RE: Long path exploit on NTFS
From: "Frank Heyne" <fh () rcs urz tu-dresden de>
Date: Fri, 8 Feb 2002 08:32:04 +0100

On 7 Feb 02, at 11:25, David Korn wrote:
> It would be interesting if Frank could
> describe the methodology he used, as the phrase "According to my own
> tests" suggests he was not using the same script.

I am sorry, it was my mistake, because I did not choose clear wording.
I wrote Sophos would not "find" virii in long paths, which is wrong most
What I found is that Sophos does not "move" virii into the \Sophos\Infected
directory when it is told to do so, and the virii are in a long path.
This reads as "no action taken" in the Sophos report.
This means if you use a long path, you can write a virus on disk, and
though Sophos will log it, it will not stop you.
BTW, Sophos is unable to find all virii in the NTFS file system, but this
has nothing to do with the length of the path. If the virus is in an ADS,
Sophos might ignore it. I tested this with a vbs virus which I put in a
file "a.txt:virus" while Sophos did not run. Then I started Sophos and
copied the virus into a new file "virus.txt" - Sophos did not complain.
The funny thing is that if you put the virus in a file "b.txt:virus.vbs",
Sophos will find it. And yes, Sophos is configured to find virii in files
I did not test other AV products, but probably they will have similar
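
The two conditions described in this message (files under paths longer than MAX_PATH, and content held in NTFS alternate data streams) can be inventoried independently of what an AV product reports. The following is an added example, not part of the original post and not Sophos code; it assumes PowerShell 7 or later on Windows, and `C:\Data` and the function name `Find-ScannerBlindSpot` are placeholders.

```powershell
# Added example, not from the original post. Assumes PowerShell 7+ on Windows
# (which can enumerate paths beyond MAX_PATH); C:\Data is a placeholder root.
param([string]$Root = 'C:\Data')

$MaxPath = 260  # Win32 MAX_PATH, the limit many file-handling tools still assume

function Find-ScannerBlindSpot {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_

            # Case 1: full path at or beyond MAX_PATH, the situation in which
            # the post saw "no action taken" instead of a move to quarantine.
            if ($file.FullName.Length -ge $MaxPath) {
                [pscustomobject]@{
                    Finding = 'LongPath'
                    Path    = $file.FullName
                    Detail  = "$($file.FullName.Length) characters"
                }
            }

            # Case 2: any named stream besides the default unnamed one (':$DATA'),
            # e.g. the "a.txt:virus" layout tested in the post.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        Finding = 'AlternateDataStream'
                        Path    = "$($file.FullName):$($_.Stream)"
                        Detail  = "$($_.Length) bytes"
                    }
                }
        }
}

Find-ScannerBlindSpot -Path $Root |
    Sort-Object Finding, Path |
    Format-Table -AutoSize -Wrap
```

Expect `Zone.Identifier` streams on downloaded files in the output; they are written by Windows itself and are normally benign.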