Level 24
Security researchers from Rack911 Labs describe a technique that can be used to leverage and disable almost any antivirus software on Windows or macOS. Although some AV vendors has improved their products, it’s not a good news for fans of antivirus software.

Antivirus software is actually designed to protect against malicious threats. But what if this protection could be secretly disabled before the AV software could even neutralize a threat? What if this protection could be manipulated to perform certain file operations that would allow the operating system to be compromised or simply rendered unusable by an attacker? A few hours ago I stumbled upon the tweet below.

F. Javier Santiago
Exploiting (Almost) Every Antivirus Software – RACK911 Labs Exploiting (Almost) Every Antivirus Software – RACK911 Labs

7:14 PM - Apr 20, 2020
Twitter Ads info and privacy
See F. Javier Santiago's other Tweets
In this article, security researchers from RACK911 Labs describe techniques that can be used to bypass and disable almost any antivirus software on Windows or macOS. When an unknown file is saved to disk, the antivirus software usually performs a “real-time scan” either immediately or within minutes. If the unknown file poses a suspected threat, it is automatically quarantined and moved to a safe location or simply deleted. The virus scanner runs with the highest privileges to perform the scan. This opens up the possibility of attacking a variety of security holes and exploiting various race conditions.

What most antivirus programs fail to take into account is the small window of time between the first file scan, which detects the malicious file, and the cleanup operation, which takes place immediately afterwards. A malicious local user or malware author is often able to run a race condition via a directory function (Windows) or symlink (Linux & MacOS). This can exploit the privileged file operations to disable the antivirus software or to interfere with the operating system to render it unusable, etc.

In tests on Windows, MacOS and Linux, security researchers were able to disable and delete important files used by the antivirus software without any problems. They were even able to delete important operating system files, although in Windows you can only delete files that are not in use. But some antivirus software can remove such files the next time the system is restarted.

In this article, the security researchers reveal a proof of concept that shows this approach. A video demonstrates the attack. On Windows, the security researchers have tested vom 2018 till now the following products:

Avast Free Anti-Virus
Avira Free Anti-Virus
BitDefender GravityZone
Comodo Endpoint Security
F-Secure Computer Protection
FireEye Endpoint Security
Intercept X (Sophos)
Kaspersky Endpoint Security
Malwarebytes for Windows
McAfee Endpoint Security
Panda Dome
Webroot Secure Anywhere

and were able to deactivate them successfully (in the version used for the test). There is almost everything that run on the Windows PCs of ordinary users.

Addendum: Because of an already started discussion in my German blog. Please note that this is not a test ‘this scanner is good, this scanner is bad’. The security researchers’ article is a snapshot. As mentioned above, the security reserchers has been running trials since 2018 and the vendors have each received an individual vulnerability report. Some AV vendors have made improvements. After a 6-month grace period, the security researchers have decided to disclose their findings now. However, the case shows me that you can’t be not careful enough (and it would not be the first fix to reveal new vulnerabilities). Because the security researchers has outlined their PoC, you can try to run the test with your current AV products.
Sadly they don't test windows defender with and without his sandbox protection.