Author Topic: New shutdown vulnerability  (Read 7208 times)

igor (Avast team)
« Reply #15 on: September 20, 2009, 04:13:19 PM »
Well, can you execute the eicar file?

spg SCOTT (Guest)
« Reply #16 on: September 20, 2009, 04:15:14 PM »
I think you missed the point; it is blocked if something tries to execute it.
(At least that is how I read it.)

igor,

What about the standard shield 'scan created/modified files'? Should this not catch it?

Oops, missed igor's post ;)

igor (Avast team)
« Reply #17 on: September 20, 2009, 04:19:32 PM »
Scanning created/modified files is "on close" - so even if ashDisp.exe is running and avast! is able to ask, it asks after the file is created (or infected), i.e. when the malware is already on disk.
Here, it can't ask, so it doesn't do anything.

Silent mode could work as well... don't know.

spg SCOTT (Guest)
« Reply #18 on: September 20, 2009, 04:25:16 PM »
> Scanning created/modified files is "on close" - so even if ashDisp.exe is running and avast! is able to ask, it asks after the file is created (or infected), i.e. when the malware is already on disk.
> Here, it can't ask, so it doesn't do anything.
>
> Silent mode could work as well... don't know.

So that setting requires ashDisp?
Is that right?
It is still caught by other methods when executed though.


RejZoR
« Reply #19 on: September 20, 2009, 04:34:22 PM »
avast! "doesn't do anything". But can you execute EICAR? If the file is left on disk, that doesn't mean avast! didn't prevent its execution. The execution was blocked; the file was just not deleted/quarantined. That's all. So in the end avast! did detect the file, but since its graphical user interface was terminated, it just blocked the file and finished at that. If the GUI was available, it would have asked the user what to do with the file. So bottom line, I don't see this as a vulnerability. Unless you can get the malware to execute when ashDisp.exe is terminated.

jaikrishna (Guest)
« Reply #20 on: September 22, 2009, 04:12:04 AM »
Yes, the EICAR file can be executed. It opens a command prompt and does something, then exits. ???