Vulnerability in antivirus quarantine allows attacker to release malware

Antivirus software flaw helps spread malware into your system

In today’s computer-dependent society, hackers are a constant threat to every Internet user, so we take protective measures such as installing an antivirus program to guard our computers against hackers, malicious software, malware and the like. But what do you do when a vulnerability in that very antivirus lets malware escape quarantine and infect your system? Scary, right?

Florian Bogner, a researcher with security firm Kapsch, has discovered an exploit that takes advantage of antivirus programs. Dubbed ‘AVGater’, the exploit abuses the ‘restore from quarantine’ feature found in many antivirus products, so that a quarantined malware file is moved out of the AV quarantine folder and written to a different, sensitive location instead of its original one.

For those unaware, quarantine is a secure storage area in which an antivirus program places files it has detected as potentially malicious. The restore feature exists so that users can recover files that were wrongly detected as malware, known as false positive detections.

Bogner said in a blog post that the exploit allows a user to take a chosen malware entry out of the quarantine folder and place it somewhere else on the targeted computer, from where the malware can be executed. Bogner has also uploaded a video that gives more information on how the exploit works.

As explained in the video, a local attacker can manipulate the antivirus’ restore process to bring the malicious file out of quarantine. Normally a non-administrator user cannot write files to system folders such as ‘Program Files’ or ‘Windows’, but by abusing a Windows feature called an NTFS junction point, the attacker can redirect the restored file into a privileged directory, for instance a folder within C:\Program Files or C:\Windows.

“AVGater can be used to restore a previously quarantined file to any arbitrary file system location. This is possible because the restore process is most often carried out by the privileged AV Windows user mode service. Hence, file system ACLs [Access Control Lists] can be circumvented (as they don’t really count for the SYSTEM user). This type of issue is called a privileged file write vulnerability and can be used to place a malicious DLL anywhere on the system,” Bogner explained.
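The two paragraphs above describe the mechanism: the restore runs as SYSTEM, writes the file back to its recorded original path, and follows any junction that now sits on that path. The script below is an added illustration written for this page, not code from the article or from Bogner’s research. It builds a toy quarantine in a temporary directory, runs the junction swap against a restore routine that re-checks nothing, and then against a hardened routine that refuses to follow links or to write outside the user’s own tree. A POSIX symlink stands in for the NTFS junction (an assumption: it redirects the write the same way for the purpose of this demonstration), and the names `quarantine`, `vulnerable_restore`, `hardened_restore` and `run_demo` are the example’s own, not any vendor’s API.

```python
"""Added illustration of the AVGater pattern (not code from the article or from
Bogner's research). A symlink stands in for an NTFS junction."""
import os
import shutil
import tempfile
from pathlib import Path


def quarantine(src: Path, store: Path) -> Path:
    """Move src into the store and record where it came from."""
    store.mkdir(exist_ok=True)
    qfile = store / (src.name + ".quarantined")
    os.replace(src, qfile)
    (store / (src.name + ".origin")).write_text(str(src))
    return qfile


def _origin_of(qfile: Path, store: Path) -> Path:
    stem = qfile.name[: -len(".quarantined")]
    return Path((store / (stem + ".origin")).read_text())


def _is_link(p: Path) -> bool:
    """True for symlinks and, on Windows, for junctions (os.path.isjunction exists
    from Python 3.12; older versions report junctions through is_symlink)."""
    isjunction = getattr(os.path, "isjunction", None)
    return p.is_symlink() or (isjunction is not None and isjunction(p))


def vulnerable_restore(qfile: Path, store: Path) -> Path:
    """Write the file back to its original path without re-checking that path.
    Run as SYSTEM, this follows whatever link now sits on the path: the
    privileged file write the article describes."""
    origin = _origin_of(qfile, store)
    origin.parent.mkdir(parents=True, exist_ok=True)
    os.replace(qfile, origin)
    return origin


def hardened_restore(qfile: Path, store: Path, user_root: Path) -> Path:
    """Restore only if the destination stays inside user_root and no path
    component from user_root down is a link or junction. This is defence in
    depth: a check-then-write sequence can still race, so the proper fix is to
    perform the write as the requesting user so that ACLs apply."""
    origin = _origin_of(qfile, store)
    try:
        rel = origin.parent.relative_to(user_root)
    except ValueError:
        raise PermissionError(f"{origin} lies outside {user_root}")
    current = user_root
    for part in rel.parts:
        current = current / part
        if _is_link(current):
            raise PermissionError(f"{current} is a link; refusing to follow it")
    os.replace(qfile, origin)
    return origin


def run_demo() -> dict:
    """Play the junction swap against both restore routines; return what each did."""
    base = Path(tempfile.mkdtemp(prefix="avgater-demo-"))
    protected = base / "ProgramFiles"      # stands in for C:\Program Files
    user_home = base / "Users" / "alice"   # writable by the low-privilege user
    store = base / "Quarantine"
    protected.mkdir()
    user_home.mkdir(parents=True)
    outcome = {}
    for name in ("vulnerable", "hardened"):
        drop = user_home / "drop"
        drop.mkdir()
        sample = drop / "evil.dll"
        sample.write_bytes(b"constructed sample, not a real binary")  # constructed
        qfile = quarantine(sample, store)
        # The step from the article: after quarantine, the directory on the
        # original path is replaced by a link into the privileged location.
        os.rmdir(drop)
        os.symlink(protected, drop, target_is_directory=True)
        try:
            if name == "vulnerable":
                vulnerable_restore(qfile, store)
            else:
                hardened_restore(qfile, store, user_home)
            landed = (protected / "evil.dll").exists()
            outcome[name] = "written into protected dir" if landed else "restored in place"
        except PermissionError as err:
            outcome[name] = f"refused: {err}"
        finally:
            os.unlink(drop)
            (protected / "evil.dll").unlink(missing_ok=True)
            for leftover in store.glob("evil.dll.*"):
                leftover.unlink()
    shutil.rmtree(base)
    return outcome


if __name__ == "__main__":
    for routine, what in run_demo().items():
        print(f"{routine:10s} -> {what}")
```

Running it shows the vulnerable routine landing `evil.dll` inside the stand-in Program Files directory while the hardened routine refuses at the link. The link check is only part of the answer: because the check and the write are separate steps, a restore service that keeps SYSTEM privileges can still be raced, which is why the sturdier mitigation is to write as the user who asked for the restore, so the normal file system ACLs decide what that user may overwrite.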

However, in order to execute the attack, the attacker must be physically present at the targeted PC, which is the most significant limitation of AVGater.

Prior to disclosing the exploit, Bogner reproduced the attack against products from Kaspersky Lab, Malwarebytes, Trend Micro, Emsisoft, Ikarus and ZoneAlarm. While all of these vendors have already released patches for their products, additional unnamed antivirus vendors are still working on fixes to be released in the coming days.

Bogner says that users can protect themselves against AVGater by keeping their antivirus products up to date. For enterprise users, he advises not allowing ordinary users to restore files from quarantine.

Kavita Iyer
