How AV can open you to attacks that otherwise wouldn’t be possible

Posted on November 10, 2017 by mea

The attack worked first by getting Bogner’s malicious file quarantined by the AV program running on the targeted computer. The pentester then exploited vulnerabilities in the AV programs that allowed unprivileged users to restore the quarantined files. He further abused a Windows feature known as NTFS file junction point to force the restore operation to put his malicious file into a privileged directory of Bogner’s choosing. The technique took advantage of another Windows feature known as Dynamic Link Library search order. With that, Bogner’s malware ran with full privileges.

Source: How AV can open you to attacks that otherwise wouldn’t be possible | Ars Technica

Could antivirus software make your computer less safe?

Posted on July 8, 2016 by mea

Increasingly, attacks focus on social engineering or phishing that lures users onto compromised websites that can steal information or serve ransomware.

Those websites are so short-lived that antivirus software often doesn’t update fast enough to recognize them, Sjouwerman added.

Source: Could antivirus software make your computer less safe?

How to Compromise the Enterprise Endpoint

Posted on June 29, 2016 by mea

Because Symantec uses a filter driver to intercept all system I/O, just emailing a file to a victim or sending them a link to an exploit is enough to trigger it – the victim does not need to open the file or interact with it in anyway. Because no interaction is necessary to exploit it, this is a wormable vulnerability with potentially devastating consequences to Norton and Symantec customers.

An attacker could easily compromise an entire enterprise fleet using a vulnerability like this. Network administrators should keep scenarios like this in mind when deciding to deploy Antivirus, it’s a significant tradeoff in terms of increasing attack surface.

Source: Project Zero: How to Compromise the Enterprise Endpoint

Trend Micro flaw could have allowed attacker to steal all passwords

Posted on January 12, 2016 by mea

Overall, Ormandy wrote that he found over 70 APIs exposed to the Internet, not all of which he had investigated for security issues. He suggested Trend should hire an external consultancy to audit the code.

Source: Trend Micro flaw could have allowed attacker to steal all passwords

Antivirus software could make your company more vulnerable

Posted on January 10, 2016 by mea

While these are mainly examples of using antivirus vulnerabilities to evade detection, there’s also a demand for remote code execution exploits affecting antivirus products and these are being sold by specialized brokers on the largely unregulated exploit market.

Among the emails leaked last year from Italian surveillance firm Hacking Team there is a document with exploits offered for sale by an outfit called Vulnerabilities Brokerage International. The document lists various privilege escalation, information disclosure and detection bypassing exploits for multiple antivirus products, and also a remote code execution exploit for ESET NOD32 Antivirus with the status “sold.”

Source: Antivirus software could make your company more vulnerable

AVG, McAfee, Kaspersky Fix Common Vulnerability in Their Antivirus Products

Posted on December 10, 2015 by mea

The security bug relates to the fact that the AVG antivirus creates a memory space with full RWX (read-write-execute) privileges where it normally runs. For that particular version of the AVG antivirus, this memory space was not randomized and was often shared with other applications, like, for example, Acrobat Reader or the enSilo product that collided with the antivirus.

If an attacker knew about the antivirus’ predictable behavior and where this address space was, they could force their malicious code to execute inside that memory address and have the same privileges as the antivirus process (which is system-level).

Source: AVG, McAfee, Kaspersky Fix Common Vulnerability in Their Antivirus Products

Self-repairing software tackles malware

Posted on November 16, 2014 by mea

Unlike a normal virus scanner on consumer PCs that compares a catalog of known viruses to something that has infected the computer, A3 can detect new, unknown viruses or malware automatically by sensing that something is occurring in the computer’s operation that is not correct. It then can stop the virus, approximate a repair for the damaged software code, and then learn to never let that bug enter the machine again.

via Self-repairing software tackles malware — ScienceDaily.

The A3 software is open source, meaning it is free for anyone to use, but Eide believes many of the A3 technologies could be incorporated into commercial products

Download papers from the source: A3 : Flux Research Group

The A3 project applies virtualization, record-and-replay, introspection, repair, and other techniques to develop a customizable container for “advanced adaptive applications.” The A3 container provides its protected application with both innate and adaptive defenses against security threats.

Available Software

Stackdb — a VMI-enabled debugging library for multi-level systems (read the paper; browse the source code; git clone the source repository)
Weir — a streaming language for systems analysis (read the paper; browse the source code; git clone the source repository)
XenTT — a “time-traveling” hypervisor (docs and source code)

Symantec And Security Starlets Say Anti-Virus Is Dead

Posted on May 6, 2014 by mea

“The overall detection by anti-virus software in January was disappointing — only 70.62 percent. For February it is even worse — only 64.77 percent was detected. And in March the average detection was 73.56 percent. That might not sound too bad but it means that 29 percent, 35 percent and 26 percent was not detected,” the company’s report read.

via Symantec And Security Starlets Say Anti-Virus Is Dead.

Dutch police may get right to hack in cyber crime fight

Posted on May 4, 2013 by mea

Under a new bill, investigators would be able to hack into computers, install spyware, read emails and destroy files.

They could also break into servers located abroad, if they were being used to block services.

via BBC News – Dutch police may get right to hack in cyber crime fight.

This is no threat to a properly secured system. AV software is not a panacea for securing a system.

Time To Dump Antivirus As Endpoint Protection?

Posted on April 22, 2013 by mea

1. Abandon antivirus
Businesses could remove host-based security from their desktops and trust that their perimeter will keep out the malware.

via Time To Dump Antivirus As Endpoint Protection? — Dark Reading.

There are some other useful tips in this article as well. I like the above quoted idea because AV software can be a pretty heavy load on an endpoint requiring constant maintenance and upgrade. These upgrade cycles in and of themselves pose a security hazard. The more complex a system becomes, the more that can go wrong.

Bucktown Bell

Cut to the chase.

Tag Archives: anti virus