Re: when will AV vendors fix this???
At 22:35 07.08.2006, Paul Schmehl wrote:
[...]
> This is similar to the problem of alternative data streams. Essentially, the
> work needed to solve this problem isn't worth the expenditure of time and
> effort, because the file, in order to infect the system, has to be executed.
> Once the file is executed "normal" on-access scanning will catch the exploit
> *if* it is known. (If it's unknown, it doesn't matter anyway.) Yes,
> on-demand scanning won't "see" the file, but even malicious files are benign
> until they are run.
[...]
No, that's not the case. On-Access scanner *might* be able to catch the malware
(if it's a known variant), but it could be that the scanner is missing the
file, depending on its implementation. The same applies to the On-Demand
scanner: it might or might not detect it, even if the *known* malware can still
run on a system, as many tricks exist to get the file executed. Here are two
articles showing this with ADS, including some test results:
Dangers from the Twilight Zone | Alternate Data Streams can still be hiding
places for malware
Microsoft's NTFS file system supports Alternate Data Streams to store
additional information about a file. Malware can lurk in such streams.
Nonetheless, a year and a half after the first ADS test of 18 virus scanners
still not all of them reliably detect malware in ADS. [...]
<http://www.heise-security.co.uk/articles/74892>
Danger from the Shadow World, Part 2 | Alternate Data Streams as a hiding place
for malware
Microsoft's NTFS file system supports Alternate Data Streams to store additional
information about a file. Malware can also hide in such streams. A year and a
half after the first ADS test of 18 virus scanners, however, still not all
products reliably detect malware in ADS.
<http://www.heise.de/security/artikel/74641>
cheers,
Andreas Marx
CEO, AV-Test.org
<http://www.av-test.org>
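
An added example, not part of the original message: one way for a defender to check independently of a scanner which files carry named NTFS streams, and whether a stream's content begins with the "MZ" executable header. It assumes Windows PowerShell 5.1 and an NTFS volume behind `$env:TEMP`; the scratch directory, the sample file and the function name `Find-NamedStream` are hypothetical.

```powershell
# Added example. Assumes Windows PowerShell 5.1 and an NTFS volume for $env:TEMP.
# Constructed sample: a text file with one named stream whose first bytes are "MZ".
$root = Join-Path $env:TEMP 'ads-demo'      # hypothetical scratch directory
New-Item -ItemType Directory -Path $root -Force | Out-Null
$sample = Join-Path $root 'notes.txt'
Set-Content -LiteralPath $sample -Value 'visible content'
Set-Content -LiteralPath $sample -Stream 'demo' -Encoding Byte `
    -Value ([byte[]](0x4D, 0x5A, 0x00, 0x00))

function Find-NamedStream {
    param([Parameter(Mandatory)][string]$Path)

    # -File limits the walk to files; streams attached to directories are not covered.
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_.FullName
        # -Stream * lists every stream; ':$DATA' is the ordinary, unnamed file content.
        Get-Item -LiteralPath $file -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            # Read only the first two bytes of the named stream.
            $head = @(Get-Content -LiteralPath $file -Stream $_.Stream `
                        -Encoding Byte -TotalCount 2 -ErrorAction SilentlyContinue)
            [pscustomobject]@{
                File         = $file
                Stream       = $_.Stream
                Length       = $_.Length
                StartsWithMZ = ($head.Count -eq 2 -and
                                $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
            }
        }
    }
}

# Report the named streams found in the constructed sample, then clean up.
Find-NamedStream -Path $root | Format-Table -AutoSize
Remove-Item -LiteralPath $root -Recurse -Force
```

Files downloaded through a browser normally carry a `Zone.Identifier` stream, so expect those in the output on a real directory tree.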