Andreas Marx wrote:
> At 22:35 07.08.2006, Paul Schmehl wrote:
>
> [...]
>> This is similar to the problem of alternative data streams. Essentially, the work needed to solve this problem isn't worth the expenditure of time and effort, because the file, in order to infect the system, has to be executed. Once the file is executed "normal" on-access scanning will catch the exploit *if* it is known. (If it's unknown, it doesn't matter anyway.) Yes, on-demand scanning won't "see" the file, but even malicious files are benign until they are run.
> [...]
>
> No, that's not the case. On-Access scanner *might* be able to catch the malware (if it's a known variant), but it could be that the scanner is missing the file, depending on it's implementation. The same applies to the On-Demand scanner: it might or might not detect it, even if the *known* malware can still run on a system, as many tricks exists to get the file executed. Here are two articles showing this with ADS, including some test results:
>
You've got my curiosity now. Are you saying that no AV product will
"see" exploit once it enters memory? Granted, that's one step further
than on-access, but I thought that all AV products (now) were looking at
memory for file accesses.

--
Paul Schmehl (pauls (at) utdallas (dot) edu [email concealed])
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
0? *?H?÷

 ?0?

10 +0? *?H?÷


 ?N0?Ø0?A 
Aì=§?ÄöÕÝÑe0
 *?H?÷


0Á10 UUS10U
VeriSign, Inc.1<0:U3Class 2 Public Primary Certification Authority - G21:08U1(c) 1998 VeriSign, Inc. - For authorized use only10UVeriSign Trust Network0
990331000000Z
090330235959Z0ê1'0%U
The University of Texas System10UVeriSign Trust Network1;09U2Terms of use at https://www.verisign.com/rpa (c)991200U)Class 2 CA - OnSite Individual Subscriber1-0+U$The University of Texas at Dallas CA0?0
 *?H?÷



0?¿êï?ë
Áù"ÁÑÁÌÛzÚ¾6Òp`0`åàS/5ôɨ)ÖÞ=ó?d}¾Ñ?Tx?ÿ¢xñû?«Ãü?LÂIA
áÀÒ¥×ü~ÿBQNtó
Õhs¥]1øæ)%c¨#?Dj?°9ñïÛFXú¸ÏKózÁ¢I??#Cº?2?

£¥0¢0
)U"0 ¤010UPrivateLabel1-1400 `?H
?øB


0DU =0;09`?H
?øE


0*0(+

https://www.verisign.com/RPA0U
0

ÿ
0U
0
 *?H?÷


S µÜ²¶?Ñ P?É8yÜȲI¿¸S?o?̲äz|ü£è_a^_??ZÒ?
"ñ¼íñT¶T¦T¡T¼iÇ!7¢?9?§¬ ?è?]?
H9Y?$ C¼??Ü?táæã¾j¤?11#%?¯º,Q?Y¦£?Ò´ÎT0?s0?Ü 
0?8âöØúÇ'Æ?EÐÀ0
 *?H?÷


0ê1'0%U
The University of Texas System10UVeriSign Trust Network1;09U2Terms of use at https://www.verisign.com/rpa (c)991200U)Class 2 CA - OnSite Individual Subscriber1-0+U$The University of Texas at Dallas CA0
060721000000Z
070721235959Z0ô1'0%U
The University of Texas System1-0+U$The University of Texas at Dallas CA1F0DU=www.verisign.com/repository/CPS Incorp. by Ref.,LIAB.LTD(c)9910UMail Stop - UTD10UPaul Schmehl1!0 *?H?÷


pauls (at) utdallas (dot) edu0 [email concealed]?0
 *?H?÷



0?«P? L;帽?¿ÿN?C4ÓÝj¿©DQ?BùTÍn?"Î?æQ?#Ç>ª¯DéÙ2+Ù³¤±E:
??¸z??8?ù"Ö"è½ÎpXµX
 ?±ù
â$¶3\?
­Z?³µ%÷öÍïn;õv»¢èwfcÅ?í¡b?F?¥

£?0?0 U00U0pauls (at) utdallas (dot) edu0 [email concealed]?
$U ?
0?
0?
`?H
?øE

0?
0++

https://www.verisign.com/rpa-
kr0Ò+
0ÅÂNOTICE: Private key may be recovered by VeriSign's customer who may be able to decrypt messages you send to certificate holder. Use is subject to terms at https://www.verisign.com/rpa-kr (c)99.0 `?H
?øB

?0uUn0l0j h f?dhttp://onsitecrl.verisign.com/TheUnive
rsityofTexasSystemTheUniversityofTexasatDallasCA/LatestCRL.crl0U
 0U%0+
+
0
 *?H?÷


