Yes, we told you antivirus was a risk!

Update: On 13 Nov 2017 we noted an article that looks pretty familiar. You can read the article at the following link. We thought we would update our own article, but we have one question for the authors of that piece: what about the other vectors? The zero days that cannot be patched? The DLL issue we already explained years ago, and what about the operating system hooks?

As mentioned in a previous blog post, we have been warning users of antivirus products that certain functions of those products can be used to turn them against their users.

We have been using various exploits to demonstrate the vulnerabilities of these products during our penetration tests and exercises. Despite these warnings, we still hear from CEOs and security teams that antivirus is critical to their organizations.

We completely disagree. While antivirus stops some threats, it opens a huge backdoor: to read and scan every file on the filesystem it must run with full privileges on Windows, typically as a LocalSystem service backed by kernel-mode filter drivers, so any action an attacker can make it take runs with those privileges too.

Today, while reviewing open source articles, we read a Threatpost article that looked very similar to our previous post on the topic. We are happy to see that others are also starting to research how antivirus can be turned against users. The difference between the Threatpost article and our testing is that our methods do not require any user intervention. We have been able to create administrator-equivalent user accounts, delete users, read files that the ACLs denied us, and perform many other really fun tricks.

One of the easiest vectors to attack is the automated actions of antivirus. By using those actions to execute other code, you effectively turn a defensive product into an offensive weapon.
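A practitioner who wants to verify the privilege claim above on their own hosts, and to catch the classic "DLL planted next to a privileged binary" condition, can do so from an elevated PowerShell prompt. The script below is an added example, not code from the original post or from Jigsaw Security: it lists the antivirus products Windows Security Center knows about, then flags every LocalSystem service whose executable directory a low-privilege principal can write to. The `root/SecurityCenter2` namespace exists only on client editions of Windows, and the list of "low-privilege" identities is this example's own choice; it does not exercise the automated-action vector itself.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell on
# Windows 10/11. It checks two things the post relies on:
#   1. which antivirus products are registered and where their binaries live;
#   2. which LocalSystem services run from a directory that a non-admin can write,
#      the precondition for a planted DLL executing with the service's privileges.
# Assumption: the identities below are what we treat as "low privilege" on this host.
$lowPrivIdentities = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'Everyone'
)
# Any of these rights on the directory lets a user drop or replace a DLL in it.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]::Write -bor
             [int][System.Security.AccessControl.FileSystemRights]::Modify -bor
             [int][System.Security.AccessControl.FileSystemRights]::FullControl

function Get-LowPrivWriters {
    param([string]$Path)
    # Returns the low-privilege identities holding a write-class Allow ACE on $Path.
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return @() }
    @($acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $lowPrivIdentities -contains $_.IdentityReference.Value -and
            (([int]$_.FileSystemRights) -band $writeMask) -ne 0
        } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique)
}

# 1. Registered antivirus products as reported to Windows Security Center.
#    Absent on Server editions, hence SilentlyContinue.
$avProducts = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
foreach ($p in $avProducts) {
    'AV product: {0}  exe: {1}  state: 0x{2:X}' -f $p.displayName, $p.pathToSignedProductExe, $p.productState
}

# 2. LocalSystem services whose executable directory a low-privilege principal can write.
#    The AV engine service is normally LocalSystem, so it shows up here if misconfigured.
$findings = foreach ($svc in Get-CimInstance -ClassName Win32_Service | Where-Object { $_.StartName -eq 'LocalSystem' }) {
    # PathName may be quoted and may carry arguments; keep only the executable path.
    # An unquoted path containing spaces is itself a well-known weakness, so keep it whole up to ".exe".
    $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] }
           elseif ($svc.PathName -match '^(.+?\.exe)') { $Matches[1] }
           else { $null }
    if (-not $exe) { continue }
    $dir = Split-Path -Path $exe -Parent
    if (-not $dir) { continue }
    $writers = Get-LowPrivWriters -Path $dir
    if ($writers.Count -gt 0) {
        [pscustomobject]@{
            Service    = $svc.Name
            Account    = $svc.StartName
            Directory  = $dir
            WritableBy = ($writers -join ', ')
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No LocalSystem service runs from a directory writable by a low-privilege principal.'
}
```

A hit in the second list means any of the named principals can place a DLL where a privileged service will look for it; the fix is to tighten the directory ACL, not to trust the vendor's installer defaults. The script only inspects filesystem ACLs and service accounts; it does not probe the product's quarantine, restore or update actions.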

We don't think this is the last we will see of this issue. It is only a matter of time until threat actors figure it out and start using it in their malware payloads more frequently.

Previous Blog Post: Post 1 Post 2

Reference: Recent Threatpost Article

#AV #Antivirus #Update


© 2017-2018 Jigsaw Security Enterprise Inc.