Dear bipin gautam,

Your statements about "all antivirus" and "design fault" are wrong; it strongly depends on the way manual scanning is implemented in the specific product.

1. Many antiviral products implement their own kernel driver to access the scanned file. In this case permissions have no impact on scanning.

2. Many antiviral products use their own daemon, running as SYSTEM; the scanner uses this daemon to access files. The daemon may acquire SeBackupPrivilege. With backup privilege the daemon can bypass ACLs. Same goes for scanning with an administrator's account.

You still can bypass antiviral protection for manual scans with file encryption (on-access scanners may impersonate the accessing user). This time the file can only be scanned by an administrator if the administrator is a recovery agent.

--Saturday, October 2, 2004, 6:37:35 AM, you wrote to [EMAIL PROTECTED]:

bg> All Antivirus, Trojan, Spy ware scanner, Nested file
bg> manual scan bypass bugs. [Part IV]
bg>
bg> Risk Level: Medium
bg> Affected Product: (Should be) all Antivirus, Trojan,
bg> Spy ware scanners for windows.
bg>
bg> Description:
bg> ------------
bg> A malicious code can reside in a computer (with user's
bg> privilege) bypassing "manual scans" of any
bg> Antivirus, Trojan & Spy ware scanners by simply
bg> issuing this command to itself.
bg>
bg> cacls hUNT.exe /T /C /P dumb_user:R
bg>
bg> ...this is only due to the design fault in Microsoft
bg> Windows, the way it handles NTFS permission. By this
bg> way... any software with even Admin./SYSTEM
bg> privilege can't access this file (hUNT.exe) normally
bg> because the only person who has normal access to this
bg> file is "dumb_user"
bg>
bg> No wonder, there are several false assumptions in
bg> windows security configuration as well, when a JOE
bg> administrator could permanently lock himself up in his
bg> own machine.
bg>
bg> regards,
bg> Bipin Gautam
bg> http://www.geocities.com/visitbipin
bg>
bg> Disclaimer: The information in the advisory is
bg> believed to be accurate at the time of printing based
bg> on currently available information. Use of the
bg> information constitutes acceptance for use in an AS IS
bg> condition. There are no warranties with regard to this
bg> information. Neither the author nor the publisher
bg> accepts any liability for any direct, indirect or
bg> consequential loss or damage arising from use of, or
bg> reliance on this information.
bg>
bg> _______________________________________________
bg> Full-Disclosure - We believe in it.
bg> Charter: http://lists.netsys.com/full-disclosure-charter.html

--
~/ZARAZA
Trouble will begin at eight. (Twain)
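The exchange above comes down to one question: can the account a manual scanner runs as actually open the file, or does the NTFS DACL (as after the quoted `cacls ... /P dumb_user:R`) leave it unreadable unless the scanner holds SeBackupPrivilege or uses its own kernel driver. The following PowerShell audit is an added example, not code from either poster; it walks a directory tree and reports files whose DACL grants no effective read access to the accounts a scanner typically uses. The function name, its parameter and the identity list are this example's own assumptions, and the identity list is an approximation of group membership rather than a full effective-access computation.

```powershell
# Added example, not from the thread. Audits a directory tree for files that an
# Administrator/SYSTEM scanner without SeBackupPrivilege could not open, i.e.
# files whose DACL grants neither SYSTEM, Administrators nor the broad built-in
# groups read access. Assumptions: run from an elevated PowerShell; the function
# name, parameter and identity list are this example's own choices.
function Find-AclRestrictedFiles {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path
    )

    # Accounts/groups through which a scanner running as SYSTEM or an
    # administrator would normally be granted access (approximation).
    $scannerIdentities = @(
        'NT AUTHORITY\SYSTEM',
        'BUILTIN\Administrators',
        'BUILTIN\Users',
        'NT AUTHORITY\Authenticated Users',
        'Everyone'
    )
    $readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData

    # -Force lists hidden/system files; listing needs directory rights only,
    # so files we cannot open are still enumerated.
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        try {
            $acl = Get-Acl -LiteralPath $file.FullName -ErrorAction Stop
        } catch {
            # Reading the security descriptor needs READ_CONTROL. A DACL that only
            # grants the creating user (who is also the owner) gives an
            # administrator "access denied" already at this step.
            [pscustomobject]@{
                Path   = $file.FullName
                Owner  = $null
                Reason = "Cannot read ACL: $($_.Exception.Message)"
            }
            return
        }

        # Per identity: readable only if there is an Allow ACE containing
        # ReadData and no Deny ACE containing ReadData (Deny wins in NTFS).
        $readable = $false
        foreach ($id in $scannerIdentities) {
            $allow = $false
            $deny  = $false
            foreach ($ace in $acl.Access) {
                if ($ace.IdentityReference.Value -ne $id) { continue }
                $hasRead = (([int]$ace.FileSystemRights) -band $readData) -ne 0
                if (-not $hasRead) { continue }
                if ($ace.AccessControlType -eq 'Allow') { $allow = $true } else { $deny = $true }
            }
            if ($allow -and -not $deny) { $readable = $true; break }
        }

        if (-not $readable) {
            [pscustomobject]@{
                Path   = $file.FullName
                Owner  = $acl.Owner
                Reason = 'No effective read access for SYSTEM/Administrators/built-in groups'
            }
        }
    }
}

# Usage (elevated shell): list restricted files under the user profiles
# Find-AclRestrictedFiles -Path 'C:\Users' | Format-Table -AutoSize
```

Every path this reports is a candidate for the "manual scan silently skips it" case the thread describes; a file that fails at the `Get-Acl` step is the strongest signal, because even the security descriptor is closed to the administrator. For analysis of such a file an administrator can fall back to exactly the mechanism ZARAZA mentions, backup privilege: `robocopy` with the `/B` (backup mode) switch copies files that the DACL would otherwise refuse, and the copy can then be submitted to the scanner or an isolated analysis host.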
