
Almost every major anti-malware product has some kind of security flaw


Many anti-malware products from every major antivirus vendor feature a significant security flaw, new research has claimed.

CyberArk tested anti-malware products from Kaspersky, McAfee, Symantec, Fortinet, Check Point, Trend Micro, Avira, Microsoft, Avast and F-Secure and found that all of them can be abused to escalate privileges on users' systems.

This is quite ironic: anti-malware solutions are supposed to protect users, yet they may unintentionally help malware gain more privileges on a system. According to CyberArk's new blog post, many vendors fall for the same types of bugs, and anti-malware products are particularly attractive targets for exploitation because they run with high privileges.

The sheer number of bugs found within anti-malware products can be staggering, but many of them could be easily eliminated if the security companies that make these products implemented a few changes.

Anti-malware bugs

The first cause of many of the bugs found in anti-malware products is that many applications on Windows use the operating system's ProgramData directory to store data that is not tied to a specific user. Programs that store data tied to a specific user generally use the %LocalAppData% directory, which is accessible only by the currently logged-in user.

CyberArk set out to answer two questions: what happens if a non-privileged process creates directories or files that will later be used by a privileged process, and what happens if you create a directory or directory tree before a privileged process does?

To answer the first question, the firm looked at Avira's AV, which has two processes that write to the same log file. Using a symlink attack, CyberArk was able to easily redirect the output of the write operation to any file it chose. While the firm used Avira's AV as an example, it pointed out that this privilege escalation method is not limited to this product or vendor. To answer the second question, CyberArk's research found that in 99 percent of cases a privileged process won't change the DACL (Discretionary Access Control List) of an existing directory.

DLL hijacking is another way in which anti-malware products can be abused for privilege escalation. In this technique, a standard user abuses the DLL loading of a privileged process and successfully injects code into it.

To prevent privilege escalation in anti-malware products, CyberArk recommends that developers change DACLs before usage, correct their impersonation, update the installation framework of their software and use LoadLibraryEx.
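One way to check a product's ProgramData directory for the two conditions described above (a low-privilege principal able to write into it, and symlinks or junctions planted inside it) and to apply the explicit DACL the recommendations call for, as an added PowerShell example that is not CyberArk's or the article's code; the directory path and the principals granted access are assumptions:

```powershell
# Added example (not CyberArk's or the article's code): audit and harden the DACL of an
# anti-malware product's ProgramData directory. The path is a hypothetical placeholder.
param([string]$Path = 'C:\ProgramData\ExampleVendor')
$FSR = [System.Security.AccessControl.FileSystemRights]
# Rights that let a standard user plant, replace or redirect objects under the directory.
$writeMask = $FSR::WriteData -bor $FSR::AppendData -bor $FSR::CreateDirectories -bor
             $FSR::WriteAttributes -bor $FSR::Delete -bor $FSR::DeleteSubdirectoriesAndFiles
# Low-privilege principals whose write access is a finding.
$lowPriv = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')

function Get-WeakDacl {
    param([string]$Dir)
    foreach ($ace in (Get-Acl -LiteralPath $Dir).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band [int]$writeMask) -ne 0) {
            [pscustomobject]@{ Directory = $Dir; Principal = $ace.IdentityReference.Value
                               Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
        }
    }
}

# Symlinks and junctions inside the tree are what the redirect-the-write technique in
# the article relies on; a privileged process should not follow them blindly.
function Get-ReparsePoints {
    param([string]$Dir)
    Get-ChildItem -LiteralPath $Dir -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0 } |
        Select-Object FullName, LinkType, Target
}

# Remediation: set an explicit DACL instead of trusting one a pre-created directory carries.
function Set-RestrictiveDacl {
    param([string]$Dir)
    $inh = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
    $acl = Get-Acl -LiteralPath $Dir
    $acl.SetAccessRuleProtection($true, $false)       # stop inheriting from C:\ProgramData
    foreach ($r in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $null = $acl.RemoveAccessRuleAll($r)           # drop every explicit ACE
    }
    $grants = @{ 'NT AUTHORITY\SYSTEM' = $FSR::FullControl; 'BUILTIN\Administrators' = $FSR::FullControl
                 'BUILTIN\Users' = $FSR::ReadAndExecute }
    foreach ($id in $grants.Keys) {
        $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
            $id, $grants[$id], $inh, 'None', 'Allow'))
    }
    Set-Acl -LiteralPath $Dir -AclObject $acl
}

Get-WeakDacl -Dir $Path | Format-Table -AutoSize
Get-ReparsePoints -Dir $Path | Format-Table -AutoSize
```

Set-RestrictiveDacl is deliberately not invoked by default; run it from an elevated session once the audit output has been reviewed, and bear in mind that the durable fix is for the installer to create the directory with this DACL before any privileged process uses it.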