Subject: Re: Possible security issue in NAV2001 on Windows ME
From: Paul L Schmehl (pauls@UTDALLAS.EDU)
Date: Mon Oct 23 2000 - 13:22:31 CDT


Comments below.

--On Monday, October 23, 2000 11:06 AM -0600 Steve
<steve@SECURESOLUTIONS.ORG> wrote:

>
> I seem to remember a thread about them not scanning the Recycled directory
> as well. I am sure there are others.

There's a good reason for that. On access scanners should detect anything
viral that was being placed in the Recycle bin. Once it gets there, it's a
moot point. It's either going to be deleted or accessed again. In the
former case, it's gone. In the latter, it would be detected by the on
access scanner again.
>
[snip]
>
> When inside Windows ME, you are unable to copy/delete/move files into the
> _RESTORE directory. I would be willing to bet a round of beers that there
> is a registry key that controls this. So, you have to boot from a DOS
> boot disk in order to gain access to the protected directory. Kind of
> kills the chance of doing this remotely. Unless you managed to insert
> the copy process into the boot sequence before Windows ME boots and then
> wait for the user to reboot.

This is very common behavior in today's malware; make a system change and
lie in wait for a reboot - then activate the exploit. So a registry key to
set the status of the RESTORE directory would not protect against an
exploit of this nature.
>
[snip]
>
> I think it is a Windows ME issue as it is the O/S that is protecting that
> particular directory. Symantec probably does not scan that directory
> because they know that they are unable to make changes to the directory if
> required.

Why would that mitigate against scanning the directory? Possibly because,
like the Recycled bin, the only time something in that directory is a risk
to the system is when it is accessed, and the on access scanner should
detect that access and warn the operator.

You have to remember, on demand scanning is always a tradeoff between speed
and thoroughness. The larger the drive is (and the number of directories
and files are), the longer the scan takes, and the less likely the user is
to allow the scan to complete (unless they are knowledgeable and realize
the benefits outweigh the inconvenience.)

Since the RESTORE directory contains files that aren't used by the system
(in normal operation) and are duplicates of existing files, I'm sure
Symantec felt there was little to be gained by scanning them - on demand.

Paul L. Schmehl, pauls@utdallas.edu
Technical Support Services Manager
The University of Texas at Dallas
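The argument in the message above is that an on-demand scanner can safely skip directories such as Recycled and _RESTORE because an on-access scanner still sees the file the moment it is opened. The following is an added example, not code from the thread, Symantec or Microsoft, that models both behaviours side by side: a toy on-demand scanner that prunes an exclusion list while walking a tree, and a simulated on-access hook that checks every open regardless of where the file lives. The signature string, the directory names inside the sample tree (chosen to match the Windows ME directories named in the thread) and the helper names are all assumptions made for the illustration.

```python
import os
import shutil
import tempfile

# Constructed marker standing in for a real signature. It is not malware and
# is only used so the toy scanner has something to match on.
SIGNATURE = b"DEMO-SIGNATURE-NOT-MALWARE"

# Directory names an on-demand scanner might skip for speed, as the thread
# discusses (Windows ME Recycled and _RESTORE). Compared case-insensitively.
DEFAULT_EXCLUDES = {"recycled", "_restore"}


class AccessDenied(Exception):
    """Raised by the simulated on-access hook when a flagged file is opened."""


def is_infected(data: bytes) -> bool:
    """Toy signature check: flag any content containing the marker string."""
    return SIGNATURE in data


def on_demand_scan(root: str, excludes=DEFAULT_EXCLUDES) -> list:
    """Walk the tree, pruning excluded directory names, and return the
    relative paths (forward-slash separated) of every flagged file."""
    flagged = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Mutating dirnames in place tells os.walk not to descend into them;
        # this is the speed/thoroughness tradeoff the thread describes.
        dirnames[:] = [d for d in dirnames if d.lower() not in excludes]
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                if is_infected(fh.read()):
                    rel = os.path.relpath(path, root).replace(os.sep, "/")
                    flagged.append(rel)
    return sorted(flagged)


def on_access_open(path: str) -> bytes:
    """Simulated on-access hook: scan at open time, wherever the file lives.
    The exclusion list plays no part here, which is the point of the argument."""
    with open(path, "rb") as fh:
        data = fh.read()
    if is_infected(data):
        raise AccessDenied(path)
    return data


def access_blocked(path: str) -> bool:
    """Convenience wrapper: True if the on-access hook would refuse the open."""
    try:
        on_access_open(path)
    except AccessDenied:
        return True
    return False


def build_sample_tree():
    """Constructed sample tree: flagged content placed in the two excluded
    directories and in a normal one, plus a clean file. Returns the root and a
    mapping of forward-slash relative path -> absolute path."""
    root = tempfile.mkdtemp(prefix="scan_demo_")
    layout = {
        "_RESTORE/TEMP/A0001.CPY": SIGNATURE,          # protected restore area
        "RECYCLED/DC1.EXE": SIGNATURE,                 # recycle bin
        "Program Files/app.exe": SIGNATURE + b"\x00",  # ordinary location
        "Program Files/readme.txt": b"nothing to see",  # clean file
    }
    paths = {}
    for rel, data in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
        paths[rel] = full
    return root, paths


if __name__ == "__main__":
    root, paths = build_sample_tree()
    try:
        print("on-demand (with excludes):", on_demand_scan(root))
        print("on-demand (no excludes):  ", on_demand_scan(root, excludes=set()))
        for rel, full in paths.items():
            print(f"on-access {rel}: {'BLOCKED' if access_blocked(full) else 'allowed'}")
    finally:
        shutil.rmtree(root)
```

Running it shows the on-demand pass reporting only the file under Program Files while the on-access hook refuses the copies under _RESTORE and RECYCLED as soon as they are opened. The remaining gap, which the thread also raises, is anything that arranges to run before the on-access scanner is loaded, for instance during the next boot; a file-open hook like this one cannot see accesses that happen before it is installed.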

_____________________________________________________________________
** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
SEND ALL COMMANDS TO: listserv@listserv.ntsecurity.net