NAV 4.0 running on NT successfully detects the EICAR test file even if it's residing in RECYCLED.

--
Brock Sides
Unix Systems Administration
Towery Publishing
bsidesat_private

On Sun, 30 Jan 2000, Neil Bortnak wrote:

> 1. Background
> -------------
>
> Under Win95/98 the Recycle Bin is a system designed to make it easy for
> users to "undelete" files. When a user deletes from the GUI, the file is
> not really deleted but moved to a folder named "RECYCLED" located at the
> root of that volume. If the folder does not exist, possibly because
> nothing has ever been deleted on that volume, the directory is created.
> The file is then renamed and information about the file's original name
> and location are stored in an index file. When you look at the recycle
> bin through the GUI, Windows reads the index files from each volume and
> displays their contents. It does not display a raw directory listing.
> You cannot easily access a raw directory listing through the GUI. When
> you empty the recycle bin, Windows deletes all of the files in the
> RECYCLED directories that have a corresponding entry in one of the
> indexes. Therefore a file stored in a RECYCLED directory via DOS or a
> program will not show up anywhere in the GUI and will not be deleted
> when you empty the Recycle Bin.

[snip]

> 4. Notes on NT
> --------------
>
> The exploit works great under NT. The anti-virus folk make the same
> exclusions with NT checkers, presumably to deal with dual boot systems.
> NT's default permissions allow this to work even when the machine is not
> dual boot and has NTFS on all drives because EVERYONE can create
> directories at the root. Just make a \RECYCLED directory and away you
> go.
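As an added illustration of the point under discussion (not code from the thread or from any anti-virus product), the following Python script builds a constructed volume with the EICAR test file placed directly in RECYCLED, then runs a toy content scanner twice: once with RECYCLED excluded, as the thread says the checkers do, and once with no exclusion. The directory layout, file names and the scanner itself are all assumptions made for the example.

```python
"""Added example: a path exclusion on RECYCLED hides a file dropped there
directly, while the same scan with no exclusion finds it."""
import os
import tempfile

# EICAR standard anti-virus test string (harmless by design).
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def build_volume(root):
    """Construct a fake volume root: an ordinary user file plus a file
    written into RECYCLED directly, so no Recycle Bin index entry exists."""
    os.makedirs(os.path.join(root, "RECYCLED"), exist_ok=True)
    os.makedirs(os.path.join(root, "Docs"), exist_ok=True)
    with open(os.path.join(root, "Docs", "notes.txt"), "w") as f:
        f.write("nothing to see here\n")
    with open(os.path.join(root, "RECYCLED", "eicar.com"), "w") as f:
        f.write(EICAR)


def scan(root, excluded_dirs=()):
    """Walk the volume and return volume-relative paths of files containing
    the EICAR string, skipping any directory whose name is in excluded_dirs
    (this mimics the RECYCLED exclusion described in the thread)."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Pruning dirnames in place is how the exclusion takes effect.
        dirnames[:] = [d for d in dirnames if d.upper() not in excluded_dirs]
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                if EICAR.encode() in f.read():
                    hits.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(hits)


def compare_scanners():
    """Run both scanner configurations on a constructed volume and return
    (hits with RECYCLED excluded, hits with no exclusion)."""
    with tempfile.TemporaryDirectory() as root:
        build_volume(root)
        return scan(root, excluded_dirs={"RECYCLED"}), scan(root)


if __name__ == "__main__":
    missed, found = compare_scanners()
    print("scanner excluding RECYCLED found:", missed)
    print("scanner with no exclusion found: ", found)
```

The first list comes back empty and the second contains `RECYCLED/eicar.com`, which is exactly the gap a scanner that skips RECYCLED leaves open.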
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:33:03 PDT