Re: when will AV vendors fix this???
From: "Bipin Gautam" <gautam.bipin () gmail com>
Date: Tue, 8 Aug 2006 07:54:13 +0545
This is similar to the problem of alternative data streams.
Essentially, the work needed to solve this problem isn't worth the
expenditure of time and effort, because the file, in order to infect the
system, has to be executed. Once the file is executed "normal"
on-access scanning will catch the exploit *if* it is known. (If it's
unknown, it doesn't matter anyway.) Yes, on-demand scanning won't "see"
the file, but even malicious files are benign until they are run.
I still insist, it might be a minor glitch to NOT ALLOW even admins to
access a private file directly, but it isn't an issue with windows at
I thought the files should be accessed via "SeTcbPrivilege" BUT it
but hey, most of "the file undelete utilities" already do this.....
if you try reading/copying an EXISTING file (via sys admin privilege)
using (say Restorer2000 Demo) it effectively bypasses file permission
regardless if it...... & can read the file! there must be another
undocumented? API doing this???
another note, even WINDOWS ONECARE is prone to this bug.
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/