[13695] in bugtraq
Re: Bypass Virus Checking
daemon@ATHENA.MIT.EDU (Kuo, Jimmy)
Thu Feb 3 16:43:28 2000
Mime-Version: 1.0
Content-Type: text/plain
Message-Id: <1D4F16D4D695D21186A300A0C9DCF983302248@dns-83-207.dhcp.nai.com>
Date: Wed, 2 Feb 2000 12:15:56 -0800
Reply-To: "Kuo, Jimmy" <Jimmy_Kuo@NAI.COM>
From: "Kuo, Jimmy" <Jimmy_Kuo@NAI.COM>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
> >7. Solutions
> >------------
>
> >With McAfee, just go into the exclusions tab and delete the \RECYCLED
> >entry. You do that at your own risk of course, as I have no idea why it
> >was excluded in the first place. As for NAV, I don't really have a good
> >solution that doesn't involve doing creative things with a hex editor or
> >installing software, which is to say that I don't have a good solution.
>
> This series of messages also highlights the need for us to remind people
> what it means to be using an antivirus product in its default mode.
>
> Each company has chosen a specific set of parameters under which it
> believes the average user would be best served. It is a compromise of
> security, functionality, and speed.
>
> With regard to McAfee VirusScan, it is correctly noted that we believe the
> average user would be best served if we do not "waste time" scanning the
> RECYCLED directory. And if a security-minded person wishes, he is able to
> easily make the changes he needs to fit his security model.
>
> Of note here also is, a file does not generally just "appear" in the
> RECYCLED directory. It usually existed somewhere else first. The
> antivirus scanner would have caught it there, or would catch it when it is
> moved back out of that directory.
>
> We feel that the current settings are appropriate for the normal user.
> And that people who are more sensitive to this arena are afforded a
> sufficiently easy method to customize to their whim.
>
> Jimmy Kuo
> Director, AV Research, NAI Fellow
> McAfee division of Network Associates