Level 54
Content Creator
Some antivirus tools are more resilient than others, but it appears that many of them had weaknesses in common. Rack911 Labs has revealed (via ZDNet) that 28 well-known antivirus programs, including Microsoft Defender, McAfee Endpoint Security and Malwarebytes, either had or have bugs that would let attackers delete necessary files and prompt crashes that could be used to install malware. Known as “symlink races,” they use symbolic links and directory junctions to link malicious files to legitimate ones during the time between scanning a file for viruses and when it’s removed.
The approach not only works across security suites, but across platforms. You just need different techniques on Linux PCs and Macs, Rack911 said.

Intruders would still need to download and run the necessary code before launching a symlink race, so this is more of a tool to facilitate an existing breach than start it. Researchers also noted that most of the vendors (including AVG, F-Secure, McAfee and Symantec) have fixed the bugs, some of them quietly.
This still leaves a few (currently unnamed) antivirus clients vulnerable, though. Rack911 also warned that taking advantage of the bugs was “trivial.” This could reduce the effectiveness of antivirus software and make malware that much more effective for attackers who know the bugs exist. You’ll want to update your security software, then, even if it’s just to reduce the potential damage should someone compromise your system.

Actual link to report is here



Staff member
Malware Hunter
I think this link has been already discussed in a different thread in the forum, also probably that vulnerability and the article are a bit obsolete, I recorded a few days ago a video to test against KES11.3 (adapting it/selecting a different dll inside the folder used with McAfee) and it seems that vulnerability is not working with it, the file was not deleted:

After letting it run for a while I just broke the loop...
Last edited: