mailing list archives
Re: Bypass Virus Checking
From: bsides () TOWERY COM (Brock Sides)
Date: Tue, 1 Feb 2000 14:46:13 -0600
NAV 4.0 running on NT successfully detects the EICAR test file even if
it's residing in RECYCLED.
Unix Systems Administration
bsides () towery com
On Sun, 30 Jan 2000, Neil Bortnak wrote:
Under Win95/98 the Recycle Bin is a system designed to make it easy for
users to "undelete" files. When a user deletes from the GUI, the file is
not really deleted but moved to a folder named "RECYCLED" located at the
root of that volume. If the folder does not exist, possibly because
nothing has ever been deleted on that volume, the directory is created.
The file is then renamed and information about the file's original name
and location are stored in an index file. When you look at the recycle
bin through the GUI, Windows reads the index files from each volume and
displays their contents. It does not display a raw directory listing.
You cannot easily access a raw directory listing through the GUI. When
you empty the recycle bin, Windows deletes all of the files in the
RECYCLED directories that have a corresponding entry in one of the
indexes. Therefore a file stored in a RECYCLED directory via DOS or a
program will not show up anywhere in the GUI and will not be deleted
when you empty the Recycle Bin.
4. Notes on NT
The exploit works great under NT. The anti-virus folk make the same
exclusions with NT checkers, presumably to deal with dual boot systems.
NT's default permissions allow this to work even when the machine is not
dual boot and has NTFS on all drives because EVERYONE can create
directories at the root. Just make a \RECYCLED directory and away you