A vulnerability present in several widely used antivirus products may allow attackers to bypass the usual protections and gain control of a victim's file system. The finding comes from security consultant Florian Bogner.
He said the flaw turns a user's antivirus against them by allowing quarantined malware to escape, after which the malicious files can infect the system.
The vulnerability is known as AVGater. In a blog post last week, Bogner detailed his findings, stating that the flaw abuses the quarantine features in various antivirus software.
The quarantine feature is a fundamental capability sold with most security packages. The moment a user's antivirus software becomes aware of a new threat on a device on which it is installed, it places the threat into quarantine. This prevents the threat from running and from accessing sensitive system information.
Once in quarantine, the malware is not automatically deleted, because in some cases a file has been detected falsely and is needed for investigation. If a user needs the file, it can easily be restored to the computer, and the antivirus will then remove it from quarantine.
AVGater exploits the quarantine system by allowing quarantined malware to be restored to any location on the infected computer. It does this by abusing permissions assigned to the antivirus software, letting the quarantined threat escape and regain its full functionality. An attacker can then use this to drop malware into sensitive folders on the computer.
According to Bogner, AVGater can be used to restore any previously quarantined file and place it in an arbitrary system location. He said this is only possible because the quarantine restore process is usually carried out by the antivirus's Windows user-mode component, using the software's own privileges rather than the user's. This means that file system ACLs can be bypassed.
This latest attack, however, has one major weakness that may limit its feasibility. According to Bogner, the logged-in user must be able to restore quarantined files for AVGater to succeed. It is therefore essential for enterprise environments to block regular users from recovering quarantined files. This will minimise the risk from AVGater.
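As an added example (not code from Bogner's post or from any antivirus vendor), the following sketch of a quarantine restore routine closes the gap described above from the defender's side: it enforces the per-user restore policy, restores only to the recorded original location, re-resolves that path at restore time so a redirected destination directory is refused, and checks the requesting user's own write access instead of relying on the antivirus's privileges. The on-disk layout, the `QuarantineRecord` type and the `user_can_write` callback are assumptions made for the example.

```python
import shutil
from dataclasses import dataclass
from pathlib import Path
from typing import Callable


class RestoreDenied(Exception):
    """A restore request failed a policy or destination check."""


@dataclass
class QuarantineRecord:
    quarantine_path: Path  # where the neutralised copy is kept (assumed layout)
    original_path: Path    # fully resolved path the file was removed from


def quarantine(path: Path, store: Path) -> QuarantineRecord:
    """Move a detected file into the store, recording its resolved origin."""
    original = path.resolve(strict=True)
    store.mkdir(parents=True, exist_ok=True)
    kept = store / (original.name + ".quar")
    shutil.move(str(original), str(kept))
    return QuarantineRecord(kept, original)


def restore(record: QuarantineRecord, user_may_restore: bool,
            user_can_write: Callable[[Path], bool]) -> Path:
    """Put a file back only where it came from, and only if the requesting
    user, not the privileged AV process, is allowed to write there."""
    # Policy gate: the enterprise control recommended in the article.
    if not user_may_restore:
        raise RestoreDenied("quarantine restore is disabled for this user")
    target = record.original_path
    # Re-resolve at restore time: if a component of the directory has since
    # been replaced by a symlink or junction, the path now lands elsewhere.
    try:
        actual_parent = target.parent.resolve(strict=True)
    except FileNotFoundError:
        raise RestoreDenied("original directory no longer exists")
    if actual_parent != target.parent or target.is_symlink():
        raise RestoreDenied("destination has been redirected")
    # Check the requester's own rights, so the AV's privileges are never
    # lent out for writes into locations the user could not reach alone.
    if not user_can_write(target.parent):
        raise RestoreDenied("requesting user cannot write to the destination")
    # A production version should also close the check-then-move window
    # (e.g. by operating on an open directory handle) rather than trust paths.
    shutil.move(str(record.quarantine_path), str(target))
    return target
```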
After his discovery of AVGater, Bogner was able to reproduce the attack in products from well-known antivirus vendors, including Malwarebytes, Trend Micro, Kaspersky Lab, Ikarus, and Zone Lab. The major vendors that were notified have already released patches for their products. Other unnamed vendors are still working on fixes, which are expected in the next few days. Users are advised to install updates as soon as they are notified of them.