Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security

Antivirus Software Could Make Your Company More Vulnerable (csoonline.com) 74

itwbennett writes: Since June, researchers have found and reported several dozen serious flaws in antivirus products from vendors such as Kaspersky Lab, ESET, Avast, AVG Technologies, Intel Security (formerly McAfee) and Malwarebytes. Many of those vulnerabilities would have allowed attackers to remotely execute malicious code on computers, to abuse the functionality of the antivirus products themselves, to gain higher privileges on compromised systems and even to defeat the anti-exploitation defenses of third-party applications. And evidence suggests that attacks against antivirus products are both possible and likely. Some researchers believe that such attacks have already occurred, even though antivirus vendors might not be aware of them because of the very small number of victims. Among the emails leaked last year from Italian surveillance firm Hacking Team there is a document with exploits offered for sale by an outfit called Vulnerabilities Brokerage International. The document lists various privilege escalation, information disclosure and detection bypassing exploits for multiple antivirus products, and also a remote code execution exploit for ESET NOD32 Antivirus with the status 'sold.'
This discussion has been archived. No new comments can be posted.

Antivirus Software Could Make Your Company More Vulnerable

Comments Filter:
  • on domestic computers. AVG in particular just seems to let malware through - advertising scams, mostly, although once it was ransomware.

    It's particularly annoying that I can't deactivate them to run other scanners to remove the crap they've allowed in. Anti-malware should NOT install and run under the SYSTEM account.

    • by Anonymous Coward

      I don;t think you understand. What you've seen is a failure to detect a particular virus. But, the story is talking about vulnerabilities in the antivirus software itself. So, AVG gets exploited and is then used to grant administrative access to a Windows system, something that would not have been possible if it wasn't for the weakness in the AVG agent and the fact that it runs with system level privileges.

      My suspicion is that, if you were affect by such a virus, you would never know it.

  • If I've read correctly (and tell me if I'm wrong, no doubt) but most of these latest vulns in the AV apps themselves were related to faulty or no-implementation of ASLR memory randomization and as such allow overflow and direct injection attacks into memory. All the major companies report it as a closed bug.

    Is there some other APT type attack going on that isn't mentioned in the original disclosures?

  • cost and benifit (Score:5, Insightful)

    by fermion ( 181285 ) on Saturday January 09, 2016 @04:33PM (#51269785) Homepage Journal
    I don't know if it is possible to have a MS Windows running on the internet without a anti virus software. So the question is not which AV software has vulnerabilities, as all software has this issue, but which provides significantly more protection than risk. Or if there is better way to protect MS Windows machines than AV software.
    • by gilgongo ( 57446 ) on Saturday January 09, 2016 @04:39PM (#51269803) Homepage Journal

      If it's any help (and if you're referring to desktop Windows computers behind standard domestic NAT-ed router/firewalls), then with the exception of WSE since it came out (WinVista?), I've *never* run anti-virus on any Windows installation in our 4-person home in over 20 years.

      About once a year I boot each machine from something like Trinity Rescue Disk and run a sweep using two or three different anti-virus packages. This might come up with perhaps one or two low-risk infections (usually Java), but that's it.

      I assume therefore that if the people using the machines are not in the habit of visiting certain types of website, and aren't inclines to open attachments they're not expecting, then all will be well.

      • by fred911 ( 83970 )

        Absolutely. I too have never ran any virus package on any of my machines starting from the days of Win 3 and winsock. I have never had an infected machine. I scan every six months and receive the same results.

        For button pushing users I support, the only packages I would trust were the packages distributed by Kaspersky or Panda. Everything else I've ever seen is excellent in the over use of your funds and resources.

        • I have had Antivirus packages installed for years but usually have it turned off and only turn it on to check a download that I'm particularly worried about. Running Noscript and Adblock seems to be enough to stop most viruses and malware so that the only ones that make it to my system are those that I download. Those are found when I check the download with an A/V. I think this would be true for most people so long as they are smart enough to not click on random links or trust all the spam they get in ema
      • As someone who used to support these users with infections I can tell you almost everyone of them had Norton, an expired av package, or no AV at all whatsoever.

        So I highly disagree. Though most had XP and 7 is much more secure by default. av software and adbkocking make a HUGE difference.

        Though today I now think ad blocking add ons are the best security on the planet! Ads are how malware gets on and being a sophisticated Slashdot user you do what most don't.

        FYI nod32 found a Trojan on Slashdot a few years a

      • by bmo ( 77928 )

        I assume therefore that if the people using the machines are not in the habit of visiting certain types of website,

        Which type of website would that be?

