Skip to content
Search
  • There are no suggestions because the search field is empty.
Cancel
Get Started Now

    Security Awareness Training Blog

    Antivirus Software Doing The Complete Opposite And Spreading Malware

    Nicknamed AVGater by Austria-based security consultant Florian Bogner, he discovered an exploit within Antivirus software that takes advantage of the “restore from quarantine” function and allows a user to move a piece of malware from the quarantined folder to somewhere else on the victim’s computer, allowing the malware to be executed.

    Bogner, who works for Kapsch, says he has notified the vendors of all the antivirus programs that contained the flaw. Some of the companies have released updates that address the issue, including Emisoft, Ikarus, Kaspersky, Malwarebytes, Trend Micro, and ZoneAlarm.

    While penetration testing, Bognor infected clients’ PCs using a traditional phishing e-mail technique. The malware would then get quarantined by the AV program, and he would exploit vulnerabilities in the software that allowed unprivileged users to restore the quarantined files. Abusing a windows feature called NTFS file junction point allowed him to relay the file to a privileged directory of his choosing, such as a folder within C:\Program Files or C:\Windows. The method also abuses the Dynamic Link Library search order feature. The malware could then run with full privileges.

     
     
    The most significant limitation of AVGater is that it requires attackers to have physical access to a machine, but this could still be a big problem for shared computer environments.
     

    Bogner says the best way to prevent being affected by AVGater is to keep your antivirus programs up to date, which is always good advice. For enterprises users, he suggests removing the ability to restore files from quarantine.

    Does *your* antivirus protect you against Ransomware? 

    RanSimFalPos.pngWe’ve added three new test scenarios to our Ransomware Simulator "RanSim" making the total 13, giving you a quick look at the effectiveness of your existing endpoint protection against these additional nasty ransomware strains that are in the wild:
    • CitroniVariant - A specific scenario designed to simulate the distinct file encryption activity of Critroni/CBT ransomware.
    • Collaborator - An advanced scenario that spawns multiple processes to carry out encryption routines.
    • VirlockVariant - One of the more complex scenarios, designed to simulate a variant Virlock that uses watchdog processes to keep encryption processes restarted.
    RanSim will simulate 13 ransomware infection scenarios and show you if a workstation is vulnerable to infection. Here's how RanSim works:
    • 100% harmless simulation of a real ransomware infection
    • Does not use any of your own files
    • Tests 13 types of infection scenarios
    • Just download the install and run it
    • Results in a few minutes!
    RanSim has been downloaded thousands of times and run against dozens of AV products. The results have been an eye-opening experience for many IT pros. Download Your Complimentary Copy of RanSim.
    Download Now
    Don't like to click on redirected buttons? Cut&paste this link in your browser: https://info.knowbe4.com/ransomware-simulator-tool

     source: TechSpot

     

    Return To KnowBe4 Security Blog

    Topics: Antivirus

    Stu Sjouwerman

    ABOUT STU SJOUWERMAN

    Stu Sjouwerman (pronounced “shower-man”) is the founder and CEO of KnowBe4, Inc., which hosts the world’s most popular integrated security awareness training and simulated phishing platform, with over 54,000 organization customers and more than 50 million users. A serial entrepreneur and data security expert with 30 years in the IT industry, Stu was the co-founder of Inc. 500 company Sunbelt Software, a multiple award-winning anti-malware software company that was acquired in 2010.

    Read more from Stu »

    Subscribe to Our Blog


    Security Awareness Training
    Blog RSS Feed
    Comprehensive Anti-Phishing Guide
    All Posts

    Posts by Tag

    See all

    Posts By Topic

    View All

    Get the latest about social engineering

    Subscribe to CyberheistNews