
Re: when will AV vendors fix this???



At 22:35 07.08.2006, Paul Schmehl wrote:

[...]
> This is similar to the problem of alternative data streams. Essentially, the 
> work needed to solve this problem isn't worth the expenditure of time and 
> effort, because the file, in order to infect the system, has to be executed.  
> Once the file is executed "normal" on-access scanning will catch the exploit 
> *if* it is known.  (If it's unknown, it doesn't matter anyway.)  Yes, 
> on-demand scanning won't "see" the file, but even malicious files are benign 
> until they are run.
[...]

No, that's not the case. On-Access scanner *might* be able to catch the malware 
(if it's a known variant), but it could be that the scanner is missing the 
file, depending on its implementation. The same applies to the On-Demand 
scanner: it might or might not detect it, even if the *known* malware can still 
run on a system, as many tricks exist to get the file executed. Here are two 
articles showing this with ADS, including some test results:

Dangers from the Twilight Zone | Alternate Data Streams can still be hiding 
places for malware
Microsoft's NTFS file system supports Alternate Data Streams to store 
additional information about a file. Malware can lurk in such streams. 
Nonetheless, a year and a half after the first ADS test of 18 virus scanners 
still not all of them reliably detect malware in ADS. [...]
<http://www.heise-security.co.uk/articles/74892>

Danger from the Shadow World, Part 2 | Alternate Data Streams as a hiding place 
for malware
Microsoft's NTFS file system supports Alternate Data Streams to store additional 
information about a file. Malware can also hide in such streams. A year and a 
half after the first ADS test of 18 virus scanners, still not all products 
reliably detect malware in ADS.
<http://www.heise.de/security/artikel/74641>


cheers,
Andreas Marx
CEO, AV-Test.org

<http://www.av-test.org>
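As an added example (not part of this thread or of AV-Test's tooling), the PowerShell function below lists the non-default NTFS streams under a directory so that an on-demand scan or a manual review can cover streams a scanner may skip; it assumes Windows PowerShell 5.1 or PowerShell 7 on an NTFS volume, and the function name and `C:\Users` path are placeholders.

```powershell
# Added example: enumerate alternate data streams under a directory tree so
# they can be reviewed or fed to a scanner explicitly. Hypothetical helper,
# not from the thread. Assumes Windows PowerShell 5.1+ on NTFS.
function Find-AlternateDataStreams {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [int] $MinLength = 0          # skip tiny streams (e.g. empty markers)
    )
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_.FullName
            # -Stream * lists every stream; ':$DATA' is the file's normal content.
            # 'Zone.Identifier' is the common, benign Mark-of-the-Web stream.
            Get-Item -LiteralPath $file -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' -and $_.Length -ge $MinLength } |
                ForEach-Object {
                    # Peek at the first two bytes: "MZ" marks a PE executable image.
                    $head = if ($PSVersionTable.PSVersion.Major -ge 6) {
                        Get-Content -LiteralPath $file -Stream $_.Stream -AsByteStream -TotalCount 2
                    } else {
                        Get-Content -LiteralPath $file -Stream $_.Stream -Encoding Byte -TotalCount 2
                    }
                    [pscustomobject]@{
                        File        = $file
                        Stream      = $_.Stream
                        Length      = $_.Length
                        LooksLikePE = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
                    }
                }
        }
}

# Usage: report every non-default stream under C:\Users, largest first.
Find-AlternateDataStreams -Path 'C:\Users' -MinLength 1 |
    Sort-Object Length -Descending |
    Format-Table -AutoSize
```

Streams flagged with `LooksLikePE` are the ones to hand to the on-demand scanner or to inspect by hand, since the thread's point is that not every product looks there on its own.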
