> -----Original Message-----
> From: Bipin Gautam
> Sent: Saturday, August 05, 2006 9:21 AM
> Subject: when will AV vendors fix this???
>
> to keep things simple, let me give you a situation;
>
> if there is a directory/file an EVIL_USER is willing to hide from
> antivirus scanner all he has to do is fire up a command prompt & run
> the command;
>
> cacls.exe TORJANED_FILE_OR_DIRECTORY_NAME /T /C /P EVIL_USER:R
>
>
> next time EVEN when the administrator starts the antivirus "system
> scan" the TORJANED_FILE_OR_DIRECTORY_NAME will be effectively
> bypassed as the ownership of the directory is just of the user account
> named; EVIL_USER and the antivirus "manual scan" is running just with
> the privilege of ADMINISTRATOR
>
> by this way a malicious executable can remain hidden in the system
> BYPASSING THE SCAN even when the AV scanner is run by administrator!!!

But I cannot execute this file, because I have no access. If I get access, the anti-virus program will also get access... So I might be able to hide something, but I can't do anything.

Also, to hide something, I have to bypass the autoprotection... You shouldn't be able to do this...

-- Whistl0r
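Both posts turn on a scan that passes over objects the scanning account cannot open. As an added example (not code from either poster), the sketch below walks a tree and reports every file or directory it could not read, so the coverage gap is visible in the scan result. The function names are hypothetical, and the denied file in `demo()` is simulated on a constructed temporary tree.

```python
import os
import tempfile

def _probe(path):
    # A scanner must at least be able to open and read the object.
    with open(path, "rb") as fh:
        fh.read(1)

def audit_scan_coverage(root, probe=_probe):
    """Return (scanned, skipped); skipped holds (path, reason) for every
    object the current account could not list or read."""
    scanned, skipped = [], []
    stack = [root]
    while stack:
        current = stack.pop()
        try:
            with os.scandir(current) as it:
                entries = sorted(it, key=lambda e: e.name)
        except OSError as exc:  # PermissionError is a subclass of OSError
            skipped.append((current, f"cannot list directory: {exc.strerror}"))
            continue
        for entry in entries:
            try:
                if entry.is_dir(follow_symlinks=False):
                    stack.append(entry.path)
                    continue
                probe(entry.path)
                scanned.append(entry.path)
            except OSError as exc:
                skipped.append((entry.path, f"cannot read file: {exc.strerror}"))
    return scanned, skipped

def demo():
    # Constructed sample tree. "locked.bin" stands in for an object whose ACL
    # excludes the scanning account; the denial is simulated by the probe.
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "docs"))
        for rel in (("docs", "a.txt"), ("docs", "locked.bin"), ("b.txt",)):
            with open(os.path.join(root, *rel), "wb") as fh:
                fh.write(b"sample")
        def probe(path):
            if os.path.basename(path) == "locked.bin":
                raise PermissionError(13, "Permission denied", path)
            _probe(path)
        scanned, skipped = audit_scan_coverage(root, probe)
        return (sorted(os.path.relpath(p, root) for p in scanned),
                [(os.path.relpath(p, root), why) for p, why in skipped])

if __name__ == "__main__":
    print(demo())
```

A non-empty `skipped` list is the signal to follow up on: the scan finished, but it did not cover those paths.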