Author Topic: Security hole in on-access scanner ?  (Read 15543 times)


Offline Le Doc

  • Sr. Member
  • ****
  • Posts: 230
  • Computer obey to orders, not to intentions.
    • La Halle online
Re:Security hole in on-access scanner ?
« Reply #30 on: June 13, 2004, 12:55:43 PM »
I found out something really strange !!

I copied the "tést" directory and "eicar.com" file to an NTFS partition and now the on-access scanner detects it. It seems that the problem comes from the FAT32 partitions. I tested all my FAT32 partitions and the eicar was never detected on them (if accents used). It is detected on all NTFS partitions (with or without accents)  ???

vlk, I have Windows 2000 SP4 fully patched (French), avast 4.1.412 (French), VPS 0424-3.

Avast HE 4.1.418 (french)
Windows 2000 PRO (french) - SP4 + patches
nforce 2 motherboard (IGP)
AMD 1800+, 512 MB, 160 GB + 40 GB

Offline softwareguy

  • Sr. Member
  • ****
  • Posts: 245
  • WARNING! Worm Found!
Re:Security hole in on-access scanner ?
« Reply #31 on: June 13, 2004, 06:38:29 PM »
Your FAT32 partitions aren't using 8.3 DOS Filenames, right?  :-\
Hmmm....

Avast - Your Worms Extinguisher

Offline Le Doc

Re:Security hole in on-access scanner ?
« Reply #32 on: June 13, 2004, 11:20:06 PM »
Nope, I can see complete full names.


Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67274
Re:HUGE security hole in on-access scanner
« Reply #33 on: June 14, 2004, 05:14:28 AM »
Also executing a MS-DOS program such as eicar.com is not completely representative -- that's because Windows emulates DOS-mode for the program and doesn't really use non-ANSI characters in that case (because MS-DOS mode is of course not Unicode compliant).

This will happen for sure if you install NAV before in your system.
I can assure that in a DOS window under XP eicar.com won't be caught if you installed NAV before in your system. NAV denies access to other drivers to scan the file.
I suffer a lot because of this. Thanks Kubecj and Vlk I'm here.
I'm very 'happy' to see my first post is still alive. I'm becoming old in this forum  :-\
The best things in life are free.

Offline Le Doc

Re:Security hole in on-access scanner ?
« Reply #34 on: June 14, 2004, 09:59:04 AM »
No, it is not a NAV problem. I received my new 160 GB recently and did a clean new install with avast as the only antivirus software. The others I have are spywareblaster, spywareguard, and kerio PF.


Offline Lisandro

Re:Security hole in on-access scanner ?
« Reply #35 on: June 14, 2004, 02:17:40 PM »
> No it is not a NAV problem. I received my new 160 GB recently and did a clean new install with avast as the only antivirus software. The others i have are spywareblaster, spywareguard, and kerio PF.

Oops... sorry  :-\

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11665
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re:Security hole in on-access scanner ?
« Reply #36 on: June 14, 2004, 02:25:26 PM »
OK it's a minor bug. We've fixed it now.
It's only visible if the following conditions are met:

1. you are executing an MS-DOS based program
2. the program resides on a FAT volume (not NTFS)
3. the path name of the program contains at least one non-English character (more precisely, a character that is above 128 in the ASCII table).


Thanks for pointing this out, Le Doc. Given the 3 points above I wouldn't call this too serious but yeah, it was a bug.

Vlk
If at first you don't succeed, then skydiving's not for you.
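
Added example (not part of the thread and not Avast code): a triage helper that checks whether a file falls under the three conditions listed in Reply #36, classifying the program type from its header. The filesystem type is supplied by the caller, and all function names and sample bytes are constructed for illustration.

```python
import struct
from pathlib import PureWindowsPath

FAT_TYPES = {"FAT", "FAT12", "FAT16", "FAT32"}
WINDOWS_SIGS = (b"PE", b"NE", b"LE", b"LX")  # headers of non-DOS executables

def is_dos_program(name: str, data: bytes) -> bool:
    """Condition 1: a .COM image, or an MZ executable with no Windows header."""
    if data[:2] not in (b"MZ", b"ZM"):
        # Headerless image: only the .COM extension makes DOS load it as a program.
        return PureWindowsPath(name).suffix.lower() == ".com"
    if len(data) < 0x40:
        return True  # too short to hold e_lfanew, so a plain DOS EXE
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 2] not in WINDOWS_SIGS

def has_high_char(path: str) -> bool:
    """Condition 3: any character outside 7-bit ASCII in the path name."""
    return any(ord(ch) > 127 for ch in path)

def matches_reported_conditions(path: str, fs_type: str, data: bytes) -> bool:
    """True when all three conditions from the reply hold for this file."""
    on_fat = fs_type.upper() in FAT_TYPES  # condition 2, supplied by the caller
    return on_fat and has_high_char(path) and is_dos_program(path, data)

def _mz_header(e_lfanew: int) -> bytearray:
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    return hdr

# Constructed sample images (not real programs beyond a DOS exit stub).
SAMPLE_COM = b"\xb4\x4c\xcd\x21"                 # mov ah,4Ch / int 21h
SAMPLE_DOS_EXE = bytes(_mz_header(0))            # MZ with no new-style header
SAMPLE_PE = bytes(_mz_header(0x40)) + b"PE\0\0"  # MZ stub pointing at a PE header

if __name__ == "__main__":
    accented = "D:\\t\u00e9st\\eicar.com"
    for fs in ("FAT32", "NTFS"):
        print(fs, matches_reported_conditions(accented, fs, SAMPLE_COM))
```
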

Offline Le Doc

Re:Security hole in on-access scanner ?
« Reply #37 on: June 14, 2004, 02:27:24 PM »
Your help is welcomed, technical, you don't have to be sorry for a wrong clue.  ;)


Offline Le Doc

Re:Security hole in on-access scanner ?
« Reply #38 on: June 14, 2004, 02:46:21 PM »
> OK it's a minor bug. We've fixed it now.
> It's only visible if the following conditions are met:
>
> 1. you are executing a MS-DOS based program
> 2. the program resides on a FAT volume (not NTFS)
> 3. the path name of the program contains at least one non-English character (more precisely, a character that is above 128 in the ASCII table).
>
> Thanks for pointing this out, Le Doc. Given the 3 points above I wouldn't call this too serious but yeah, it was a bug.
>
> Vlk

Foooo, I'm so happy I discovered that one !! Not an easy one to discover eh, 3 conditions to meet  ;)

So I think I really deserve a medal (at least I deserve my pseudo)  ;D

So if I understand well, the security issue is only for DOS viruses getting on FAT partition. Right ? No worries about Windows viruses ?

Last question, when do you plan to release the fix ?


Offline Le Doc

Re:Security hole in on-access scanner ?
« Reply #39 on: June 14, 2004, 02:51:05 PM »
Just another stupid question :

Why not give a bug the name of the discoverer ? (like for stars, planets...)   :P

This one should be the "Le Doc Bug" in the release history   ;D