        Years ago, when Investor Village was still young, they had a problem with an advertiser serving up malware.

        Just the other day, Forbes was caught serving up malware in their ads after telling people to whitelist them.

        Various other web pages not affiliated with what you might call the "seedy underbelly" of the Internet have been caught serving up malware in the

    • Re:cost and benifit (Score:5, Interesting)

      by Frosty Piss ( 770223 ) * on Saturday January 09, 2016 @04:43PM (#51269817)

      I ran XP and later Win7 with nothing more than Microsoft Security Essentials, and never had an infection. Ran CCleaner and Malwarebytes regularly and never found a thing.

      • "and never had an infection"

        That you know of.

      • I was, at one time, tasked to incorporate CCleaner as a 'plugin' to an app I was working on.

        AFAIK, CCleaner does absolutely no virus checking. The version I was working on would 'clean up' your registry, temp directory, and a couple other spots, but not check for viruses per se.

        And having looked through what it purports to do in the way of registry element deletion, I would be exceptionally cautious about letting it run free. Some of the bits it wanted to clean up as unused were not unused/useless on the

    • Re: (Score:2, Interesting)

      by phantomfive ( 622387 )
      The problem with AV software is, it will only catch threats that are already known (and usually for vulnerabilities that are already patched).

      Think about it: if you were writing malware, wouldn't you test to make sure it could get past the major antivirus packages? That's just due diligence. If your QA didn't do that, you would fire them.

      And if that weren't bad enough, some of the Antiviruses are worse user experience than actually getting a virus......
    • by mark-t ( 151149 )
      Sure it's possible.... in practice, the vectors for infection when one is behind a strict enough firewall (external to windows, not the built-in windows firewall) are restricted to either social engineering or else less educated users downloading and running software from locations that a more educated user would probably realize was dubious anyways. The only antivirus you need at that point is a user that knows how to not get infected while using the 'net, and perhaps a periodic manual scan or two every
    • by DarkOx ( 621550 ) on Saturday January 09, 2016 @05:29PM (#51269979) Journal

      Yes its possible if you don't do stupid things and don't foul up Windows security. the vast majority of liabilities/vulnerabilities on modern Windows desktops arise directly from PBCAK (Person between chair and keyboard). I personally use a mixture of Slackware and OSX at home but I do security work and I can tell you if you are following the rules below on Windows 8 and later its very unlikely anyone is going to pop your box.

      [Stuff that comes out of box if you don't f**k it up]
      0) Have a strong password.
      1)Leave UAC enabled.
      2)Leave the windows firewall on and with recommended settings, even if you are behind NAT and or some other hardware firewall.
      3)Install updates promptly.
      4)Don't run things from sources you don't trust.
      4a) If you really must run stuff from untrusted sources have a separate user account to download and execute that stuff with that you do not use to handle any information you don't want public, and for goodness sake don't let it elevate.
      5) Do not install Flash
      6) Do not install the Java browser plugins.

      [Mostly painless things you can do to really harden windows boxen]
      7) Install EMET
      8) Install KB2871997 and disable wdigest

      [annoying but still a good practice]
      9) logoff (not just lock) your desktop when not in use. Optionally suspend or hibernate the system, instead.

      • PEBCAK (Problem exists between chair and keyboard).

        FTFY.

      • 3)Install updates promptly.

        4)Don't run things from sources you don't trust.

        Those two are mutually exclusive for Windows 7 users. I no longer trust Microsoft updates, thanks to the spyware that is Windows 10.

      • False.

        Most Trojans get on by ads from 3rd party networks visiting a website.

    • by jetkust ( 596906 )
      I can confirm that it is possible. Are you an AV salesman?
    • Passive AV software is about eliminating malware AFTER it has taken root on a system. Active AV injects itself into critical checkpoints. Microsoft, to their credit, has taken proactive steps to close the exploits that malware have used enter a system. Steps like including Flash player updates with Windows updates. Is it perfect? Of course not. But it's gone a long way to the point of making AV software the "low hanging fruit" of attack surfaces.
      I'll also echo what many have said - WSE and SPI Firewalls (
    • by KGIII ( 973947 )

      I did so, for quite some time actually, just to prove that it could be done. I still functioned - pretty much like normal, and had no known malware compromises. I had no resident AV but would scan once in while (with multiple non-resident apps like AVG and MBAM) and was fine. Don't download things from bad places, use a firewall, get thee behind a NAT, do not allow scripting to run as a general rule, and use least privilege practices.

