Antivirus software could help malware infect your PC

Known as AVGater, the exploit was discovered by security consultant Florian Bogner. Bogner detailed his findings in a blog post late last week, explaining that the flaw comes from abusing the quarantine restore feature, a fundamental capability in most security packages.
When antivirus software finds a threat on your device, it usually moves the file into a quarantine store to stop it running. The file is not deleted outright, in case the detection was a false positive or the sample is needed for investigation. If you need to, you can restore the file from quarantine and put it back on your machine.
AVGater abuses this restore step to let a quarantined file come back anywhere on the computer. The restore is performed by the antivirus product's Windows service, which runs as the privileged SYSTEM account, so the file system ACLs that would normally stop a standard user writing to protected locations do not apply. An unprivileged user can redirect where the restore lands (Bogner's demonstrations do this with an NTFS directory junction in place of the file's original folder), so the file is silently dropped into a sensitive directory such as Program Files or System32, where it can later be loaded by privileged code.

AVGater lets malware escape antivirus quarantines. Image: Florian Bogner

“AVGater can be used to restore a previously quarantined file to any arbitrary filesystem location,” said Bogner. “This is possible because the restore process is most often carried out by the privileged AV Windows user mode service. Hence, file system ACLs can be circumvented (as they don’t really count for the SYSTEM user).”
The attack has one major limitation. It is a local privilege escalation, not a remote attack: the attacker must already be running code as a logged-in user, and that user must be allowed to restore files from quarantine. The risk of AVGater can therefore be reduced in enterprise environments by configuring the antivirus product so that standard users cannot recover quarantined files.
After discovering AVGater, Bogner reproduced the attack in products from Kaspersky Lab, Malwarebytes, Trend Micro, Emsisoft, Ikarus and Check Point's ZoneAlarm. All of these vendors have already released patches for their products. Additional, unnamed antivirus vendors are still working on fixes expected in the coming days. Users should install the updates as soon as they are available.
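As an added illustration (not Bogner's proof-of-concept or any vendor's code), the toy below models the quarantine and restore path in Python and puts the two restore routines side by side: one that writes straight through whatever path it recorded, and one that walks to the destination one directory at a time without following links. Bogner's write-up achieves the redirect with an NTFS directory junction; the example stands one in with a POSIX symlink and lets the current process stand in for the SYSTEM-level service, so it runs offline on Linux or macOS inside a temporary directory it creates itself. The directory names (Downloads, System32), the vault layout and the sample file are all constructed for the demo.

```python
"""Toy model of an AV quarantine vault and two restore routines.

Added illustration for this article; it is neither Florian Bogner's
proof-of-concept nor any vendor's code.  The NTFS directory junction used to
redirect the restore on Windows is modelled with a POSIX symlink, and the
"privileged service" is simply this process.  All files live in a temporary
directory constructed here, so the script is safe to run on Linux/macOS.
"""
import os
import shutil
import tempfile

# Open a directory without following a symlink/junction standing in its place.
O_DIR_NOFOLLOW = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW


class RestoreDenied(Exception):
    """Raised when the hardened restore refuses to write."""


def quarantine(path, vault):
    """Move a detected file into the vault and record its canonical origin."""
    origin = os.path.realpath(path)
    entry = os.path.join(vault, os.path.basename(origin))
    shutil.move(origin, entry)
    return {"vault_entry": entry, "origin": origin}


def restore_naive(record):
    """Vulnerable restore: writes straight through the recorded origin path.
    A junction/symlink planted in the parent chain is silently followed, and
    because the real service runs as SYSTEM the ACLs of the true destination
    do not stop it.  This is the primitive AVGater abuses."""
    origin = record["origin"]
    os.makedirs(os.path.dirname(origin), exist_ok=True)
    shutil.copyfile(record["vault_entry"], origin)
    return os.path.realpath(origin)


def restore_hardened(record):
    """Safer restore: walk to the origin's parent one component at a time,
    each opened with O_NOFOLLOW so no link is traversed, then create the file
    relative to that directory handle with O_EXCL|O_NOFOLLOW.  A component the
    user swapped for a link makes the walk fail instead of redirecting it."""
    parent, name = os.path.split(record["origin"])
    fd = os.open(os.sep, O_DIR_NOFOLLOW)
    try:
        for part in [p for p in parent.split(os.sep) if p]:
            try:
                nxt = os.open(part, O_DIR_NOFOLLOW, dir_fd=fd)
            except OSError as e:  # ELOOP for a symlink, ENOTDIR, ENOENT, ...
                raise RestoreDenied(f"refusing to traverse {part!r}: {e.strerror}") from e
            os.close(fd)
            fd = nxt
        try:
            out = os.open(name, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW,
                          0o644, dir_fd=fd)
        except OSError as e:
            raise RestoreDenied(f"refusing to create {name!r}: {e.strerror}") from e
        with open(out, "wb") as dst, open(record["vault_entry"], "rb") as src:
            shutil.copyfileobj(src, dst)
    finally:
        os.close(fd)
    return os.path.realpath(record["origin"])


def demo(plant_junction=True):
    """Quarantine a file from the user's directory, optionally let the user
    point its parent directory at a privileged one, then try both restores.
    Returns where the naive restore wrote and what the hardened one did."""
    root = os.path.realpath(tempfile.mkdtemp(prefix="avgater-"))
    vault = os.path.join(root, "quarantine")     # AV vault (SYSTEM-only in reality)
    system32 = os.path.join(root, "System32")    # stand-in for a dir users cannot write
    downloads = os.path.join(root, "Downloads")  # the user's own directory
    for d in (vault, system32, downloads):
        os.mkdir(d)
    payload = os.path.join(downloads, "evil.dll")
    with open(payload, "wb") as f:
        f.write(b"constructed sample; not real malware")
    record = quarantine(payload, vault)

    if plant_junction:
        # Unprivileged user: replace Downloads with a junction (here a symlink)
        # pointing at System32.  Neither step needs any privilege.
        os.rmdir(downloads)
        os.symlink(system32, downloads)

    naive_landed = restore_naive(record)
    os.remove(naive_landed)  # clean up so the hardened attempt starts fresh
    try:
        restore_hardened(record)
        hardened = "restored"
    except RestoreDenied as e:
        hardened = f"denied: {e}"
    shutil.rmtree(root)
    return {
        "naive_landed": naive_landed,
        "naive_escaped": naive_landed.startswith(system32 + os.sep),
        "hardened": hardened,
    }


if __name__ == "__main__":
    print(demo(plant_junction=True))
    print(demo(plant_junction=False))
```

Opening each component with O_NOFOLLOW is one way a service can refuse a redirected destination; another is to impersonate the requesting user for the duration of the restore so the destination's ACLs apply to that user rather than to SYSTEM. Neither replaces the policy mitigation of not letting standard users restore quarantined files at all, which is the option available to administrators before a vendor patch arrives.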