Hot on HuffPost Tech:

See More Stories
Free Switched iPhone app - try it now!
AOL Tech

Matousec report says your antivirus app is way too easy to exploit

Savvy Download Squad readers are already well aware of the fact that antivirus programs don't guarantee security. There's still one exploitable vector no program can do anything about: the end user. Regardless of how good a program is at protecting a system, a careless user can still wind up getting his or her machine infected.

Regardless, it's generally regarded as a bad idea to use a computer without antivirus and malware protection. But according to a report from Matousec, there's a very good chance your software isn't all that hard to exploit and cripple.

In the report, Matousec outlines a bait-and-switch style attack which works via the kernel mode drivers used by almost all Windows antivirus programs. 34 are listed in the report, including favorites like Avast 5, AVG 9, Avira 10, Eset Smart Security, and just about every other big name you can think of.

The post states that the list could easily have included pretty well all Windows antivirus apps, but they only had time to test so many. Interestingly enough, two very popular apps -- Microsoft Security Essentials and Live OneCare -- were not on the list. The post seems to indicate that every app they tested failed, but those are certainly big omissions. I'm much more interested to know how Microsoft's products would have fared than relatively obscure apps like Online Armor, PC Tools, Threatfire, and Security Shield.

Immunet's Alfred Huger informed me that their product does not use SSDT and operates outside the kernel -- so it's not vulnerable in this way.

Matousec's test systems were running Windows XP SP3 and Vista SP1, though they claim that the technique should work on all versions of Windows (including 7) and that x64 software is no safer than x86. However, Huger also told me "This attack [..] will not work (or should not work) under non-XP systems." BSODhook -- the tools Matousec developed to automatically find vulnerabilities -- failed to run on my Windows 7 x64 system, even with administrator permissions.

Tags: antivirus, exploit, hole, matousec, report, ssdt, vulnerability, weakness

Comments

7