Topic: Antivirus Engine Design Flaw Helps Malware Sink Its Teeth Into Your System

Felipe Oliveira

  • Malware Research Group
  • Comodo's Hero
  • Posts: 479
  • Brazilian / Medicine Student / Love Technology

Several antivirus products are affected by a design flaw that allows malware or a local attacker to abuse the "restore from quarantine" feature to send previously detected malware to sensitive areas of the user's operating system, helping the malware gain boot persistence with elevated privileges.

Florian Bogner, a security auditor at Kapsch, an Austrian cyber-security company, discovered the flaw, which he is tracking under the codename AVGater.

Some antivirus vendors issued updates

Quote
Bogner says he notified all antivirus makers that he tested and found vulnerable. Today, the researcher published his findings after some companies issued updates.

The list includes Trend Micro, Emsisoft, Kaspersky Lab, Malwarebytes, Ikarus, and Zone Alarm by Check Point.

He says other companies will release fixes in the coming days, and that he doesn't rule out that other AV engines that he did not test may also be vulnerable.

Source: https://bogner.sh/2017/11/avgater-getting-local-admin-by-abusing-the-anti-virus-quarantine/



Is COMODO protected against this flaw?
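As an added example, not from the article above or from any vendor's code: a defender-side check that a quarantine-restore routine could run before writing a file back. It refuses a target whose path passes through a symlink or junction (the directory tree under the recorded original location could have been rewired after quarantine) or that resolves into a protected system location. The protected-directory list and the temp-directory layout are constructed for the demo; a real implementation would also perform the write with the requesting user's privileges rather than the service's.

```python
import os
import tempfile

# Constructed list of locations a restore must never write into. A shipping
# product would take these from the live system (on Windows: %SystemRoot%,
# Program Files, ProgramData, the AV's own service directory).
PROTECTED_DIRS = ("/etc", "/usr", "/bin", "/sbin", "/var/lib")


def has_link_component(path: str) -> bool:
    """True if path or any ancestor is a symlink. On Windows a real product
    must also treat NTFS junctions/reparse points the same way."""
    current = os.path.abspath(path)
    while True:
        if os.path.islink(current):
            return True
        parent = os.path.dirname(current)
        if parent == current:
            return False
        current = parent


def check_restore_target(original_path: str, protected=PROTECTED_DIRS):
    """Decide whether a quarantined file may be written back to original_path.
    Returns (allowed, reason)."""
    target = os.path.abspath(original_path)
    if has_link_component(target):
        return False, "path contains a symlink/junction component"
    resolved = os.path.realpath(target)
    for base in protected:
        base = os.path.abspath(base)
        if resolved == base or resolved.startswith(base + os.sep):
            return False, f"target is inside protected directory {base}"
    return True, "ok"


def demo():
    # Exercise the check against a constructed layout in a temp directory.
    with tempfile.TemporaryDirectory() as root:
        root = os.path.realpath(root)  # keep the temp root itself link-free
        user_dir = os.path.join(root, "Downloads")
        other_dir = os.path.join(root, "elsewhere")
        os.makedirs(user_dir)
        os.makedirs(other_dir)
        # A directory link planted where the quarantined file used to live.
        os.symlink(other_dir, os.path.join(root, "Linked"))
        return {
            "plain": check_restore_target(os.path.join(user_dir, "sample.exe"))[0],
            "via_link": check_restore_target(os.path.join(root, "Linked", "sample.exe"))[0],
            "protected": check_restore_target("/etc/cron.d/sample")[0],
        }
```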

futuretech

  • Global Moderator
  • Comodo's Hero
  • Posts: 3759

Re: Antivirus Engine Design Flaw Helps Malware Sink Its Teeth Into Your System
« Reply #1 on: November 11, 2017, 06:47:44 PM »
Seeing that it pretty much requires physical local access, it really doesn't matter, as you can do way more when you have physical access. Also, if you set the password under general settings > user interface, you would need to enter the password to open the view quarantine task.

pio

  • Malware Research Group
  • Comodo's Hero
  • Posts: 531
  • I like CIS, Kali Linux, IDA Pro & FL Studio ;)

Re: Antivirus Engine Design Flaw Helps Malware Sink Its Teeth Into Your System
« Reply #2 on: November 11, 2017, 06:59:42 PM »
Quote from: futuretech
Seeing that it pretty much requires physical local access, it really doesn't matter, as you can do way more when you have physical access. Also, if you set the password under general settings > user interface, you would need to enter the password to open the view quarantine task.

@Futuretech, you have unintentionally "stolen" my answer! ;) :)

With an activated user password and activated autosandbox (containment), it is also "impossible" to load an unknown (untrusted) file on the computer, because a password is needed to get the file out of the sandbox, even if you are not at the computer and even if the attacker has physical access. Moreover, it is "not possible" to uninstall CIS, and all of that certainly also applies to CCAV, CAV and CFW. So setting a user password should be standard for everyone! It just brings much more security. A definitely underrated safety feature!!!

Another very simple solution, which applies to all anti-virus programs as long as this option exists, would be to not isolate the files, or to manually delete them after they have been moved. If nothing is there to restore, then nothing can be restored to places where it should not be restored. ;)
« Last Edit: November 11, 2017, 08:28:48 PM by pio »
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***
