RE: strange windows behaviour.
From: Chris Brenton (cbrenton_at_chrisbrenton.org)
Date: 10/10/03
- Previous message: Jeff Bollinger: "Re: Spamming, 'hidden' mail server"
- In reply to: Schmehl, Paul L: "RE: strange windows behaviour."
- Next in thread: Pepijn Vissers: "RE: strange windows behaviour."
To: "Schmehl, Paul L" <pauls@utdallas.edu>
Date: 09 Oct 2003 19:26:23 -0400
On Wed, 2003-10-08 at 16:44, Schmehl, Paul L wrote:
>
> There's been a lot of discussion about this amongst av professionals.
> There's really no advantage to scanning streams because they are
> "inert".
It's not so much that it's "inert", as there is no known widespread virus
(notice the specific wording here ;-) that has leveraged the file
system. That and supporting streams means you have to handle NTFS
differently than FAT & FAT32. I wrote this about three years ago:
http://www.ists.dartmouth.edu/text/IRIA/knowledge_base/NTFS_advisory.php
In short, it explains how to nuke a system via streams. One nice twist
was that you were only vulnerable if you were actually running AV
software. ;-)
One AV vendor stepped up after my paper and started supporting streams.
The rest took a "let's wait and see" approach. AFAIK they still are.
> In order for the trojan to do anything, it has to "come out of
> hiding" as it were, and when it does, av on access scanning will detect
> it **if it's a known trojan**.
Again, read the above referenced paper. An attacker can actually use
this functionality to their advantage to do damage or have the AV
software delete/move critical files for the AV software, personal
firewall, etc. etc.
HTH,
C
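
Added example, not part of the original message or the referenced paper: a defender-side audit that lists NTFS alternate data streams under a directory tree and flags any whose content starts with an executable ("MZ") header, which is the kind of coverage the thread says on-access AV scanning was not providing. The function name Find-AlternateStream and the default path are assumptions chosen for illustration; it needs PowerShell 3.0 or later on an NTFS volume.

```powershell
# Added example: audit files for NTFS alternate data streams (ADS).
# Find-AlternateStream and the default $Root are hypothetical names/values.
function Find-AlternateStream {
    param([string]$Root = 'C:\Users')

    # Raw-byte reads are spelled differently in Windows PowerShell and PowerShell 6+.
    $byteArg = if ($PSVersionTable.PSVersion.Major -ge 6) {
        @{ AsByteStream = $true }
    } else {
        @{ Encoding = 'Byte' }
    }

    # Only files are walked here; streams attached to directories are not covered.
    Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                # ':$DATA' is the unnamed default stream, i.e. the normal file body.
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    # Read the first two bytes of the named stream.
                    $head = @(Get-Content -LiteralPath $_.FileName -Stream $_.Stream `
                                  @byteArg -TotalCount 2 -ErrorAction SilentlyContinue)
                    $isPE = ($head.Count -eq 2 -and
                             $head[0] -eq 0x4D -and $head[1] -eq 0x5A)   # 'MZ'

                    [pscustomobject]@{
                        File            = $_.FileName
                        Stream          = $_.Stream
                        Length          = $_.Length
                        # Zone.Identifier is the mark-of-the-web stream written by
                        # browsers and mail clients on current Windows versions.
                        ZoneIdentifier  = ($_.Stream -eq 'Zone.Identifier')
                        LooksExecutable = $isPE
                    }
                }
        }
}

# Report unexpected streams first, executables at the top.
Find-AlternateStream -Root 'C:\Users' |
    Where-Object { -not $_.ZoneIdentifier } |
    Sort-Object -Property LooksExecutable, Length -Descending |
    Format-Table -AutoSize
```

Files that cannot be opened (locked or access-denied) are skipped silently, so run it elevated when the result is meant to be a complete inventory.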