Security Incidents
mailing list archives
RE: strange windows behaviour.
From: Chris Brenton <cbrenton () chrisbrenton org>
Date: 09 Oct 2003 19:26:23 -0400
On Wed, 2003-10-08 at 16:44, Schmehl, Paul L wrote:
> There's been a lot of discussion about this amongst av professionals.
> There's really no advantage to scanning streams because they are
> "inert".
It's not so much that it's "inert", as there is no known widespread virus
(notice the specific wording here ;-) that has leveraged the file
system. That and supporting streams means you have to handle NTFS
differently than FAT & FAT32. I wrote this about three years ago:
http://www.ists.dartmouth.edu/text/IRIA/knowledge_base/NTFS_advisory.php
In short, it explains how to nuke a system via streams. One nice twist
was that you were only vulnerable if you were actually running AV
software. ;-)
One AV vendor stepped up after my paper and started supporting streams.
The rest took a "let's wait and see" approach. AFAIK they still are.
> In order for the trojan to do anything, it has to "come out of
> hiding" as it were, and when it does, av on access scanning will detect
> it **if it's a known trojan**.
Again, read the above referenced paper. An attacker can actually use
this functionality to their advantage to do damage or have the AV
software delete/move critical files for the AV software, personal
firewall, etc. etc.
HTH,
C
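
Since the thread turns on scanners that skip NTFS streams, here is an added example (not part of the original message or the referenced advisory) of inventorying alternate data streams from the defender's side with PowerShell's built-in `-Stream` parameter. The audit root, the function name `Get-AlternateStream` and the allow-list are assumptions for illustration; directories, which can also carry streams, are out of scope here.

```powershell
# Added example: list files under a root that carry NTFS alternate data streams.
# Requires Windows PowerShell 3.0 or later and an NTFS volume.
param(
    [string]$Root = 'C:\Users\Public'      # assumed audit root, change as needed
)

function Get-AlternateStream {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Stream names Windows creates itself (download zone marker); assumed allow-list.
        [string[]]$Expected = @('Zone.Identifier')
    )

    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * returns every data stream; the unnamed default one is ':$DATA'.
            Get-Item -LiteralPath $file.FullName -Stream * -Force -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        Path     = $file.FullName
                        Stream   = $_.Stream
                        Bytes    = $_.Length
                        Expected = $Expected -contains $_.Stream
                    }
                }
        }
}

# Unexpected streams sort first; review those before the allow-listed ones.
Get-AlternateStream -Path $Root |
    Sort-Object Expected, Bytes |
    Format-Table -AutoSize
```

Rows with `Expected` set to `False` are the ones to review by hand, since an on-access scanner that ignores streams will not have looked at them.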