Antivirus Engine Design Flaw Helps Malware Sink Its Teeth Into Your System

Discussion in 'other anti-virus software' started by anon, Nov 10, 2017.

  1. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    7,970
    Antivirus Engine Design Flaw Helps Malware Sink Its Teeth Into Your System
    https://www.bleepingcomputer.com/ne...elps-malware-sink-its-teeth-into-your-system/
    ----------
    #AVGater: Getting Local Admin by Abusing the Anti-Virus Quarantine
    https://bogner.sh/2017/11/avgater-getting-local-admin-by-abusing-the-anti-virus-quarantine/
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,591
    Location:
    U.S.A.
    Pen testers are getting more creative with each passing day. Also, one could argue that this bypass is facilitated by the ever-present Windows DLL search order hijacking vulnerability:
    https://bogner.sh/2017/11/avgater-getting-local-admin-by-abusing-the-anti-virus-quarantine
     
  3. tgell

    tgell Registered Member

    Joined:
    Nov 12, 2004
    Posts:
    1,097
    Qihoo 360 does not allow a restore from Quarantine if the user is not an admin.
     
  4. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    That's a clever way to exploit AV's SYSTEM privilege.
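itman (post 2) points at DLL search order hijacking and Minimalist (post 4) at the AV's SYSTEM privilege: the weakness is a privileged restore writing a file into a location the unprivileged user gets to choose. The check below is an added example, not code from any AV vendor or from the linked write-ups. It assumes a hypothetical restore routine that knows an allowed root directory and refuses any destination that leaves that root or passes through a symlink or Windows reparse point (junction) on the way; the function names and the directory layout in the comments are constructed for the illustration.

```python
import os
import stat
from typing import Optional

# Windows reports junctions and other reparse points through this attribute;
# the constant exists in `stat` on Windows builds, so fall back to its value elsewhere.
REPARSE = getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0x400)


def is_link_like(path: str) -> bool:
    """True if `path` exists and is a symlink or (on Windows) any reparse point.

    A privileged writer must never follow these on the way to a restore destination,
    because an unprivileged user can plant them in directories they own.
    """
    try:
        st = os.lstat(path)          # lstat: inspect the component itself, do not follow it
    except FileNotFoundError:
        return False                 # not created yet: nothing to follow
    if stat.S_ISLNK(st.st_mode):
        return True
    attrs = getattr(st, "st_file_attributes", 0)   # only populated on Windows
    return bool(attrs & REPARSE)


def safe_restore_target(allowed_root: str, destination: str) -> Optional[str]:
    """Return the absolute destination if a privileged writer may use it, else None.

    Hypothetical helper for a quarantine-restore path: `allowed_root` is the only
    directory tree the restore is permitted to write into.
    """
    root = os.path.abspath(allowed_root)
    dest = os.path.abspath(destination)   # normalises "..", does not follow links

    # 1. Lexical containment: the requested path must sit inside the allowed root.
    if os.path.commonpath([root, dest]) != root:
        return None

    # 2. Walk every component below the root; refuse if any existing one is a link/junction.
    cur = root
    for part in os.path.relpath(dest, root).split(os.sep):
        if part in ("", "."):
            continue
        cur = os.path.join(cur, part)
        if is_link_like(cur):
            return None

    # 3. Belt and braces: after resolving whatever does exist, still inside the root?
    if os.path.commonpath([os.path.realpath(root), os.path.realpath(dest)]) != os.path.realpath(root):
        return None
    return dest
```

The check has to run in the privileged component itself, and the subsequent write should open the final path with a no-follow flag (or an equivalent handle-based API on Windows), because a plain check-then-write leaves a window in which the directory can be swapped for a junction. Restricting restore to administrators, as tgell describes for Qihoo 360, removes the unprivileged trigger entirely; the path check above is the complementary defence for products that keep user-initiated restore.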
     
  5. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    AV vendors should add password protection for restoring a file from quarantine.
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,591
    Location:
    U.S.A.
    Actually, some do. Eset does, but it applies to all GUI access.
     
  7. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    Neither
    Also I'd like to say that ESET is not vulnerable. The vulnerability being discussed here was discovered internally a long time ago and fixed in all ESET's products via a regular module update.
     
  8. ance

    ance formerly: fmon

    Joined:
    May 5, 2013
    Posts:
    1,360
    Nothing new, all software is a security risk. :geek: I will never use an antivirus with auto-delete because a false positive could destroy your system. I got about 50 false positives in the last few years but no real infection.
     
  9. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    #AVGater vulnerability does not affect Windows Defender Antivirus.
    Link : https://blogs.technet.microsoft.com...y-does-not-affect-windows-defender-antivirus/
     