Bugtraq mailing list archives

Re: when will AV vendors fix this???

From: "Bipin Gautam" <gautam.bipin () gmail com>
Date: Tue, 8 Aug 2006 07:54:13 +0545

>
This is similar to the problem of alternative data streams.
Essentially, the work needed to solve this problem isn't worth the
expenditure of time and effort, because the file, in order to infect the
system, has to be executed.  Once the file is executed "normal"
on-access scanning will catch the exploit *if* it is known.  (If it's
unknown, it doesn't matter anyway.)  Yes, on-demand scanning won't "see"
the file, but even malicious files are benign until they are run.


i still insist, it might be a minor glitch to NOT ALLOW even admins to
access a private file directly, but it isn't an issue with windows at
all!!!
I thought the the files should be accessed via "SeTcbPrivilege" BUT it
doesn't. )O;

but hey, most of  "the file undelete utilities" already do this.....
if you try reading/copying a EXISTING file (via sys admin privilage)
using (say Restorer2000 Demo) it effectively bypasses file permission
regardless if it...... & can read the file! there must be another
undocumented? API doing this???

another note, even WINDOWS ONECAIR is pron to this bug.

-bipin

Current thread:

when will AV vendors fix this??? Bipin Gautam (Aug 07)
- Re: when will AV vendors fix this??? Denis Jedig (Aug 07)
- Re: when will AV vendors fix this??? Marius Huse Jacobsen (Aug 10)
- RE: when will AV vendors fix this??? Thomas D. (Aug 11)
- Re: when will AV vendors fix this??? Paul Schmehl (Aug 11)
  - Re: when will AV vendors fix this??? Bipin Gautam (Aug 11)
- <Possible follow-ups>
- Re: when will AV vendors fix this??? Andreas Marx (Aug 18)
  - Re: [Full-disclosure] Re: when will AV vendors fix this??? Paul Schmehl (Aug 18)