A vulnerability has been discovered that allows hackers to break through antivirus defenses. Here's how it works and which antivirus apps are in danger
Microsoft Defender, McAfee Endpoint Security, Malwarebytes and many other popular commercial and free antivirus apps, 28 in total, have been, and in some cases still are, vulnerable to attack, in their Windows, Linux and macOS versions alike.
The cybersecurity company Rack911 Labs discovered that all of these products share a similar vulnerability, which allows an attacker to escalate an attack right after compromising the system and getting the user to download malware. The technique is called "symlink races" and is based on links to malicious files. Fortunately, attackers would still have to get the necessary code downloaded and executed before they could use this technique, so it is more of a tool for fully exploiting an already partially successful attack than for launching one from scratch. That does not change the fact, however, that an antivirus should protect you against attacks of this kind.
Hacker attack via antivirus
Most antivirus software works in a similar way: when an unknown file is saved to your hard drive, the security suite usually runs a real-time scan to check for viruses. If the antivirus believes that the unknown file is dangerous, it automatically quarantines it and moves it to a safe location while waiting for further instructions: the user can then choose to delete or open the file. Almost all antivirus products run with the highest privileges the operating system grants, so if it is the antivirus itself that acts on the dangerous file, nothing can stop the infection. The "symlink races" technique exploits exactly this: the small time window between the initial scan that detects the malicious file and the clean-up operation that takes place immediately afterwards.
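The defensive side of the window described above, as an added example that is not code from the article or from Rack911 Labs: a quarantine routine that pins the scanned directory and file by descriptor at scan time, refuses symlinks with O_NOFOLLOW, and performs the clean-up relative to the pinned directory, so a path swapped for a symlink in between redirects nothing. It assumes a POSIX system (Linux or macOS) and constructs its own sample files in a temporary directory.

```python
import os
import stat
import tempfile

def open_scan_target(directory, name):
    """Scan phase: pin the parent directory and the file by descriptor."""
    dir_fd = fd = -1
    try:
        # O_NOFOLLOW on both opens: a symlink standing in for the folder or file fails with ELOOP
        dir_fd = os.open(directory, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
        fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW, dir_fd=dir_fd)
        st = os.fstat(fd)
        if stat.S_ISREG(st.st_mode):
            return (dir_fd, fd, name, st)
    except OSError:
        pass
    for h in (fd, dir_fd):
        if h >= 0: os.close(h)
    return None

def quarantine(target, quarantine_dir):
    """Clean-up phase: move the file only if the name still denotes the scanned inode.
    Every call is dir_fd-relative, so swapping the parent directory for a symlink redirects nothing."""
    dir_fd, fd, name, st = target
    q_fd = os.open(quarantine_dir, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        now = os.stat(name, dir_fd=dir_fd, follow_symlinks=False)
        if (now.st_dev, now.st_ino) != (st.st_dev, st.st_ino):
            return False  # replaced during the scan/clean-up window
        os.rename(name, f"{st.st_ino}.quarantined", src_dir_fd=dir_fd, dst_dir_fd=q_fd)
        return True
    except OSError:
        return False  # vanished or swapped for a symlink: leave it alone
    finally:
        for h in (q_fd, fd, dir_fd):
            os.close(h)

def demo():
    """Constructed scenario: the folder is swapped for a symlink to a decoy folder mid-way."""
    root = tempfile.mkdtemp()
    scan, decoy, q = (os.path.join(root, d) for d in ("downloads", "decoy", "quarantine"))
    for d in (scan, decoy, q): os.mkdir(d)
    for d, payload in ((scan, b"constructed sample"), (decoy, b"file an attacker wants gone")):
        with open(os.path.join(d, "evil.bin"), "wb") as f: f.write(payload)
    target = open_scan_target(scan, "evil.bin")
    os.rename(scan, scan + ".real")  # the race window: the scanned path is
    os.symlink(decoy, scan)          # replaced by a symlink to the decoy folder
    moved = quarantine(target, q)    # must act on downloads.real, not on decoy
    return (moved, os.path.exists(os.path.join(decoy, "evil.bin")),
            len(os.listdir(q)), open_scan_target(scan, "evil.bin") is None)
```

`demo()` returns `(True, True, 1, True)`: the scanned file was quarantined, the decoy survived, and a fresh scan of the now-symlinked path is refused outright.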
Which antivirus apps are at risk
According to Rack911 Labs, many antivirus products can potentially be attacked with this method. On Windows 10 the bug affects:
- Avast Free Anti-Virus,
- Avira Free Anti-Virus,
- BitDefender GravityZone,
- Comodo Endpoint Security,
- F-Secure Computer Protection,
- FireEye Endpoint Security,
- Intercept X (Sophos),
- Kaspersky Endpoint Security,
- Malwarebytes for Windows,
- McAfee Endpoint Security,
- Panda Dome and
- Webroot Secure Anywhere.
On Mac the affected antivirus apps are:
- AVG,
- BitDefender Total Security,
- Eset Cyber Security,
- Kaspersky Internet Security,
- McAfee Total Protection,
- Microsoft Defender (BETA),
- Norton Security,
- Sophos Home,
- Webroot Secure Anywhere.
On Linux the following are at risk:
- BitDefender GravityZone,
- Comodo Endpoint Security,
- Eset File Server Security,
- F-Secure Linux Security,
- Kaspersky Endpoint Security,
- McAfee Endpoint Security,
- Sophos Anti-Virus for Linux.