      This is possible to do with Windows, albeit a bit tedious to set up and pr

  • Learned helplessness (Score:4, Interesting)

    by Anonymous Coward on Saturday January 09, 2016 @04:41PM (#51269813)

    The main vector for malware is people doing what computers tell them to do. Users have become so accustomed to oversight and "someone else" taking care of their computers that they feel they do need to "update their media player program", "install a codec" and "download this antivirus to remove the trojan horse" when their computer tells them to. That's what the pros do, right? Update and install something and then everything works. And Windows has a "security center" which lambasts the users with red exclamation marks until they download an antivirus, and now that website has found something and offers a free antivirus software. Phew, close one.

    Microsoft, Google, Apple, etc. need to stop their programs from telling people how to keep their computers safe. If you know how, then just do it. If you don't know, then what's the point in warning the users: They certainly won't know what to do. Either way, shut up about it. When the computer tells them it has a virus, then users must know that the message is not from someone who looks over them, but probably from someone who wants them to do something that they shouldn't do. "Install this" should instinctively sound exactly as dangerous as installing software off the internet is.

    • by Bert64 ( 520050 )

      The problem here is that traditional desktop systems are designed for people who understand what they're doing...

      Someone with no experience cannot be trusted to download software from the web and install it, if you search for any piece of software on virtually any search engine you will see many many sources to get the software from, many of which will be unofficial if not downright malicious.

      The same problem does not happen to typical users of ios, android or chromeos because these systems don't expect use

  • Not to mention the CPU and memory performance hit you take. Every antivirus tool probably has a missive database of every known virus, even from 20 years ago it's checking every file against (with any hope a file hash binary search). Norton's virus definition grew from like 25MB in 2008 to 220MB in 2013.

    I routinely pause my antivirus when copying tons of files around or when installing known to be good stuff. As soon as I pause the scanner everything speeds up. even if you have a quad core, every file has t

    • Every antivirus tool probably has a missive database of every known virus, even from 20 years ago it's checking every file against (with any hope a file hash binary search).

      Could you please replete that?

    • by DarkOx ( 621550 )

      Every antivirus tool probably has a missive database of every known virus, even from 20 years ago it's checking every file against (with any hope a file hash binary search). Norton's virus definition grew from like 25MB in 2008 to 220MB in 2013

      Don't count on that. I have personally seen some very old EOL systems NT4 and W2K boxes get infected with very old malicious software.

      People keep some of these system in service, the AV packages often still support them but... here the rub to keep those definition files reasonably sized Symantec and friends actually drop old definitions for things that depend on vulns not present in more recent platforms. So if don't count on your old Win2K box not suddenly getting CodeRed all over again, even with NAV ru

  • by Fencepost ( 107992 ) on Saturday January 09, 2016 @06:18PM (#51270177) Journal
    Introducing any new software onto a system has the potential to add increased attack vectors. In the case of antivirus software exploits may be easier to get to the right place because the software by definition is looking at all the traffic coming in, but you could just as easily look for vulnerabilities in network card driver stacks for widely-used network and wireless cards.

    At least with antivirus they're likely already getting updates regularly; the same can't be said for hardware drivers on a huge percentage of systems.
    • At least with antivirus they're likely already getting updates regularly

      Why do you think that? Won't most people try to run with their original, old version of the antivirus and hope that the package definitions keep getting updated?

      • Many (most?) antivirus packages check for program updates along with definition updates and will warn if there's an update available. Hardware driver updates on the other hand are the kind of thing that almost never get installed unless you know you have a problem and go looking for a solution.

        And as far as going without antivirus, it's a question of which is more of a concern - the things that may target the antivirus, or the things that may target the other parts of the system (browsers, maybe Flash still
  • It's quite certain that AV software flaws have been attacked by bad guys, but that hardly means that your company is *more* vulnerable with the software than without it. Any sufficiently complex software has vulnerabilities.

  • If its vital, use a typewriter, secure limited amounts of paper files and hold face to face meetings in a secure room with only trusted staff. Works well during policy creation. Use the internet to push out a final policy statement, not create policy over years, weeks via junk encryption.
    Learn about good quality encryption so that years of plain text data are not just sitting on fast internet facing servers.
    As for AV brands: The global reach and trust means they are getting reports back of bespoke 5 e
  • My company operates in a regulated industry (finance). We're forced to have AV software installed (including on Macs) in order to comply with the regs.

Keep up the good work! But please don't ask me to help.

Working...