5ð·
ku¶ºCO\ê¹ïG?ìEzBü?³^¬À?÷¥2üë&Ö?JFâ ?ЪuPPé̲ù+Ê%?ÝÌ&©mT¼¶¦ûÇh
?û¦°}ò?Í?Q??©°ú+büWýè÷ÅÏqXXJȨ¯ÆV6UÕ!ת ¸0?÷0?` 
G@±-
¸ñ? µ_=c0
 *?H?÷


0ê1'0%U
The University of Texas System10UVeriSign Trust Network1;09U2Terms of use at https://www.verisign.com/rpa (c)991200U)Class 2 CA - OnSite Individual Subscriber1-0+U$The University of Texas at Dallas CA0
060721000000Z
070721235959Z0ô1'0%U
The University of Texas System1-0+U$The University of Texas at Dallas CA1F0DU=www.verisign.com/repository/CPS Incorp. by Ref.,LIAB.LTD(c)9910UMail Stop - UTD10UPaul Schmehl1!0 *?H?÷


pauls (at) utdallas (dot) edu0 [email concealed]?
"0
 *?H?÷



?
0?

?

¸lðíSvN½Ùê7·a_^
¬e7@Ëm#¼eþqb?fjl2íO'©?·R?,ǹàg<Ò?©÷SÒ?0Âò?}F,¾hzÒÄlþ?NrÔFæÊ?x¬ÖìlÀPe§Û9TS¢$ú?
1Ǥà=?¿:.ãnáÆè×iü¬£ÎJÜ®¢md)?1¼ÖtÁé'?¼áfm8Z?É?«±§P?\/(=&ü?h<|Q?
ýqºBâë&à?ìÅâ§P¡Çv)cfÉO>¥ ó96S)Çtä?ÉU_õp\?ý´óßZ?
ÝÙI]®ñK?e??zc¯Æ·!ÐÓ

£?0?0 U00U0pauls (at) utdallas (dot) edu0 [email concealed]?
$U ?
0?
0?
`?H
?øE

0?
0++

https://www.verisign.com/rpa-
kr0Ò+
0ÅÂNOTICE: Private key may be recovered by VeriSign's customer who may be able to decrypt messages you send to certificate holder. Use is subject to terms at https://www.verisign.com/rpa-kr (c)99.0 `?H
?øB

?0uUn0l0j h f?dhttp://onsitecrl.verisign.com/TheUnive
rsityofTexasSystemTheUniversityofTexasatDallasCA/LatestCRL.crl0U
?0U%0+
+
0
 *?H?÷


=Pjcrª?:%ºs#NèÜ?EÈÈ´RB֐Ó)'ÖW¥ÉTѹ?v>Ï!É?og<\ê/¦?
ò?fb¸h¯!¦Â`úØ???õ?/)#ìD??»»3ø?J´Í}ÌÀ36'3?u?zÝ?¯©bn?Ku9¤ô|
MG1?0?

0ÿ0ê1'0%U
The University of Texas System10UVeriSign Trust Network1;09U2Terms of use at https://www.verisign.com/rpa (c)991200U)Class 2 CA - OnSite Individual Subscriber1-0+U$The University of Texas at Dallas CAG@±-¸ñ? µ_=c0 + ?Ý0 *?H?÷

1 *?H?÷


0 *?H?÷

1
060814203315Z0# *?H?÷

1ôøCw¦0ªl8?@?V)¢=¿Ú0R *?H?÷

1E0C0
*?H?÷
0*?H?÷
?0
*?H?÷

@0+0
*?H?÷

(0?
 +

?71?
0ÿ0ê1'0%U
The University of Texas System10UVeriSign Trust Network1;09U2Terms of use at https://www.verisign.com/rpa (c)991200U)Class 2 CA - OnSite Individual Subscriber1-0+U$The University of Texas at Dallas CA0?8âöØúÇ'Æ?EÐÀ0?
*?H?÷

1?
 ÿ0ê1'0%U
The University of Texas System10UVeriSign Trust Network1;09U2Terms of use at https://www.verisign.com/rpa (c)991200U)Class 2 CA - OnSite Individual Subscriber1-0+U$The University of Texas at Dallas CA0?8âöØúÇ'Æ?EÐÀ0
 *?H?÷



?
°¾&'yðâ±Ê;@ÕÈñ«m¬ÓJ/,=e?{?dñkÖ?F^Wæ×O8
??×òÅ
àÇ?z3A?Ù ?Q×á6£Ç?d(k§·6uÁw?ßñAtOFÙÿ5JÁnª\Éõ*??=ó??á
R?A>ÿJco]?¼
´qdV®jÏ2?Õÿ[³uÏ Ú?+ÄvÂ?5þë0?c Æ?Ç|:?÷HØkK?°ÉK?ñ¯§êØub8Ü 25«±¼M^?FF??ðÖké±*?/íô«?,ÚÃMÓÚìÂÓ?Jôí§ 2h?Òíáë9?=?å«_Àz

[ reply ]