[Full-disclosure] Re: when will AV vendors fix this???
...
massimo at grandmedia.si
Sun Aug 6 23:11:46 BST 2006
Good idea indeed and, since NTFS drivers have been available for Linux for a
long time now, someone really willing to fix the issue could start there...
----- Original Message -----
From: "Denis Jedig" <seclists at syneticon.de>
To: <full-disclosure at lists.grok.org.uk>
Cc: <bugtraq at securityfocus.com>
Sent: Saturday, August 05, 2006 10:35 AM
Subject: [Full-disclosure] Re: when will AV vendors fix this???
> On Sat, 5 Aug 2006 13:05:56 +0545 Bipin Gautam wrote:
>
--- cut ---
>> And one more thing, if during AV scan if a file can't be opened due to
>> some processes LOCKING the file.... Instead of going through the
>> regular file open process AV should instead directly read the SECTORS
>> of the hdd
>
> This might seem to be a bright idea at first, however, there are problems
> with this approach. For one, the AV system would have to interpret the
> filesystem on its own. Since NTFS is not documented and pretty complicated,
> this is an error-prone task and I have no confidence AV vendors might be
> able to master it correctly. Then, even if you are able to read sectors (a
> non-trivial task under Windows as well), a file is usually not locked
> without reason - it will likely undergo some changes even *during the scan*
> so the results will be mostly useless. What you'd use instead is the Volume
> Shadow Copy (aka Snapshot) feature as done with various backup
> applications.
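
The Volume Shadow Copy approach suggested in the quoted reply, sketched as an added example (not code from the thread or from any AV product): take a snapshot, read the locked file from the frozen copy, then release the snapshot. The volume, file path and mount point are assumed values, and the script needs an elevated prompt.

```powershell
# Added example: read a locked file from a VSS snapshot instead of the live copy.
# $Volume, $LockedFile and $MountPoint are assumed, constructed values.
$Volume     = 'C:\'
$LockedFile = 'C:\Data\locked.bin'   # file another process holds open
$MountPoint = 'C:\vss_scan'          # must not exist yet

# 1. Ask VSS for a point-in-time, client-accessible snapshot of the volume.
$result = Invoke-CimMethod -ClassName Win32_ShadowCopy -MethodName Create `
    -Arguments @{ Volume = $Volume; Context = 'ClientAccessible' }
if ($result.ReturnValue -ne 0) {
    throw "Shadow copy creation failed, code $($result.ReturnValue)"
}
$shadow = Get-CimInstance Win32_ShadowCopy |
    Where-Object ID -eq $result.ShadowID

try {
    # 2. Expose the snapshot device as a directory. The trailing backslash
    #    on the device path is required for the link to resolve.
    cmd /c mklink /d $MountPoint "$($shadow.DeviceObject)\" | Out-Null

    # 3. Map the live path to the same relative path inside the snapshot.
    $relative = $LockedFile.Substring($Volume.Length)
    $snapPath = Join-Path $MountPoint $relative

    # 4. The snapshot copy is not locked and cannot change mid-read, so the
    #    content that is hashed is the content a scanner would inspect.
    $hash = Get-FileHash -LiteralPath $snapPath -Algorithm SHA256
    [pscustomobject]@{
        LivePath     = $LockedFile
        SnapshotPath = $snapPath
        SnapshotTime = $shadow.InstallDate
        SHA256       = $hash.Hash
    }
    # A scanner would be pointed at $snapPath here; its command line is
    # product-specific and deliberately left out.
}
finally {
    # 5. Remove the link (rmdir deletes only the link) and the snapshot.
    if (Test-Path $MountPoint) { cmd /c rmdir $MountPoint }
    $shadow | Remove-CimInstance
}
```

The result describes the file as it was at SnapshotTime; anything written to the live file after that moment is not covered.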