Antivirus Engine Design Flaw Helps Malware Sink Its Teeth Into Your System

Discussion in 'other anti-virus software' started by anon, Nov 10, 2017.

  1. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    4,961
    Antivirus Engine Design Flaw Helps Malware Sink Its Teeth Into Your System
    https://www.bleepingcomputer.com/ne...elps-malware-sink-its-teeth-into-your-system/
    ----------
    #AVGater: Getting Local Admin by Abusing the Anti-Virus Quarantine
    https://bogner.sh/2017/11/avgater-getting-local-admin-by-abusing-the-anti-virus-quarantine/
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,366
    Location:
    U.S.A.
    Pen testers are getting more creative with each passing day. Also, one could argue that this bypass is facilitated by the ever-present Windows DLL search order hijacking vulnerability:
    https://bogner.sh/2017/11/avgater-getting-local-admin-by-abusing-the-anti-virus-quarantine
     
  3. tgell

    tgell Registered Member

    Joined:
    Nov 12, 2004
    Posts:
    1,081
    Qihoo 360 does not allow a restore from Quarantine if the user is not an admin.
     
  4. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    7,351
    Location:
    EU • SLO
    That's a clever way to exploit AV's SYSTEM privilege.
     
  5. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    409
    Location:
    Italy
    AV vendors should add password protection to restoring a file from quarantine.
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,366
    Location:
    U.S.A.
    Actually some do. Eset does but it applies to all GUI access.
     
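    The restore restrictions mentioned in the last few posts (admin-only restore, password-gated restore) boil down to one policy decision the AV engine makes before its SYSTEM-level service writes a file back out of quarantine. The block below is an added example of that decision logic, not code from any vendor or from the linked write-up; the record shape (`{"original_path": ...}`) is hypothetical, and on POSIX a symlink stands in for the NTFS junction the attack relies on. It refuses a restore when any component of the recorded destination is a reparse point (a swapped-in junction would redirect the privileged write) and when a non-admin asks for a destination outside their own profile.

```python
import os
import stat


def is_reparse_point(path):
    """True if `path` itself is a symlink (POSIX) or a Windows reparse point
    (junction, symlink, mount point). A path that does not exist is not one."""
    try:
        st = os.lstat(path)
    except OSError:
        return False
    if stat.S_ISLNK(st.st_mode):
        return True
    # Windows-only stat fields; on POSIX both getattr() calls fall back to 0.
    attrs = getattr(st, "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0))


def reparse_point_on_path(path, stop_at=None):
    """Walk from `path` up towards the root (stopping before `stop_at` if given)
    and return the first component that is a reparse point, or None.
    A junction anywhere under the restore target redirects the whole write."""
    cur = os.path.abspath(path)
    stop = os.path.abspath(stop_at) if stop_at else None
    while True:
        if stop is not None and cur == stop:
            return None
        if is_reparse_point(cur):
            return cur
        parent = os.path.dirname(cur)
        if parent == cur:  # reached the filesystem root
            return None
        cur = parent


def restore_decision(record, requester_is_admin, user_profile):
    """Decide whether a quarantine restore may proceed.
    `record` is the entry written at quarantine time (hypothetical shape:
    {"original_path": ...}); the destination comes from that record, never
    from the requester. Returns (allowed, reason)."""
    dest = record["original_path"]
    if not requester_is_admin:
        profile = os.path.realpath(user_profile)
        try:
            inside = os.path.commonpath([profile, os.path.realpath(dest)]) == profile
        except ValueError:  # different drives on Windows
            inside = False
        if not inside:
            return False, "non-admin may only restore into their own profile"
    hit = reparse_point_on_path(dest, stop_at=None if requester_is_admin else user_profile)
    if hit is not None:
        return False, "reparse point on restore path: " + hit
    return True, "ok"
```

A check like this is defence in depth, not the whole fix: it is a check-then-write sequence, so the directory can still be swapped between the check and the write. The robust design is for the service to perform the restore while impersonating the requesting user, so the operating system's ACLs decide whether the write into a privileged directory succeeds, and to open the destination's parent directory with reparse-point following disabled and write relative to that handle.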
  7. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,401
    Neither
    Also, I'd like to say that ESET is not vulnerable. The vulnerability being discussed here was discovered internally a long time ago and fixed in all of ESET's products via a regular module update.
     
  8. fmon

    fmon formerly: Impet

    Joined:
    May 5, 2013
    Posts:
    1,137
    Nothing new, all software is a security risk. :geek: I will never use an antivirus with auto-delete, because a false positive could destroy your system. I got about 50 false positives in the last few years but no real infection.
     
  9. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    403
    #AVGater vulnerability does not affect Windows Defender Antivirus.
    Link : https://blogs.technet.microsoft.com...y-does-not-affect-windows-defender-antivirus/
     