as a user, and has the same restrictions on what the user can read as the user himself.

> SOLUTION: AV already running with administrative privilege if the system administrator is starting manual scan, so what AV should do is escalate its (manual scan) OF THE ANTIVIRUS SCANNER ENGINE/DRIVER (not the GUI) privilege to SYSTEM before starting the scan which will effectively bypass file permission & be able to scan the locked file with any file permission in Windows!

You could do this by adding the administrator (or some dedicated AV user?) to the Backup Operators group. Much less privilege given to those programs that are already far too trusted.

> And one more thing, if during an AV scan a file can't be opened due to some processes LOCKING the file.... Instead of going through the regular file open process AV should instead directly read the SECTORS of the hdd holding the locked file and examine if there is something malicious (which still some AV don't do & instead just report the file(s) as locked!)

I agree that something should be tried, the problem is just this: files get locked for a reason. They could potentially get changed in mid-scan. Nothing a well written scanner can't handle, I would think.

By the way, do any AV scanners have a clue about Alternate Data Streams yet?

MaHuJa

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (MingW32)

iD8DBQFE14XQl9nYJJam7WsRA8bOAKCej45iLMo4Idzs2e7ydMekBcnzEQCfYYK1
j9Y/PvLvtQCVDVq7B3PeyWM=
=FHmH
-----END PGP SIGNATURE-----
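The thread's point is that a scanner running under an ordinary token is bound by the same NTFS ACLs as the user, so a folder made "private" (or locked down with cacls.exe) silently drops out of the scan unless the scanner holds a backup privilege. The script below is an added example, not part of any message in this thread: it audits a directory tree and reports folders where BUILTIN\Administrators (SID S-1-5-32-544) has no Allow ACE granting ReadData, or has an explicit Deny, which is exactly the condition under which an administrator-launched scan without SeBackupPrivilege would get access denied. `$Root`, `Test-AdminReadable` and the ReadData-only check are assumptions of this example; ACEs carrying generic rights rather than specific FileSystemRights are not decoded here and may be reported as unreadable.

```powershell
# Added example, not from the thread. Audit a tree for directories whose ACL would
# block a scanner running as a member of BUILTIN\Administrators that has not
# enabled SeBackupPrivilege. Assumes Windows PowerShell 5.1+ and NTFS.
param(
    [string]$Root = 'C:\Users'   # assumption: tree to audit
)

$adminSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'
# ReadData (same bit as ListDirectory) is the minimum a scanner needs to open a file.
$readMask = [System.Security.AccessControl.FileSystemRights]::ReadData

function Test-AdminReadable {
    param([System.Security.AccessControl.DirectorySecurity]$Acl)
    $allowed = $false
    # Include explicit and inherited ACEs, resolved to SIDs to avoid name lookups.
    foreach ($ace in $Acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if ($ace.IdentityReference.Value -ne $adminSid.Value) { continue }
        if (($ace.FileSystemRights -band $readMask) -eq 0) { continue }
        if ($ace.AccessControlType -eq 'Deny') { return $false }   # explicit Deny wins over Allow
        $allowed = $true
    }
    return $allowed
}

Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $dir = $_
        try {
            $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop
        } catch {
            # Could not even read the security descriptor: report it rather than skip it.
            [pscustomobject]@{ Path = $dir.FullName; Owner = '?'; Status = 'ACL unreadable' }
            return
        }
        if (-not (Test-AdminReadable $acl)) {
            [pscustomobject]@{ Path = $dir.FullName; Owner = $acl.Owner; Status = 'Administrators cannot read' }
        }
    } | Format-Table -AutoSize
```

Run it from an elevated prompt so that Get-Acl can read descriptors on folders the current user does not own; any folder it lists is one a manual scan would report as locked or skip outright, which is the gap the reply proposes closing by giving the scanner engine Backup Operators membership (SeBackupPrivilege) instead of running it as the interactive user.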
Current thread:
- when will AV vendors fix this??? Bipin Gautam (Aug 07)
- Re: when will AV vendors fix this??? Denis Jedig (Aug 07)
- Re: when will AV vendors fix this??? Marius Huse Jacobsen (Aug 10)
- RE: when will AV vendors fix this??? Thomas D. (Aug 11)
- Re: when will AV vendors fix this??? Paul Schmehl (Aug 11)
- Re: when will AV vendors fix this??? Bipin Gautam (Aug 11)
- <Possible follow-ups>
- Re: when will AV vendors fix this??? Andreas Marx (Aug 18)
- Re: [Full-disclosure] Re: when will AV vendors fix this??? Paul Schmehl (Aug 18)