Researchers found a way to turn almost every antivirus software into self-destructive tools


Security researchers have described a simple technique that lets a local attacker disable almost any antivirus product on Windows, macOS and Linux. The method abuses directory junctions (Windows) and symlinks (macOS and Linux) to make the antivirus's own privileged file operations work against it, turning almost every antivirus product into a self-destructive tool.

When an unknown file is saved to disk, the RACK911 Labs researchers explain, the installed antivirus performs a "real-time scan", which can take anywhere from seconds to minutes. If the file is deemed suspicious, it is then automatically quarantined or deleted. The problem is that almost all antivirus tools run with high privileges, so the quarantine or delete operation is performed by a privileged component, and a local attacker can use this to their advantage.

“What most antivirus software fail to take into consideration is the small window of time between the initial file scan that detects the malicious file and the cleanup operation that takes place immediately after. A malicious local user or malware author is often able to perform a race condition via a directory junction (Windows) or a symlink (Linux & macOS) that leverages the privileged file operations to disable the antivirus software or interfere with the operating system to render it useless, etc.” the researchers explain.

“Make no mistake about it, exploiting these flaws was pretty trivial and seasoned malware authors will have no problem weaponizing the tactics outlined in this blog post. The hardest part will be figuring out when to perform the directory junction or symlink as timing is everything; one second too early or one second too late and the exploit will not work.”

In testing across Windows, macOS and Linux, the researchers were able to disable the antivirus software and delete files it depends on without difficulty. They were even able to delete key operating system files, causing corruption severe enough to require a full reinstall of the OS, although on Windows they could only delete files that were not currently in use (Windows refuses to delete files held open by another process).
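The flaw described above is a classic time-of-check/time-of-use race: the scanner records a file by its path, and the privileged cleanup later re-resolves that path, by which time the attacker has swapped a directory along it for a symlink pointing at something the attacker wants destroyed. The following Python script is an added example written for this page, not RACK911's proof of concept or any vendor's code. It re-enacts the race deterministically (the attacker's swap runs in the same process, so no timing is involved) against constructed files in a temporary directory, and contrasts a path-based cleanup with one that pins the directory by file descriptor at scan time and deletes with `unlinkat`, as one hardening approach. It is POSIX-only (it relies on `dir_fd` support); the Windows directory-junction variant is not shown. The directory and file names are invented for the demonstration.

```python
"""Deterministic re-enactment of the scan-then-delete race (added example).

Constructed layout under a fresh temporary directory:
    <root>/drop/payload.bin       file the scanner flags as malicious
    <root>/protected/payload.bin  stands in for an AV or OS file the attacker
                                  wants the privileged cleanup to remove

Between the scan and the cleanup, the "attacker" renames drop/ away and puts
a symlink named drop -> protected in its place. A cleanup that re-resolves
the string path deletes protected/payload.bin; a cleanup bound to the
directory descriptor captured at scan time still deletes the original sample.
"""
import os
import shutil
import stat
import tempfile
from dataclasses import dataclass

NAME = "payload.bin"  # same basename in both directories: that is the trick


def build_sandbox() -> str:
    root = tempfile.mkdtemp(prefix="avrace-")
    os.mkdir(os.path.join(root, "drop"))
    os.mkdir(os.path.join(root, "protected"))
    with open(os.path.join(root, "drop", NAME), "wb") as f:
        f.write(b"constructed sample: not real malware")
    with open(os.path.join(root, "protected", NAME), "wb") as f:
        f.write(b"constructed stand-in for a protected component")
    return root


def attacker_swap(root: str) -> None:
    """The attacker's move inside the window: swap the directory for a symlink."""
    drop = os.path.join(root, "drop")
    os.rename(drop, drop + ".real")
    os.symlink(os.path.join(root, "protected"), drop)


# --- vulnerable: the detection record is just a string path -----------------

def scan_by_path(dirpath: str, name: str) -> str:
    return os.path.join(dirpath, name)


def cleanup_by_path(record: str) -> None:
    os.unlink(record)  # re-resolves the path, so it follows the swapped symlink


# --- hardened: the record pins the directory inode and the file identity -----

@dataclass
class Detection:
    dirfd: int
    name: str
    dev: int
    ino: int


def scan_by_fd(dirpath: str, name: str) -> Detection:
    dirfd = os.open(dirpath, os.O_RDONLY | os.O_DIRECTORY)
    st = os.stat(name, dir_fd=dirfd, follow_symlinks=False)
    return Detection(dirfd, name, st.st_dev, st.st_ino)


def cleanup_by_fd(det: Detection) -> None:
    try:
        st = os.stat(det.name, dir_fd=det.dirfd, follow_symlinks=False)
        if stat.S_ISLNK(st.st_mode) or (st.st_dev, st.st_ino) != (det.dev, det.ino):
            raise RuntimeError("target changed since scan; refusing to delete")
        # unlinkat(dirfd, name): acts on the directory the fd already refers
        # to, whatever the path now resolves to, and never follows a symlink.
        os.unlink(det.name, dir_fd=det.dirfd)
    finally:
        os.close(det.dirfd)


def run_scenario(hardened: bool) -> dict:
    root = build_sandbox()
    drop = os.path.join(root, "drop")
    try:
        record = scan_by_fd(drop, NAME) if hardened else scan_by_path(drop, NAME)
        attacker_swap(root)  # happens in the scan -> cleanup window
        (cleanup_by_fd if hardened else cleanup_by_path)(record)
        return {
            "protected_survived": os.path.exists(os.path.join(root, "protected", NAME)),
            "sample_removed": not os.path.exists(os.path.join(root, "drop.real", NAME)),
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print("path-based cleanup: ", run_scenario(hardened=False))
    print("dirfd-based cleanup:", run_scenario(hardened=True))
```

With the path-based cleanup the protected file is gone and the sample survives; with the descriptor-based cleanup the sample is removed and the protected file is untouched. Holding the directory descriptor is what defeats the swap: renaming the directory does not change what the descriptor refers to, and the dev/inode comparison additionally refuses to act if the flagged file itself was replaced in the window. A real product would also need to drop privileges or impersonate the file owner for the delete where the platform allows it; that is not shown here.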

Below is the list of tested antivirus products from various vendors found to be vulnerable:

Linux

  • BitDefender GravityZone

  • Comodo Endpoint Security

  • Eset File Server Security

  • F-Secure Linux Security

  • Kaspersky Endpoint Security

  • McAfee Endpoint Security

  • Sophos Anti-Virus for Linux

Windows

  • Avast Free Anti-Virus

  • Avira Free Anti-Virus

  • BitDefender GravityZone

  • Comodo Endpoint Security

  • F-Secure Computer Protection

  • FireEye Endpoint Security

  • Intercept X (Sophos)

  • Kaspersky Endpoint Security

  • Malwarebytes for Windows

  • McAfee Endpoint Security

  • Panda Dome

  • Webroot Secure Anywhere

macOS

  • AVG

  • BitDefender Total Security

  • Eset Cyber Security

  • Kaspersky Internet Security

  • McAfee Total Protection

  • Microsoft Defender (BETA)

  • Norton Security

  • Sophos Home

  • Webroot Secure Anywhere

RACK911 Labs informed the affected antivirus vendors about the issue in 2018, and many of them have since released fixes.
