
Vulnerability in antivirus quarantine allows attacker to release malware

Antivirus software flaw helps spread malware into your system

In today’s computer-dependent society, hackers are a constant threat to all Internet users. Hence, we implement stronger measures such as installing an antivirus program to protect our computers from hackers, malicious software, malware, etc. But what will you do if a vulnerability in your antivirus allows malware to escape quarantine and infect your system? Scary, right?

Florian Bogner, a researcher with security firm Kapsch, has discovered an exploit that takes advantage of antivirus programs. Dubbed ‘AVGater’, this exploit abuses the ‘restore from quarantine’ feature found in many antivirus programs, so that the malware is moved out of the AV quarantine folder and written to another, more sensitive location.

For those unaware, quarantine is a secure storage area in which an antivirus program places a potentially malicious file it has detected. The restore feature lets users recover files that were erroneously flagged as malware, known as a false positive detection.

Bogner said in a blog post that the exploit allows a user to take a malware entry out of the quarantine folder and place it somewhere else on the targeted computer, allowing the malware to be executed. Bogner has also uploaded a video that gives more information on how the exploit works.

As explained in the video, a local attacker can manipulate the antivirus’ scanning engine to bring the malicious file out. Usually, a non-administrator user does not have access to write a file to system folders like ‘Program Files’ or ‘Windows’, but by abusing a Windows feature called NTFS junction points, the attacker can redirect the restored file into a privileged directory, for instance a folder within C:\Program Files or C:\Windows.

“AVGater can be used to restore a previously quarantined file to any arbitrary file system location. This is possible because the restore process is most often carried out by the privileged AV Windows user mode service. Hence, file system ACLs [Access Control Lists] can be circumvented (as they don’t really count for the SYSTEM user). This type of issue is called a privileged file write vulnerability and can be used to place a malicious DLL anywhere on the system,” Bogner explained.
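The restore flow Bogner describes, and the check that closes it, are easier to see in code. The following is an added example written for this article, not code from Bogner’s blog post or from any antivirus vendor. It uses ordinary symlinks in a temporary directory as a stand-in for NTFS junction points, and the path names (`Users/alice/downloads`, `Program Files/Vendor`) are constructed for the demonstration. `vulnerable_restore` writes the quarantined file back to the recorded path without looking at what that path now points to, which is the behaviour that turns a SYSTEM-level restore service into a privileged file write. `hardened_restore` walks every path component below the user’s profile root, refuses if any of them has become a link, and uses exclusive create so it never overwrites an existing file.

```python
import os
import shutil
import tempfile
from pathlib import Path


class RestoreRefused(Exception):
    """Raised when a quarantine restore target fails a safety check."""


def quarantine(detected: Path, qdir: Path) -> dict:
    """Move a detected file into quarantine and record its fully resolved
    origin path at detection time (a real AV would also encode the bytes)."""
    recorded = detected.resolve()
    qfile = qdir / (recorded.name + ".quar")
    qfile.write_bytes(detected.read_bytes())
    detected.unlink()
    return {"quarantine_file": qfile, "original_path": recorded}


def vulnerable_restore(entry: dict) -> Path:
    """Naive restore: trusts the recorded path. If a directory on that path
    was swapped for a link after quarantine, the write follows the link.
    Running as SYSTEM, ACLs on the final directory do not stop it."""
    target = entry["original_path"]
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(entry["quarantine_file"].read_bytes())
    return target.resolve()          # where the bytes actually landed


def hardened_restore(entry: dict, user_root: Path) -> Path:
    """Restore only if no component between the user's profile root and the
    recorded file is a link (symlink here, junction on NTFS), the path still
    resolves to itself, and the destination does not already exist."""
    target = entry["original_path"]
    current = user_root
    for part in target.relative_to(user_root).parts:
        current = current / part
        if current.is_symlink():
            raise RestoreRefused(f"link in restore path: {current}")
    if target.resolve() != target:
        raise RestoreRefused("restore path no longer resolves to itself")
    if not target.parent.is_dir():
        raise RestoreRefused("restore directory is missing")
    with target.open("xb") as fh:    # exclusive create: never clobber a file
        fh.write(entry["quarantine_file"].read_bytes())
    return target


def demo() -> dict:
    """Build the scenario in a temp dir: quarantine a file from the user's
    folder, swap that folder for a link into a privileged location, then
    try both restore routines. Returns what each one did."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        user_home = root / "Users" / "alice"
        downloads = user_home / "downloads"
        privileged = root / "Program Files" / "Vendor"   # stand-in for C:\Program Files
        qdir = root / "quarantine"
        for d in (downloads, privileged, qdir):
            d.mkdir(parents=True)

        # constructed sample "malware": harmless placeholder bytes
        sample = downloads / "payload.dll"
        sample.write_bytes(b"placeholder bytes, not executable")
        entry = quarantine(sample, qdir)

        # the low-privilege user replaces their own directory with a link
        shutil.rmtree(downloads)
        os.symlink(privileged, downloads, target_is_directory=True)

        landed = vulnerable_restore(entry)
        escaped = privileged in landed.parents
        landed.unlink()

        try:
            hardened_restore(entry, user_home)
            refused = False
        except RestoreRefused:
            refused = True

        # the hardened routine still works for a legitimate false positive
        os.unlink(downloads)
        downloads.mkdir()
        restored = hardened_restore(entry, user_home)
        legit_ok = restored.read_bytes() == b"placeholder bytes, not executable"

    return {"vulnerable_wrote_to_privileged": escaped,
            "hardened_refused": refused,
            "hardened_restores_legit": legit_ok}


if __name__ == "__main__":
    print(demo())
```

The component walk starts at the user’s profile root rather than at the filesystem root so that legitimate links above the profile (such as `/tmp` being a link on some systems) do not cause false refusals; on Windows the same walk would test each component for a reparse point. Bogner’s enterprise advice, to disallow restores by non-administrators entirely, removes the whole code path and is the simpler control where false positives are rare.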

However, in order to execute the attack, the attacker must be physically present at the targeted PC, which is the most significant limitation of AVGater.

Prior to the disclosure of the exploit, Bogner reproduced the attack against products from Kaspersky Lab, Malwarebytes, Trend Micro, Emsisoft, Ikarus and Zonealarm. While all of these providers have already released patches for their products, additional unnamed antivirus vendors are still working on a fix that will be released in the coming days.

Bogner says that users can prevent AVGater by always keeping their antivirus products up to date. For enterprise users, he advises not to allow users to restore files from quarantine.

Kavita Iyer
