At 22:35 07.08.2006, Paul Schmehl wrote:
[...]
> This is similar to the problem of alternative data streams. Essentially, the
> work needed to solve this problem isn't worth the expenditure of time and
> effort, because the file, in order to infect the system, has to be executed.
> Once the file is executed "normal" on-access scanning will catch the exploit
> *if* it is known. (If it's unknown, it doesn't matter anyway.) Yes,
> on-demand scanning won't "see" the file, but even malicious files are benign
> until they are run.
[...]

No, that's not the case. On-Access scanner *might* be able to catch the
malware (if it's a known variant), but it could be that the scanner is
missing the file, depending on its implementation. The same applies to the
On-Demand scanner: it might or might not detect it, even if the *known*
malware can still run on a system, as many tricks exist to get the file
executed.

Here are two articles showing this with ADS, including some test results:

Dangers from the Twilight Zone | Alternate Data Streams can still be hiding
places for malware
Microsoft's NTFS file system supports Alternate Data Streams to store
additional information about a file. Malware can lurk in such streams.
Nonetheless, a year and a half after the first ADS test of 18 virus scanners
still not all of them reliably detect malware in ADS. [...]
<http://www.heise-security.co.uk/articles/74892>

Danger from the Shadow World, Part 2 | Alternate Data Streams as a hiding
place for malware
Microsoft's NTFS file system supports Alternate Data Streams to store
additional information about a file. Malware can also hide in such streams.
A year and a half after the first ADS test of 18 virus scanners, however,
still not all products reliably detect malware in ADS.
<http://www.heise.de/security/artikel/74641>

cheers,
Andreas Marx
CEO, AV-Test.org
<http://www.av-test.org>
