Vigil@nce: Avast, F-Prot, virus not detected on NTFS
November 2011 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker who can upload a virus to an NTFS partition can
change its permissions so that it remains executable but is not
detected by the antivirus.
– Severity: 1/4
– Creation date: 07/11/2011
IMPACTED PRODUCTS
– Avast Antivirus
– F-PROT Antivirus
DESCRIPTION OF THE VULNERABILITY
An NTFS partition can be used to set the following permissions on
a file:
– "Execute File": permission to execute the file
– "Read": permission to read the file
When a file has the "Execute File" permission but does not have
the "Read" permission, some antivirus software does not analyze
it, and thus does not detect whether it contains a virus. Note
that the initial storage of the file, before its permissions are
changed, is detected by the antivirus.
An attacker who can upload a virus to an NTFS partition can
therefore change its permissions so that it remains executable but
is not detected by the antivirus.
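One way a defender could look for files left in this state, as an added example that is not part of the Vigil@nce bulletin: the PowerShell below flags files whose ACL grants "Execute File" without "Read Data". The scan root and the function name are assumptions, and the check is a heuristic that does not resolve group membership.

```powershell
# Added audit example, not from the bulletin. Heuristic only: it does not
# resolve group membership or compute true effective access.
$Root     = 'C:\Users\Public'   # assumed scan root; change as needed
$Execute  = [int][System.Security.AccessControl.FileSystemRights]::ExecuteFile
$ReadData = [int][System.Security.AccessControl.FileSystemRights]::ReadData

function Get-ExecuteWithoutReadIdentity {   # hypothetical helper name
    param($Rules)   # FileSystemAccessRule objects from (Get-Acl).Access
    $allow = @{}; $deny = @{}; $anyDeny = 0
    foreach ($r in $Rules) {
        $id   = $r.IdentityReference.Value
        $mask = [int]$r.FileSystemRights
        if ($r.AccessControlType -eq 'Allow') {
            $allow[$id] = [int]$allow[$id] -bor $mask
        } else {
            $deny[$id] = [int]$deny[$id] -bor $mask
            $anyDeny   = $anyDeny -bor $mask
        }
    }
    foreach ($id in $allow.Keys) {
        # Rights left after this identity's own deny ACEs are subtracted.
        $effective = $allow[$id] -band (-bnot ([int]$deny[$id]))
        $canExec   = ($effective -band $Execute) -ne 0
        $canRead   = ($effective -band $ReadData) -ne 0
        # A deny on ReadData for another trustee (e.g. a group) may also apply.
        $readDenied = ($anyDeny -band $ReadData) -ne 0
        if ($canExec -and ((-not $canRead) -or $readDenied)) { $id }
    }
}

Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_   # keep the file; $_ becomes the error record inside catch
        try {
            $acl = Get-Acl -LiteralPath $file.FullName -ErrorAction Stop
            $ids = @(Get-ExecuteWithoutReadIdentity -Rules $acl.Access)
            if ($ids.Count -gt 0) {
                [pscustomobject]@{ Path = $file.FullName
                                   Finding = 'Execute without Read'
                                   Detail = $ids -join '; ' }
            }
        } catch {
            # A file whose ACL cannot be read is itself worth reviewing.
            [pscustomobject]@{ Path = $file.FullName
                               Finding = 'ACL unreadable'
                               Detail = $_.Exception.Message }
        }
    }
```

Files reported with either finding can be reviewed manually or rescanned after read access is restored for the scanning account.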
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Avast-F-Prot-virus-not-detected-on-NTFS-11128