AVGater - New Antivirus design flow


Systems Affected

Windows Systems

Threat Level



A new Antivirus design flaw has discovered and named as AVGater for the Windows Local Privilege Escalation Vulnerability which is presented in many antiviruses that can be abused and bypassed using restore from quarantine Method.


AVGater can be used to restore a previously quarantined file to any arbitrary file system location. This is possible because the restore process is most often carried out by the privileged AV Windows user mode service. Hence, file system ACLs can be t really count for the SYSTEM user). This type of issue is called a privileged file write vulnerability and can be used to place a malicious DLL anywhere on the system. The goal is to side load this library for some legitimate Windows servers by abusing the DLL Search Order: If this succeeds, arbitrary code can be executed with the help of the DLLMain entry point.


AVGater allows malware or a local attacker to abuse the "restore from quarantine" feature to send previously detected malware to sensitive areas of the user's operating system, helping the malware gain boot persistence with elevated privileges.

Solution/ Workarounds

  ✻  Update the latest version of the Mozilla's Firefox on Windows, Linux and Mac.

References quarantine/ malware-sink-its-teeth-into-your-system/ attacks-that-otherwise-wouldnt-be-possible/ some-protections


The information provided herein is on "as is" basis, without warranty of any kind.


© Copyright Sri Lanka CERT|CC. All Rights Reserved.