Security hole in on-access scanner ?

[rloschmann]

I found out something really strange !!

I copied the "tést" directory and "eicar.com" file to a NTFS partition and now the on-access scanner detects it. It seems that the problem comes from the FAT32 partitions. I tested all my FAT32 partitions and the eicar was never detected on them (if accents used). It is detected on all NTFS partitions (with or without accents)  

vlk, i have windows 2000 SP4 fully patched (french), avast 4.1.412 (french), VPS 0424-3.

[softwareguy]

Your FAT32 partitions aren't using 8.3 DOS Filenames, right?  
Hmmm....

[rloschmann]

Nop, i can see complete full names.

[Lisandro]

Also executing a MS-DOS program such as eicar.com is not completely representative -- that's because Windows emulates DOS-mode for the program and doesn't really use non-ANSI characters in that case (because MS-DOS mode is of course not Unicode compliant).

This will happen for sure if you install NAV before in your system.
I can assure that in a DOS window under XP eicar.com won't be caught if you installed NAV before in your system. NAV deny access to other drivers to scan the file.
I suffer a lot because of this. Thanks Kubecj and Vlk I'm here.
I'm very 'happy' to see my first post is still alive. I'm becoming old in this forum  

[rloschmann]

No it is not a NAV problem. I received my new 160 GB recently and did a clean new install with avast as the only antivirus software. The others i have are spywareblaster, spywareguard, and kerio PF.

[Lisandro]

No it is not a NAV problem. I received my new 160 GB recently and did a clean new install with avast as the only antivirus software. The others i have are spywareblaster, spywareguard, and kerio PF.

Oops... sorry  

[Vlk]

OK it's a minor bug. We've fixed it now.
It's only visible if the following conditions are met:

1. you are executing a MS-DOS based program
2. the program resides on a FAT volume (not NTFS)
3. the path name of the program contains at least one non-English character (more precisely, a character thas is above 128 in the ASCII table).


Thanks for pointing this out, Le Doc. Given the 3 points above I wouldn't call this too serious but yeah, it was a bug.

Vlk

[rloschmann]

Your help is welcomed technical, you don't have to be sorry for a wrong clue.  

[rloschmann]

OK it's a minor bug. We've fixed it now.
It's only visible if the following conditions are met:

1. you are executing a MS-DOS based program
2. the program resides on a FAT volume (not NTFS)
3. the path name of the program contains at least one non-English character (more precisely, a character thas is above 128 in the ASCII table).


Thanks for pointing this out, Le Doc. Given the 3 points above I wouldn't call this too serious but yeah, it was a bug.

Vlk

Foooo, i'm so happy i discovered that one !! Not an easy one to discover eh, 3 conditions to meet  

So i think i really deserve a medal (at least i deserve my pseudo)  

So if i understand well, the security issue is only for DOS viruses getting on FAT partition. Right ? No worries about Windows viruses ?

Last question, when do you plan to release the fix ?

[rloschmann]

Just another stupid question :

Why not give a bug the name of the discoverer ? (like for stars, planets...)  

This one should be the "Le Doc Bug" in the release history