RE: strange windows behaviour.
From: Chris Brenton (cbrenton chrisbrenton.org)
Date: Thu Oct 09 2003 - 18:26:23 CDT
On Wed, 2003-10-08 at 16:44, Schmehl, Paul L wrote:
>
> There's been a lot of discussion about this amongst av professionals.
> There's really no advantage to scanning streams because they are
> "inert".
It's not so much that it's "inert", as there is no known widespread virus
(notice the specific wording here ;-) that has leveraged the file
system. That and supporting streams means you have to handle NTFS
differently than FAT & FAT32. I wrote this about three years ago:

http://www.ists.dartmouth.edu/text/IRIA/knowledge_base/NTFS_advisory.php

In short, it explains how to nuke a system via streams. One nice twist
was that you were only vulnerable if you were actually running AV
software. ;-)

One AV vendor stepped up after my paper and started supporting streams.
The rest took a "let's wait and see" approach. AFAIK they still are.
> In order for the trojan to do anything, it has to "come out of
> hiding" as it were, and when it does, av on access scanning will detect
> it **if it's a known trojan**.
Again, read the above referenced paper. An attacker can actually use
this functionality to their advantage to do damage or have the AV
software delete/move critical files for the AV software, personal
firewall, etc. etc.
HTH,
C