AVGater - New Antivirus Design Flaw

 

Systems Affected


Windows Systems

Threat Level


Medium


Overview


A new antivirus design flaw has been discovered and named AVGater. It is a Windows local privilege escalation vulnerability present in many antivirus products, which can be abused, and their protection bypassed, through the "restore from quarantine" feature.


Description


AVGater can be used to restore a previously quarantined file to any arbitrary file system location. This is possible because the restore process is most often carried out by the privileged AV Windows user-mode service. Hence, file system ACLs can be circumvented (as they do not really count for the SYSTEM user). This type of issue is called a privileged file write vulnerability and can be used to place a malicious DLL anywhere on the system. The goal is to side-load this library into some legitimate Windows service by abusing the DLL search order: if this succeeds, arbitrary code can be executed with the help of the DllMain entry point.


Impact


AVGater allows malware or a local attacker to abuse the "restore from quarantine" feature to send previously detected malware to sensitive areas of the user's operating system, helping the malware gain boot persistence with elevated privileges.


Solution / Workarounds


Some antivirus vendors have already released fixes. Always install updates in a timely manner.
In enterprise environments, do not allow normal users to restore files from quarantine.
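The primitive described above (a privileged AV service writing a DLL into a location on the DLL search order of another service) leaves a trace in file-creation telemetry. The following is an added example, not part of this advisory or of any vendor's product: it triages constructed Sysmon-style FileCreate (Event ID 11) events for that pattern; the service image name, the protected directory list and the sample events are assumptions.

```python
from pathlib import PureWindowsPath

# Directories commonly in the DLL search order of privileged services.
# Constructed list for the example, not an exhaustive enumeration.
PROTECTED_DIRS = (
    PureWindowsPath(r"C:\Windows"),            # covers System32 and SysWOW64
    PureWindowsPath(r"C:\Program Files"),
    PureWindowsPath(r"C:\Program Files (x86)"),
)

# Image name of the AV user-mode service that performs restores (placeholder).
AV_SERVICE_IMAGES = {"avservice.exe"}

def suspicious(event):
    """Return True for a DLL written by the AV service, as SYSTEM, into a
    protected directory. event carries Sysmon Event ID 11 fields:
    Image, TargetFilename, User."""
    target = PureWindowsPath(event["TargetFilename"])
    if target.suffix.lower() != ".dll":
        return False
    if PureWindowsPath(event["Image"]).name.lower() not in AV_SERVICE_IMAGES:
        return False
    if event["User"].upper() != r"NT AUTHORITY\SYSTEM":
        return False
    # PureWindowsPath comparisons are case-insensitive, so mixed-case
    # paths still match the protected directories.
    return any(target.is_relative_to(d) for d in PROTECTED_DIRS)

def triage(events):
    """Return the target paths of events that need an analyst's attention."""
    return [e["TargetFilename"] for e in events if suspicious(e)]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # AV service restores a quarantined DLL into another service's directory
        "Image": r"C:\Program Files\ExampleAV\avservice.exe",
        "User": r"NT AUTHORITY\SYSTEM",
        "TargetFilename": r"C:\Program Files\ExampleService\helper.dll",
    },
    {   # Same service, but the restore lands back in the user's profile
        "Image": r"C:\Program Files\ExampleAV\avservice.exe",
        "User": r"NT AUTHORITY\SYSTEM",
        "TargetFilename": r"C:\Users\alice\Downloads\sample.dll",
    },
    {   # A normal installer writing a DLL; outside this rule's scope
        "Image": r"C:\Windows\System32\msiexec.exe",
        "User": r"NT AUTHORITY\SYSTEM",
        "TargetFilename": r"C:\Program Files\Other\plugin.dll",
    },
]

if __name__ == "__main__":
    for path in triage(SAMPLE_EVENTS):
        print("review restore:", path)
```

A legitimate restore of a false positive back to its original location under Program Files produces the same event, so treat a hit as a triage trigger to be correlated with who requested the restore, not as a verdict.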


References


https://bogner.sh/2017/11/avgater-getting-local-admin-by-abusing-the-anti-virus-quarantine/
https://www.bleepingcomputer.com/news/security/antivirus-engine-design-flaw-helps-malware-sink-its-teeth-into-your-system/
https://arstechnica.com/information-technology/2017/11/how-av-can-open-you-to-attacks-that-otherwise-wouldnt-be-possible/
https://community.spiceworks.com/topic/2085718-avgater-uses-av-software-to-get-past-some-protections
https://gbhackers.com/windows-local-privilege/


Disclaimer


The information provided herein is on "as is" basis, without warranty of any kind.


© Copyright Sri Lanka CERT|CC. All Rights Reserved.