<<< Date Index >>>     <<< Thread Index >>>

Re: [Full-disclosure] Re: when will AV vendors fix this???



Andreas Marx wrote:
At 22:35 07.08.2006, Paul Schmehl wrote:

[...]
This is similar to the problem of alternative data streams. Essentially, the work needed to solve 
this problem isn't worth the expenditure of time and effort, because the file, in order to infect 
the system, has to be executed.  Once the file is executed "normal" on-access scanning 
will catch the exploit *if* it is known.  (If it's unknown, it doesn't matter anyway.)  Yes, 
on-demand scanning won't "see" the file, but even malicious files are benign until they 
are run.
[...]

No, that's not the case. On-Access scanner *might* be able to catch the malware 
(if it's a known variant), but it could be that the scanner is missing the 
file, depending on it's implementation. The same applies to the On-Demand 
scanner: it might or might not detect it, even if the *known* malware can still 
run on a system, as many tricks exists to get the file executed. Here are two 
articles showing this with ADS, including some test results:

You've got my curiosity now. Are you saying that no AV product will "see" exploit once it enters memory? Granted, that's one step further than on-access, but I thought that all AV products (now) were looking at memory for file accesses.

--
Paul Schmehl (pauls@xxxxxxxxxxxx)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature