November 13, 2017
Several antivirus products are affected by a design flaw that allows malware or a local attacker to abuse the "restore from quarantine" feature to send previously detected malware to sensitive areas of the user's operating system, helping the malware gain boot persistence with elevated privileges.
Florian Bogner, a security auditor at Kapsch, an Austrian cyber-security company, discovered the flaw, which he is tracking under the codename AVGater.
Some antivirus vendors issued updates
Bogner says he notified all antivirus makers that he tested and found vulnerable. Today, the researcher published his findings after some companies issued updates.
The list includes Trend Micro, Emsisoft, Kaspersky Lab, Malwarebytes, Ikarus, and Zone Alarm by Check Point.
He says other companies will release fixes in the coming days, and that he doesn't rule out that other AV engines that he did not test may also be vulnerable.
How AVGater works
To better understand how the flaw works, it's easier to lay out a successful exploitation scenario:
The entire attack is devilishly clever, allowing for both boot persistence and privilege escalation, but still relies on attackers with physical access to the machine, a serious limitation in most cases.
Nonetheless, there are scenarios where AVGater can prove useful. For example, in shared office, educational, or government environments where users share computers, on Windows-based ATMs, and others.
Bogner, who published proof-of-concept code for exploiting the Emsisoft and Malwarebytes AVs, says that users can prevent AVGater by always updating their antivirus products, and in the case of enterprise environments, by not allowing users to restore files from quarantine.
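The defensive counterpart to the flaw described above is a restore routine that refuses to write a quarantined file anywhere other than the canonical location it was taken from. The following is an added example, not Bogner's proof-of-concept and not any vendor's code; it assumes the quarantine engine records the resolved origin directory at quarantine time and re-validates it at restore time, and it uses a constructed temporary directory layout (with a symlink standing in for whatever redirection the real products accepted) to show the check rejecting a destination that no longer resolves to the recorded origin.

```python
import os
import shutil
import tempfile


def record_origin(file_path):
    """Called at quarantine time: remember the canonical directory the file came from."""
    return os.path.realpath(os.path.dirname(file_path))


def validate_restore(recorded_origin, origin_dir, filename, protected_roots):
    """Return True only if restoring `filename` into `origin_dir` is safe.

    Checks, in order:
      1. the destination directory still resolves to the recorded origin
         (a directory swapped for a link to somewhere else fails here);
      2. the file name is a plain name, not a traversal or absolute path;
      3. the final resolved destination is not under any protected root.
    """
    # 1. destination must still be the directory the file was quarantined from
    if os.path.realpath(origin_dir) != recorded_origin:
        return False
    # 2. reject traversal ("../x"), absolute names and empty/dot names
    if os.path.basename(filename) != filename or filename in ("", ".", ".."):
        return False
    # 3. never land inside a protected location (system directories, in practice)
    dest = os.path.realpath(os.path.join(origin_dir, filename))
    for root in protected_roots:
        root_real = os.path.realpath(root)
        if os.path.commonpath([root_real, dest]) == root_real:
            return False
    return True


def demo():
    """Constructed scenario: validate a restore before and after the origin
    directory is replaced by a link into a protected directory.
    Returns (result_before, result_after)."""
    base = tempfile.mkdtemp()
    try:
        user_dir = os.path.join(base, "user")          # where the file was found
        protected = os.path.join(base, "protected")    # stands in for a system dir
        os.mkdir(user_dir)
        os.mkdir(protected)

        sample = os.path.join(user_dir, "sample.exe")  # constructed "detected" file
        open(sample, "w").close()
        origin = record_origin(sample)                 # recorded at quarantine time
        os.remove(sample)                              # file moved into quarantine

        before = validate_restore(origin, user_dir, "sample.exe", [protected])

        # the origin directory is swapped for a link pointing into the protected dir
        os.rmdir(user_dir)
        os.symlink(protected, user_dir)
        after = validate_restore(origin, user_dir, "sample.exe", [protected])
        return before, after
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print(demo())  # (True, False): restore allowed before the swap, refused after
```

The important design choice is that the origin is resolved and stored when the file is quarantined, not recomputed from an attacker-influenced path at restore time; comparing the two resolved paths is what makes the swap visible. On Windows the `protected_roots` list would hold locations such as the system and startup directories, and the check should run in the privileged service rather than in any user-controlled UI component.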