
AVGater abuses antivirus software for local system takeover

A new proof-of-concept exploit, called AVGater, has found a way to abuse antivirus quarantines to attack systems and gain full control.

Security researchers described a proof-of-concept exploit that affects multiple antivirus products and can lead to a full system takeover.

Florian Bogner, a security researcher based in Vienna, disclosed the issue and named it AVGater, because, as Bogner wrote in his blog post, "every new vulnerability needs its own name and logo."

Bogner said AVGater works by "manipulating the restore process from the virus quarantine."

"By abusing NTFS directory junctions, the AV quarantine restore process can be manipulated, so that previously quarantined files can be written to arbitrary file system locations," Bogner wrote in his blog post. "By restoring the previously quarantined file, the SYSTEM permissions of the AV Windows user mode service are misused, and the malicious library is placed in a folder where the currently signed in user is unable to write to under normal conditions."
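Junction abuse of this kind leaves a visible artifact: a directory junction in a user-writable tree whose target is a privileged folder. The PowerShell audit below is an added example, not code from the article or from Bogner's research; it assumes the profile root and the protected paths it lists, and is a heuristic a defender can run, not a complete detection.

```powershell
# Added example: flag NTFS directory junctions under a user-writable root that
# point into privileged locations. Root and protected paths are assumptions.

$protectedRoots = @(
    $env:SystemRoot,                 # e.g. C:\Windows
    ${env:ProgramFiles},             # e.g. C:\Program Files
    ${env:ProgramFiles(x86)}
) | Where-Object { $_ }               # drop variables that are not set

function Find-SuspiciousJunction {
    param([string]$Root = $env:LOCALAPPDATA)

    # Reparse points include junctions, symlinks and mount points; keep junctions only.
    Get-ChildItem -Path $Root -Recurse -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -and $_.LinkType -eq 'Junction' } |
        ForEach-Object {
            $dir = $_
            # .Target is string[] on Windows PowerShell 5.1 and string on PowerShell 7
            foreach ($target in @($dir.Target)) {
                foreach ($p in $protectedRoots) {
                    if ($target -like "$p*") {
                        [pscustomobject]@{
                            Junction = $dir.FullName
                            Target   = $target
                            Owner    = (Get-Acl -LiteralPath $dir.FullName).Owner
                        }
                    }
                }
            }
        }
}

Find-SuspiciousJunction | Format-Table -AutoSize
```

A junction owned by an unprivileged user that resolves into Program Files or System32 has no ordinary reason to exist and is worth investigating alongside the AV product's quarantine-restore log.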

According to Bogner, he disclosed the AVGater vulnerability to Trend Micro, Emsisoft, Kaspersky Lab, Malwarebytes, Check Point and Ikarus Security Software, and all of those vendors have released patches for affected products.

Bogner did not specifically mention Symantec or McAfee in his post, and neither company responded to questions at the time of this article.

Bogner suggested that keeping software up to date is a good way to mitigate the risk of AVGater, but also noted there are limitations to the exploit.

"As AVGater can only be exploited if the user is allowed to restore previously quarantined files, I recommend everyone within a corporate environment to block normal users from restoring identified threats," Bogner wrote. "This is wise in any way."


Satya Gupta, founder and CTO at Virsec Systems, an application threat software company based in San Jose, Calif., said AVGater is yet another way an attacker could manipulate "legitimate processes to launch malicious code or scripts."

"It's also another nail in the coffin for conventional signature-based antivirus solutions. We've known for a while that fileless and memory-based exploits fly under the radar of most AV systems, but now hackers can use AV tools to essentially disable themselves," Gupta told SearchSecurity. "Hackers are relentless and will inevitably find clever ways to bypass perimeter security. The battle has to move to protecting the integrity of applications for process and memory exploits."

2 comments
Like Bogner indicated, this is very interesting but not groundbreaking, and not a nail in anyone's coffin. Satya Gupta is just making a shameless plug to push his product, which is an AV memory scanner and has little relevance to this vulnerability. If there is a file in the quarantine, it has already been identified as malware, so the fact that it can escape the quarantine just means that a dangerous file is a little more dangerous than expected, and by improving the quarantine release process the issue is resolved. As for the claim of in-memory viruses bypassing most antiviruses... I know most 1st-tier AV products I know of have protection in layers, including in-memory scanners.