Re: when will AV vendors fix this???



On Sat, 5 Aug 2006 13:05:56 +0545 Bipin Gautam wrote:

if there is a directory/file a EVIL_USER is willing to hide from
antivirus scanner all he has to do is fire up a command prompt & run
the command;

cacls.exe TORJANED_FILE_OR_DIRECTORY_NAME /T /C /P EVIL_USER:R

Too simple - access is really denied to every user except evil_user in this
case - even to Administrators *and* SYSTEM. The only way to read this file
without resetting the CALs would go through the backup API of Windows.

SOLUTION:
AV already running with administrative privilage if the system
administrator is starting manual scan, so what does AV should do is
excelate its (manual scan) OF THE ANTIVIRUS SCANNER ENGINE/DRIVER (not
the GUI) privilage to SYSTEM

Won't help. They really would need to rewrite their products to use the
backup API for file reading. This may have other implications I am not
aware of.

And one more thing, if during AV scan if a file can't be opened due to
some processes LOCKING the file.... Instead of going through the
regular file open process AV should instead directly read the SECTORS
of the hdd

This might seem to be a bright idea at first, however, there are problems
with this approach. For one, the AV system would have to interpret the
filesystem on its own. Since NTFS is not documented and pretty complicated,
this is an error-prone task and I have no confidence AV vendors might be
able to master it correctly. Then, even if you are able to read sectors (a
non-trivial task under Windows as well), a file is usually not locked
without reason - it will likely undergo some changes even *during the scan*
so the results will be mostly useless. What you'd use instead is the Volume
Shadow Copy (aka Snapshot) feature as done with various backup
applications.

am i clear??? Discussions, welcome!

Implementing your suggestions (or "my" variations thereof) would mean
putting a lot of effort into implementation of an intrinsically broken and
useless idea of "malware scanners as a security measure". I've already done
some posting to bugtraq and full-disclosure on this topic which I won't
like to repeat here - check the archives if you're interested.

--
Denis Jedig
syneticon networks GbR http://syneticon.net/service/



Relevant Pages

  • [Full-disclosure] Re: when will AV vendors fix this???
    ... antivirus scanner all he has to do is fire up a command prompt & run ... case - even to Administrators *and* SYSTEM. ... without resetting the CALs would go through the backup API of Windows. ... excelate its OF THE ANTIVIRUS SCANNER ENGINE/DRIVER (not ...
    (Full-Disclosure)
  • Re: [Full-disclosure] RE: when will AV vendors fix this???
    ... > antivirus scanner all he has to do is fire up a command prompt & run ... > next time EVEN when the administrator starts the antivirus "system ... > BYPASSING THE SCAN even when the AV scanner is run by administrator!!! ...
    (Full-Disclosure)