Batman

Exploiting (Almost) Every Antivirus Software


Our software isn't listed as being vulnerable, and I am not aware of any reports of our software being vulnerable.


EAM's not listed, but at the foot of the page they do say "We have received questions about lesser-known antivirus software not listed on this page and all were found to be vulnerable." which doesn't make it clear whether they tested EAM or not.

12 hours ago, JeremyNicoll said:

> EAM's not listed, but at the foot of the page they do say "We have received questions about lesser-known antivirus software not listed on this page and all were found to be vulnerable." which doesn't make it clear whether they tested EAM or not.

Unfortunately that doesn't say a whole lot, and I haven't been told if EAM is known to be affected.


> Unfortunately that doesn't say a whole lot,

Indeed...

> and I haven't been told if EAM is known to be affected.

Have you asked?  I expect the OP (and anyone else reading this) would at least like to be sure that your programmers know about this particular potential problem.


I would think that by now any AV that was affected will have done something about it as it was first posted on April 20th.

> Almost every antivirus vendor mentioned on this page is now patched with the exception of a few, who will likely have patches out shortly given the media attention.

4 hours ago, JeremyNicoll said:

> Have you asked?

I did ask QA, and I was just informed that they tested it and EAM detected the EICAR string and moved the script to quarantine.

Edit:



Ok, that's better than nothing. But the vulnerability is down to the symlink/directory junctions aspect (being used to redirect the filesystem from eg a required DLL to something else, presumed to be malicious as was the EICAR file in the example shown on the website). Presumably replacing the AV product's DLL with something non-malicious would also be a risk - diminishing the power of the AV product.

If QA's test only worked because the EICAR file was detected, it's not checking the right thing.

17 hours ago, JeremyNicoll said:

> If QA's test only worked because the EICAR file was detected, it's not checking the right thing.

I would believe BitDefender's scan engine detected the EICAR signature because they've already fixed this.


So what happens if nearly the same bat file is used but instead of the EICAR file an innocent .exe or .dll is aligned with the AV product's one?

55 minutes ago, JeremyNicoll said:

> So what happens if nearly the same bat file is used but instead of the EICAR file an innocent .exe or .dll is aligned with the AV product's one?

Nothing. I was just told that a symlink issue in EAM was reported and fixed some time ago, so EAM's cleaning engine won't follow symlinks (meaning it won't restore to them, or quarantine/delete from them).
https://bogner.sh/2017/11/local-privilege-escalation-in-emsisoft-anti-malware-by-abusing-ntfs-directory-junctions-avgater/

Edit: In case there's any confusion about my statement, it means EAM wasn't vulnerable to this newly reported symlink issue.

Edited by GT500

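As an added illustration (my own example code, not Emsisoft's engine and not anything posted in the thread), this is the kind of check GT500's description implies: before a scanner quarantines, restores or deletes a file, walk every component of the path below a trusted root and refuse to act if any component is a symlink, junction or other reparse point. The sample layout with a `link -> real` directory symlink is constructed inside `build_demo_tree()`.

```python
import os
import stat
import tempfile
from pathlib import Path

# Windows attribute bit for junctions, mount points and other reparse points.
# Defined here so the check also runs on POSIX, where the bit never appears.
FILE_ATTRIBUTE_REPARSE_POINT = 0x0400

def is_reparse_point(component: Path) -> bool:
    """True if this one path component is a symlink, junction or other reparse point."""
    st = component.lstat()  # lstat looks at the link itself, never at its target
    if stat.S_ISLNK(st.st_mode):
        return True
    # Directory junctions are not symlinks, but Windows flags them as reparse points.
    return bool(getattr(st, "st_file_attributes", 0) & FILE_ATTRIBUTE_REPARSE_POINT)

def first_reparse_component(path: str, trusted_root: str):
    """Walk from trusted_root down to path; return the first component that is a
    reparse point, or None if all are plain files/directories. The root itself is
    assumed vetted; a path outside it is rejected as a whole."""
    root = Path(os.path.abspath(trusted_root))  # abspath does not follow links
    target = Path(os.path.abspath(path))
    try:
        rel = target.relative_to(root)
    except ValueError:
        return str(target)
    current = root
    for part in rel.parts:
        current = current / part
        try:
            if is_reparse_point(current):
                return str(current)
        except (FileNotFoundError, NotADirectoryError):
            return None  # nothing exists at this prefix, so nothing to act on
    return None

def safe_to_act_on(path: str, trusted_root: str) -> bool:
    """The policy GT500 describes: never quarantine, restore or delete through a link."""
    return first_reparse_component(path, trusted_root) is None

def build_demo_tree():
    """Constructed sample layout: <root>/real/a.dll plus <root>/link -> real."""
    root = Path(tempfile.mkdtemp(prefix="avlink_"))
    (root / "real").mkdir()
    (root / "real" / "a.dll").write_bytes(b"constructed stand-in, not a real DLL")
    os.symlink(root / "real", root / "link", target_is_directory=True)
    return root, root / "real" / "a.dll", root / "link" / "a.dll"
```

Note that this only guards the engine's own file operations; it does not detect that a junction was planted, and on Windows creating a junction needs no special privilege, which is why the check has to be on the consumer side.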
