KellyKeeton dot Com v3.0 reverse engineering life

10 Nov 08

The More you Know… Antivirus infecting Memory from network Share

By default most major antivirus products (I tested with Symantec) will only scan for viruses when files are read from or written to disk.

Meaning that real-time scanning will not, by default, catch a virus that only ever exists in memory.

So, if a binary carrying a virus sits on a UNC path or mapped drive in your environment, it can be loaded into memory without the AV ever seeing it (because it was never read from the local disk).

Apply the idea to this: take a virus that can stop AV (Sality.AE) and run it via a Windows UNC path on a system with a default install. BAM, infected, even though AV is installed with current definitions.

To prevent this you need to scan network drives for viruses; obviously this causes issues with network performance. However, it could save you until you get rid of a parasite/trojan virus in your network (or worse). Most major vendors have a check-box for this.
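A defender-side complement to turning on network-drive scanning is to watch for executables being launched directly from a UNC path or a mapped drive, since that is exactly the file access the on-access scanner misses. The script below is an added example, not code from the original post: it parses a few constructed process-creation records in a simplified Sysmon-style `key=value` line format (the format, the field names and the sample values are assumptions, as is the choice of `Z:` as a mapped drive letter) and flags any `Image` path that resolves to a network location, including the extended-length `\\?\UNC\` form.

```python
import ntpath

# Constructed sample records, loosely modelled on Sysmon Event ID 1
# (process creation). Format and values are assumptions for this example.
SAMPLE_EVENTS = [
    "UtcTime=2024-01-01 10:00:01, Image=C:\\Windows\\System32\\notepad.exe, User=CORP\\alice, ParentImage=C:\\Windows\\explorer.exe",
    "UtcTime=2024-01-01 10:00:05, Image=\\\\fileserver01\\public\\setup.exe, User=CORP\\bob, ParentImage=C:\\Windows\\explorer.exe",
    "UtcTime=2024-01-01 10:00:09, Image=Z:\\tools\\update.exe, User=CORP\\carol, ParentImage=C:\\Windows\\System32\\cmd.exe",
    "UtcTime=2024-01-01 10:00:12, Image=\\\\?\\UNC\\fileserver01\\public\\setup.exe, User=CORP\\dave, ParentImage=C:\\Windows\\explorer.exe",
    "UtcTime=2024-01-01 10:00:15, Image=D:\\apps\\local.exe, User=CORP\\erin, ParentImage=C:\\Windows\\explorer.exe",
]

# Drive letters known to be mapped to network shares (assumed for the example;
# in practice this comes from your own inventory or the `net use` output).
MAPPED_DRIVES = {"Z:"}


def parse_event(line):
    """Split one 'key=value, key=value' record into a dict."""
    fields = {}
    for part in line.split(", "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def is_network_path(image, mapped_drives=MAPPED_DRIVES):
    """True if the executable path points at a UNC share or a mapped network drive."""
    # Normalise the extended-length prefixes Windows may report:
    #   \\?\UNC\server\share\file  ->  \\server\share\file
    #   \\?\C:\dir\file            ->  C:\dir\file
    if image.startswith("\\\\?\\UNC\\"):
        image = "\\\\" + image[len("\\\\?\\UNC\\"):]
    elif image.startswith("\\\\?\\"):
        image = image[len("\\\\?\\"):]
    # ntpath works the same on every OS, so this runs fine off-Windows too.
    drive, _ = ntpath.splitdrive(image)
    if drive.startswith("\\\\"):
        return True  # UNC path: drive part is \\server\share
    return drive.upper() in {d.upper() for d in mapped_drives}


def find_network_executions(lines, mapped_drives=MAPPED_DRIVES):
    """Return the records whose Image was launched from a network location."""
    hits = []
    for line in lines:
        event = parse_event(line)
        image = event.get("Image", "")
        if is_network_path(image, mapped_drives):
            hits.append({"time": event.get("UtcTime"), "image": image, "user": event.get("User")})
    return hits


if __name__ == "__main__":
    for hit in find_network_executions(SAMPLE_EVENTS):
        print(f"{hit['time']}  {hit['user']:<12} launched from network: {hit['image']}")
```

Feeding real process-creation telemetry into `find_network_executions` gives you an alert stream for exactly the case the post describes; the mapped-drive set is the one piece you have to supply from your own environment, because a bare drive letter carries no hint of whether it is local or a share.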
