A security researcher discovered a major vulnerability called AVGater that is common to many popular antivirus products. What is the AVGater vulnerability, and what is the risk? Are antivirus products more trouble than they're worth?
The information security community -- and attackers -- often scrutinize and dissect antivirus products and their makers for fun, reminding us that there are no silver bullets for information security problems. As a community, we need to keep critically evaluating how we use our security tools and make sure they are managed like any other piece of software. That is what allows these products to deliver the protective value they promise to enterprises.
Florian Bogner, a security researcher based in Austria, found the AVGater vulnerability in several antivirus products and tools; it could be used as part of a targeted attack to completely compromise an endpoint.
The AVGater vulnerability works by abusing the legitimate quarantine restore functionality -- which is accessible to unprivileged users -- to restore a malicious file into a system directory. A privileged process then loads that file as a dynamic link library (DLL), giving the attacker control over the system.
The AVGater vulnerability relies on DLL preloading techniques to avoid detection, and it will probably not be the last attack to use them. AVGater is low-risk on its own because it requires the user to take several manual steps. However, as McAfee notes in its guidance on AVGater, users can be tricked into taking steps against their best interests, which raises the risk in targeted attacks.
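Because the attack ends with an untrusted DLL sitting in a directory that privileged processes load from, one defensive check is to audit those directories for recently written DLLs that lack a valid Authenticode signature from an expected publisher. The script below is an added example, not code from the article or from any vendor; the directories, publisher names and seven-day window are assumptions to adjust for your environment.

```powershell
# Added example (not from the article): flag recently modified DLLs in
# privileged load paths that are unsigned or signed by an unexpected publisher.
# Assumptions: Windows PowerShell 5.1 or later; directories and trusted
# subject strings below are illustrative defaults, not values from the article.
param(
    [string[]]$Directories = @("$env:SystemRoot\System32", "$env:ProgramFiles"),
    [string[]]$TrustedSubjects = @('CN=Microsoft Windows', 'CN=Microsoft Corporation'),
    [int]$RecentDays = 7
)

function Get-SuspiciousDll {
    param([string[]]$Paths, [string[]]$Trusted, [int]$Days)
    $cutoff = (Get-Date).AddDays(-$Days)
    foreach ($dir in $Paths) {
        # Only DLLs written recently: a restored quarantine file is a fresh write.
        Get-ChildItem -Path $dir -Filter *.dll -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -ge $cutoff } |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                # Signature must chain to a trusted root AND come from an expected publisher.
                $trustedSigner = $false
                foreach ($t in $Trusted) {
                    if ($subject -like "*$t*") { $trustedSigner = $true }
                }
                if ($sig.Status -ne 'Valid' -or -not $trustedSigner) {
                    [pscustomobject]@{
                        Path      = $_.FullName
                        Modified  = $_.LastWriteTime
                        SigStatus = $sig.Status
                        Signer    = $subject
                    }
                }
            }
    }
}

Get-SuspiciousDll -Paths $Directories -Trusted $TrustedSubjects -Days $RecentDays |
    Sort-Object Modified -Descending |
    Format-Table -AutoSize
```

Catalog-signed operating system files can report NotSigned on older Windows builds, so treat the output as a triage list to compare against a known-good baseline rather than as proof of compromise.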
Antimalware software, or similar system security monitoring software, is absolutely critical for protecting endpoints. While the question of whether signature-based antivirus is worth the money is still relevant, newer security tools, such as whitelisting, are emerging and reduce the need for endpoint antimalware tools to protect against this type of attack. Regardless of the tool in use, it will need the standard care and feeding required to keep it updated.