Andreas Marx wrote:
You've got my curiosity now. Are you saying that no AV product will "see" exploit once it enters memory? Granted, that's one step further than on-access, but I thought that all AV products (now) were looking at memory for file accesses.At 22:35 07.08.2006, Paul Schmehl wrote: [...]This is similar to the problem of alternative data streams. Essentially, the work needed to solve this problem isn't worth the expenditure of time and effort, because the file, in order to infect the system, has to be executed. Once the file is executed "normal" on-access scanning will catch the exploit *if* it is known. (If it's unknown, it doesn't matter anyway.) Yes, on-demand scanning won't "see" the file, but even malicious files are benign until they are run.[...] No, that's not the case. On-Access scanner *might* be able to catch the malware (if it's a known variant), but it could be that the scanner is missing the file, depending on it's implementation. The same applies to the On-Demand scanner: it might or might not detect it, even if the *known* malware can still run on a system, as many tricks exists to get the file executed. Here are two articles showing this with ADS, including some test results:
-- Paul Schmehl (pauls@xxxxxxxxxxxx) Adjunct Information Security Officer The University of Texas at Dallas http://www.utdallas.edu/ir/security/
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature