
Exploiting (Almost) Every Antivirus Software



EAM's not listed, but at the foot of the page they do say "We have received questions about lesser-known antivirus software not listed on this page and all were found to be vulnerable." which doesn't make it clear whether they tested EAM or not.


12 hours ago, JeremyNicoll said:

EAM's not listed, but at the foot of the page they do say "We have received questions about lesser-known antivirus software not listed on this page and all were found to be vulnerable." which doesn't make it clear whether they tested EAM or not.

Unfortunately that doesn't say a whole lot, and I haven't been told if EAM is known to be affected.


> Unfortunately that doesn't say a whole lot,

Indeed...

> and I haven't been told if EAM is known to be affected.

Have you asked? I expect the OP (and anyone else reading this) would at least like to be sure that your programmers know about this particular potential problem.


I would think that by now any AV that was affected will have done something about it as it was first posted on April 20th.

Quote

Almost every antivirus vendor mentioned on this page is now patched with the exception of a few, who will likely have patches out shortly given the media attention.



Ok, that's better than nothing. But the vulnerability is down to the symlink/directory junctions aspect (being used to redirect the filesystem from, e.g., a required DLL to something else, presumed to be malicious, as was the EICAR file in the example shown on the website). Presumably replacing the AV product's DLL with something non-malicious would also be a risk, diminishing the power of the AV product.

If QA's test only worked because the EICAR file was detected, it's not checking the right thing. 


17 hours ago, JeremyNicoll said:

If QA's test only worked because the EICAR file was detected, it's not checking the right thing. 

I would believe BitDefender's scan engine detected the EICAR signature because they've already fixed this.


55 minutes ago, JeremyNicoll said:

So what happens if nearly the same bat file is used but instead of the EICAR file an innocent .exe or .dll is aligned with the AV product's one?

Nothing. I was just told that a symlink issue in EAM was reported and fixed some time ago, so EAM's cleaning engine won't follow symlinks (meaning it won't restore to them, or quarantine/delete from them).
https://bogner.sh/2017/11/local-privilege-escalation-in-emsisoft-anti-malware-by-abusing-ntfs-directory-junctions-avgater/

Edit: In case there's any confusion about my statement, it means EAM wasn't vulnerable to this newly reported symlink issue.

Edited by GT500
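The two posts above turn on one design point: a quarantine/restore routine must not follow symlinks or directory junctions when it writes a file back into a product's install tree, otherwise the write can be redirected somewhere else. The following Python is an added illustration of that defensive check written for this thread; it is not Emsisoft's code and says nothing about how EAM actually implements it. The function names, the "trusted root" idea and the temporary directory layout built by `demo()` are all my own constructed assumptions.

```python
import os
import stat
import pathlib
import tempfile


def is_link_or_junction(path):
    """True if `path` itself (not its target) is a symlink or, on Windows, a
    reparse point such as a directory junction. lstat never follows the link."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return True
    attrs = getattr(st, "st_file_attributes", 0)  # set on Windows only; 0 elsewhere
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0))


def path_is_link_free(path, trusted_root):
    """Return True only if `path` lies under `trusted_root` and no component
    between the root and the path is a symlink or junction (assumed policy)."""
    path = os.path.abspath(path)
    root = os.path.abspath(trusted_root)
    try:
        if os.path.commonpath([path, root]) != root:
            return False  # destination escapes the install tree
    except ValueError:  # different drives on Windows
        return False
    current = root
    for part in pathlib.PurePath(os.path.relpath(path, root)).parts:
        current = os.path.join(current, part)
        if os.path.lexists(current) and is_link_or_junction(current):
            return False  # a redirected component: refuse, do not follow it
    return True


def safe_restore(quarantine_file, destination, trusted_root):
    """Copy a quarantined file back to `destination`, refusing to follow any
    symlink or junction. Returns True on success, False if the path was refused."""
    if not path_is_link_free(destination, trusted_root):
        return False
    data = pathlib.Path(quarantine_file).read_bytes()
    # O_EXCL: never overwrite an existing file (or write through a dangling link);
    # O_NOFOLLOW: refuse if the final component is itself a symlink (POSIX only).
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(destination, flags, 0o644)
    except OSError:
        return False
    with os.fdopen(fd, "wb") as out:
        out.write(data)
    return True


def demo():
    """Constructed scenario: a trusted install tree holding one real directory
    and one symlink that points outside the tree. Returns each restore's outcome."""
    base = tempfile.mkdtemp(prefix="restore-demo-")
    root = os.path.join(base, "install")
    outside = os.path.join(base, "outside")
    os.makedirs(os.path.join(root, "real"))
    os.makedirs(outside)
    os.symlink(outside, os.path.join(root, "redirected"))  # constructed link
    quarantined = os.path.join(base, "q.bin")
    pathlib.Path(quarantined).write_bytes(b"constructed quarantined content")
    results = {
        "plain_dir": safe_restore(quarantined, os.path.join(root, "real", "a.dll"), root),
        "via_link": safe_restore(quarantined, os.path.join(root, "redirected", "a.dll"), root),
        "escaped_root": safe_restore(quarantined, os.path.join(outside, "b.dll"), root),
    }
    results["outside_untouched"] = not os.listdir(outside)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The lstat check followed by the open still leaves a small check-then-use window on the intermediate directories; closing it completely means opening each directory component with `O_NOFOLLOW` and then opening the next one relative to that descriptor (`dir_fd`/`openat` on POSIX, `FILE_FLAG_OPEN_REPARSE_POINT` on Windows), which is the property a production engine would want to verify in QA rather than just checking that EICAR was detected.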
