Subject: Re: Bypass Virus Checking
From: Paul L Schmehl (pauls UTDALLAS.EDU)
Date: Tue Feb 08 2000 - 14:50:20 CST
- Next message: Julian Midgley: "Zeus Web Server: Null Terminated Strings"
- Previous message: Aaron Ross: "Re: RFP2K01 - "How I hacked Packetstorm" (wwwthreads advisory)"
- In reply to: Eric D. Williams: "Re: Bypass Virus Checking"
- Reply: Paul L Schmehl: "Re: Bypass Virus Checking"
I doubt this would work. To introduce a virus into the system, it has to
be loaded into memory as an active program, not just written to disk. As
soon as the virus-infected file/program was launched (and thus became
active), the A/V program should/would detect its presence and alert the
user.

The reason pagefile.sys and recycle bins are not normally included in
default scanning is precisely because in those locations a virus is
essentially benign. If one were to try to activate it, normal detection
routines should discover its presence and remove it before any infection of
files takes place.

Furthermore, only pagefile.sys on specific drive letters is excluded from
scanning. So your proposed technique of writing to a nonexistent pagefile
would be precisely the same as writing to disk, which is a detectable
activity.
--On 2/3/00, 11:12 PM -0500 "Eric D. Williams" <eric INFOBRO.COM> wrote:
> Another stab with a little more clarity ---
>
Paul L. Schmehl, pauls utdallas.edu
Technical Support Services Manager
The University of Texas at Dallas