On Sat, 5 Aug 2006 13:05:56 +0545 Bipin Gautam wrote: > if there is a directory/file a EVIL_USER is willing to hide from > antivirus scanner all he has to do is fire up a command prompt & run > the command; > > cacls.exe TORJANED_FILE_OR_DIRECTORY_NAME /T /C /P EVIL_USER:R Too simple - access is really denied to every user except evil_user in this case - even to Administrators *and* SYSTEM. The only way to read this file without resetting the CALs would go through the backup API of Windows. > SOLUTION: > AV already running with administrative privilage if the system > administrator is starting manual scan, so what does AV should do is > excelate its (manual scan) OF THE ANTIVIRUS SCANNER ENGINE/DRIVER (not > the GUI) privilage to SYSTEM Won't help. They really would need to rewrite their products to use the backup API for file reading. This may have other implications I am not aware of. > And one more thing, if during AV scan if a file can't be opened due to > some processes LOCKING the file.... Instead of going through the > regular file open process AV should instead directly read the SECTORS > of the hdd This might seem to be a bright idea at first, however, there are problems with this approach. For one, the AV system would have to interpret the filesystem on its own. Since NTFS is not documented and pretty complicated, this is an error-prone task and I have no confidence AV vendors might be able to master it correctly. Then, even if you are able to read sectors (a non-trivial task under Windows as well), a file is usually not locked without reason - it will likely undergo some changes even *during the scan* so the results will be mostly useless. What you'd use instead is the Volume Shadow Copy (aka Snapshot) feature as done with various backup applications. > am i clear??? Discussions, welcome! Implementing your suggestions (or "my" variations thereof) would mean putting a lot of effort into implementation of an intrinsically broken and useless idea of "malware scanners as a security measure". I've already done some posting to bugtraq and full-disclosure on this topic which I won't like to repeat here - check the archives if you're interested. -- Denis Jedig syneticon networks GbR http://syneticon.net/service/