Bugtraq mailing list archives
Re: when will AV vendors fix this???
From: "Bipin Gautam" <gautam.bipin () gmail com>
Date: Tue, 8 Aug 2006 07:54:13 +0545
> This is similar to the problem of alternative data streams. Essentially, the work needed to solve this problem isn't worth the expenditure of time and effort, because the file, in order to infect the system, has to be executed. Once the file is executed "normal" on-access scanning will catch the exploit *if* it is known. (If it's unknown, it doesn't matter anyway.) Yes, on-demand scanning won't "see" the file, but even malicious files are benign until they are run.
I still insist, it might be a minor glitch to NOT ALLOW even admins to access a private file directly, but it isn't an issue with Windows at all!!! I thought the files should be accessed via "SeTcbPrivilege" BUT it doesn't. )O;

But hey, most of "the file undelete utilities" already do this..... If you try reading/copying an EXISTING file (via sys admin privilege) using (say Restorer2000 Demo) it effectively bypasses file permission regardless if it...... & can read the file! There must be another undocumented? API doing this???

Another note, even WINDOWS ONECARE is prone to this bug.

-bipin