I understand your point; but I'm struggling to see how this could be weaponized. Keep in mind, that these Dos compatible drive letters need to map to a real NT path endpoint (e.g. a drive/volume); so it isn't clear how the malware could both have a difficult to scan Dos tree while also not exposing that same area elsewhere for trivial scanning.

I'm betting there's some badly written AV software out there which will crash on non-standard drive letters, allowing at least a bit of mayhem.

Not sure if it is natively supported, but the malware can just decrypt a disk image to RAM and create a RAM disk mounted to +. Or it can maybe have a user space driver for a loop device, so the sectors of the drive are only decrypted on the fly.

It would likely break a lot of analysis tools and just generally make things very difficult.

The recovery partition might work if it exists.

> This all sounds like a wonderful way to write some truly annoying malware.

AFAIK you need admin priviledges to play with drives in Windows.

Wait until your learn about Alternate Data Streams…

Decent writeup from CS with that evasion method described -

https://www.crowdstrike.com/en-us/blog/anatomy-of-alpha-spid...

They had their use when running Services for Macintosh.

They're still actively used to apply the Mark of the Web to indicate a file has been downloaded from an untrusted zone and should be handled with caution. I believe macOS also applies similar metadata.

There are a few other places where they also show up, but the MotW is the most prevalent one I've found. Most antivirus programs will warn you for unusual alternate data streams regardless of what they contain.

macOS uses extended attributes (can be manipulated with xattr).

ADS was originally designed to support the HFS resource fork.