Re: [Full-Disclosure] (confirm) Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bugs. [Part IV]

From: bipin gautam (
Date: 10/02/04

  • Next message: Fixer: "[Full-Disclosure] XP Remote Desktop Remote Activation"
    Date: Sat, 2 Oct 2004 07:03:35 -0700 (PDT)

    Only tested on...

    Mcafee VirusScan professional (
    Norton Antivirus 2003
    Ad-Aware (
    The Cleaner

    This is what i did,

    I craeated a account named "dumb_user" and log on to
    the account.

    I created a folder and copied a sample virus to the
    folder. Then i took the ownership
    of the folder and set the permission as, "I only can
    access" the folder and its

    eg: cacls.exe hUNT.exe /T /C /P dumb_user:R

    Then I switched back to "Administrative account" and
    tried doing "manual scan"
    for virus with mcafee and later norton in seperate
    machines. The manual scan was unable
    to pick the virus!!!

    But ya... if you try the same thing with a file and
    try executing the file the
    auto-protect engine will stop the virus from
    executing. So this is ONLY ISSUE FOR MANUAL


    It seems like, in manual scan... the scanner runs
    under the security content of

    Administrator who is responsible for scanning the
    system........... hence the virus goes

    unnoticed due to NTFS file permission restriction.
    But, seems like... the Auto-Protect

    engine loads as a kernel driver so the virus gets
    stopped in the way during execution.

    *But ya... many trojan, spyware scanner i know just
    run with the Administrative privilage,

    so its a ISSUE for all those products.

    Please follow the procidure & confirm if other
    antivirus products are vulnerable as well.

    thank you for your time,

    bipin gautam
    --- bipin gautam <> wrote:

    > --- 3APA3A <3APA3A@SECURITY.NNOV.RU> wrote:
    > > Dear bipin gautam,
    > >
    > > Your statements about "all antivirus" and "design
    > > fault" are wrong, it's
    > > strongly depend on the way manual scanning is
    > > implemented in specific
    > > product.
    > >
    > > 1. many antiviral products implement their own
    > > kernel driver to access
    > > scanned file. For this case permissions have no
    > > impact for scanning.
    > >
    > hello 3APA3A,
    > Ok ya... i already mentioned the fact, If the
    > scanner
    > is unable to drop the privilege and run under the
    > security content of "dumb_user" the malicious code
    > goes undetected. Correct me if i am wrong, but....
    > mostly (full-)system "manual scan" is executed as a
    > administrative job......... and i've already
    > mentioned
    > the fact, its MORE* a NTFS file permission problem.
    > OWNER
    > running with ADMINISTRATIVE or SYSTEM privilage
    > don't
    > have access to the file, normally!!!!!!!!! Really
    > strange, cauz root should have atlest read access to
    > any file in the system regardless of the permission.
    > Atlest, most trojan, spyware scanner gets executed
    > as
    > a admin. or system process. Regarding your
    > statement,
    > >antiviral products implement their own
    > > kernel driver to access
    > > scanned file.
    > I tested on norton av 2003 and few spyware product
    > "the cleaner" "Ad-aware" and by this way....... a
    > trojan bypassed the protection.
    > Guys, please confirm this issue then.... i ain't in
    > a
    > research lab, just using my home PC. i'll test the
    > issue with mcafee and be back with the results
    > > You still can bypass antiviral protection for
    > > manual scans with file
    > > encryption (on-access scanners may impersonate
    > > accessing user). This
    > > time file can only be scanned by
    > administrator
    > > if administrator is
    > > recovery agent.
    > >
    > wow, i didn't thought of this.....
    > bipin
    > _______________________________
    > Do you Yahoo!?
    > Declare Yourself - Register online to vote today!
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter:

    Do you Yahoo!?
    Yahoo! Mail Address AutoComplete - You start. We finish.

    Full-Disclosure - We believe in it.

  • Next message: Fixer: "[Full-Disclosure] XP Remote Desktop Remote Activation"

    Relevant Pages