AV in Firefox.
Posted by: rvdh
Date: January 11, 2009 05:17AM

Anyone tried to bypass it yet? I was planning to start some research the coming month regarding the AV scanner inside Firefox. Well, it isn't IN Firefox, it actually uses the Windows internal "virus" scanning interfaces, and then it seems to use a default installed AV scanner. The nsDownloadScanner.cpp calls IAttachmentExecute and/or IOfficeAntiVirus.

I can envisage a couple of problems already without knowing all details yet.

Some ideas I just had:


i. If the machine is trojanized already, boot sectors and data restores may already be tampered with, which can result in false positives in case of an internal scanner that uses some sectors for verification. (not sure if that applies to the IAttachmentExecute, but it might?)

ii. Race conditions seem plausible, since they call the hook and don't release it until the Windows interface spits back a result, whether false, negative or a timeout. More research needed here.

iii. If you don't have AV software, the AV scanner from Firefox fails, because it cannot scan the file. (I tested this already, and most known viruses go by undetected)

The fallacies of the Firefox AV scanner:

i. This gives a false sense of security, because some users might think they don't need an AV scanner anymore, because they probably assume that "Firefox has one, I am safe now". Obviously, they are not.

ii. If you do not have Office installed, one hook may fail. Yes, they call two interfaces, but there might be some complications if a trojan/virus installed by MSIE, for example, can mimic that hook if it's missing.

iii. If you have XPlite, for example, most hooks/interfaces are missing, which results in a failed scan.

iv. Too much lag. According to the source, the scan is forced to run and finish with a result. (you can disable it in about:config)

Those are my initial ideas about the AV "scanner" in Firefox for now.

Any ideas, suggestions, or research that might be interesting? Please do let me know!

Thanks,

/rvdh



Edited 2 time(s). Last edit at 01/11/2009 05:38AM by rvdh.
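A defender-side check, added here and not part of rvdh's post or of Mozilla's code: it lists whether the two Windows hooks the post names (the IOfficeAntiVirus provider category, and the Security Center scanner that IAttachmentExecute hands a file to) actually have a provider on a given host, which is the condition behind point iii above. The category GUID (CATID_MSOfficeAntiVirus from the Windows SDK header msoav.h), the root/SecurityCenter2 WMI class (Vista and later) and the HKCR\CLSID registry layout are assumptions drawn from Windows, not from the post.

```powershell
# Added example: does this host have anything behind the scanning hooks Firefox calls?
# Assumption: CATID_MSOfficeAntiVirus as defined in the Windows SDK (msoav.h).
$catidOfficeAV = '{56FFCC30-D398-11d0-B2AE-00A0C908FA49}'

function Get-OfficeAntiVirusProviders {
    # COM classes advertise category membership under
    # HKCR\CLSID\<clsid>\Implemented Categories\<catid>; walking all of HKCR\CLSID is slow.
    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        Where-Object { Test-Path (Join-Path $_.PSPath "Implemented Categories\$catidOfficeAV") } |
        ForEach-Object {
            [pscustomobject]@{
                Clsid = $_.PSChildName
                Name  = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'(default)'
            }
        }
}

function Get-SecurityCenterAntiVirus {
    # Assumption: Security Center (Vista and later) exposes registered AV products here.
    # IAttachmentExecute hands the saved file to whichever scanner is registered with it.
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' -ErrorAction SilentlyContinue |
        Select-Object displayName, productState, pathToSignedProductExe
}

$officeProviders = @(Get-OfficeAntiVirusProviders)
$scAv            = @(Get-SecurityCenterAntiVirus)

"IOfficeAntiVirus providers: $($officeProviders.Count)"
$officeProviders | Format-Table -AutoSize
"Security Center AV products: $($scAv.Count)"
$scAv | Format-Table -AutoSize

if ($officeProviders.Count -eq 0 -and $scAv.Count -eq 0) {
    # Neither hook has a provider: a download "scan" on this host cannot inspect the file,
    # which is the fail-open situation point iii describes.
    Write-Warning 'No scanner provider found; a Firefox download scan here would not inspect the file.'
}
```

Run it in an elevated PowerShell 3 or later session; an empty result from both functions means the browser-side scan has nothing to call, regardless of what the browser reports.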
