Overclock.net › Forums › Industry News › Software News › [AT] How Antivirus Can Open You to Attacks That Otherwise Wouldn’t Be Possible

[AT] How Antivirus Can Open You to Attacks That Otherwise Wouldn’t Be Possible

post #1 of 22
Thread Starter 


https://arstechnica.com/information-technology/2017/11/how-av-can-open-you-to-attacks-that-otherwise-wouldnt-be-possible/
Quote:
Antivirus programs, in many cases, make us safer on the Internet. Other times, they open us to attacks that otherwise wouldn't be possible. On Friday, a researcher documented an example of the latter—a vulnerability he found in about a dozen name-brand AV programs that allows attackers who already have a toehold on a targeted computer to gain complete system control.

AVGater, as the researcher is calling the vulnerability, works by relocating malware already put into an AV quarantine folder to a location of the attacker's choosing. Attackers can exploit it by first getting a vulnerable AV program to quarantine a piece of malicious code and then moving it into a sensitive directory such as C:\Windows or C:\Program Files, which normally would be off-limits to the attacker.

So if you can't trust your own AV program anymore, what can you trust?

What one program has a near bulletproof track record of protection that no AV program can touch?

The solution is right here.
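The article's core point is that an AV's restore-from-quarantine step runs with high privilege while the destination is chosen by a low-privileged user. The following is an added illustration of the defender-side check such a step needs, not code from the article, the researcher, or any AV vendor; the protected-directory list, the "destination must stay inside the requesting user's profile" policy, and the `C:\Users\bob` sample paths are constructed assumptions.

```python
from pathlib import PureWindowsPath

# Constructed policy: directories a privileged restore step must never write into.
# Mirrors the article's examples of locations normally off-limits to the user.
PROTECTED_DIRS = (
    PureWindowsPath(r"C:\Windows"),
    PureWindowsPath(r"C:\Program Files"),
    PureWindowsPath(r"C:\Program Files (x86)"),
)


def is_under(path, root):
    """True if path equals root or lies beneath it (case-insensitive, as NTFS names are)."""
    p = [part.lower() for part in path.parts]
    r = [part.lower() for part in root.parts]
    return p[:len(r)] == r


def normalize(target):
    """Collapse '.' and '..' components so traversal cannot disguise the real destination."""
    path = PureWindowsPath(target)
    if not path.is_absolute() or not path.drive:
        raise ValueError(f"restore target must be an absolute drive path: {target!r}")
    parts = []
    for part in path.parts[1:]:      # parts[0] is the anchor, e.g. 'C:\\'
        if part == "..":
            if parts:
                parts.pop()
            continue
        parts.append(part)           # pathlib already drops lone '.' components
    return PureWindowsPath(path.anchor, *parts)


def restore_allowed(target, user_home):
    """Decide whether a privileged quarantine restore may write to `target`.

    The rule is the one the article implies a vulnerable AV was missing: the destination
    must be somewhere the requesting user could already write (here, the user's own
    profile) and never inside a protected system directory.
    """
    dest = normalize(target)
    home = normalize(user_home)
    if any(is_under(dest, d) for d in PROTECTED_DIRS):
        return False
    return is_under(dest, home)
```

This is pure path logic; a real restore routine must also apply the same rule to the final path as the filesystem resolves it, since string checks alone cannot see where a link points.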
post #2 of 22
But what if NoScript makes us vulnerabler, frickfrock? What if it lets the aliens into my computer?
post #3 of 22
Thread Starter 
Quote:
Originally Posted by CynicalUnicorn View Post

But what if NoScript makes us vulnerabler, frickfrock? What if it lets the aliens into my computer?

Noscript's powers are too great to be compromised.

You can't kill a God.
post #4 of 22
This seems a bit like the kind of unlikely daisy chain of events that needs to happen before any harm is done:

1. "allows attackers who already have a toehold on a targeted computer to gain complete system control." - the attacker needs to already have somehow gone past the malware scanner anyhow;

2. The user must have somehow gotten other malware on the computer that the scanner does identify;

3. The user must choose to put said identified malware in quarantine instead of simply deleting it.

In any case, it's good to know that six AV makers have already patched the hole and the others are on their way to do so.
post #5 of 22
Thread Starter 
Quote:
Originally Posted by tpi2007 View Post

This seems a bit like the kind of unlikely daisy chain of events that needs to happen before any harm is done:

1.
3. The user must choose to put said identified malware in quarantine instead of simply deleting it.

A lot of AV programs I've used quarantine by default unless you specify to delete afterwards. It's surprisingly common, I know MSE does.

I don't really understand it myself, I think it has to do with making sure it doesn't delete a critical system file.
post #6 of 22
Quote:
Originally Posted by frickfrock999 View Post

Quote:
Originally Posted by tpi2007 View Post

This seems a bit like the kind of unlikely daisy chain of events that needs to happen before any harm is done:

1.
3. The user must choose to put said identified malware in quarantine instead of simply deleting it.

A lot of AV programs I've used quarantine by default unless you specify to delete afterwards. It's surprisingly common, I know MSE does.

I don't really understand it myself, I think it has to do with making sure it doesn't delete a critical system file.

I've got mine set to ask me (I think it was on by default as it's the first option on the list).
post #7 of 22
How do you guys browse the web with NoScript? I've tried using it and it literally can't even open a single web page. So I had to turn it off. Sure you can enable it for a website you "trust" but then why have it at all at that point?

Malwarebytes seems to have done me well over the years. Only wish I could have gotten more lifetime subscriptions back when I still had the chance.
post #8 of 22
Quote:
Originally Posted by IMI4tth3w View Post

How do you guys browse the web with NoScript? I've tried using it and it literally can't even open a single web page. So I had to turn it off. Sure you can enable it for a website you "trust" but then why have it at all at that point?
Because you can trust only the domains needed to display the content you want. It's not the domains on which the site you usually want to visit is that will infect you.

To me, the question is, conversely, how do YOU navigate the web withOUT noscript or scriptsafe (for Chrome)?

If you set either up well enough and know how to use them, it'll keep you much safer than MalwareBytes. Prevention > treatment.
post #9 of 22
Quote:
Originally Posted by frickfrock999 View Post

Noscript's powers are too great to be compromised.

You can't kill a God.

I am pretty sure mankind has proven this to be wrong. LOL
post #10 of 22
Very childish article since "running a program" opens you to attacks that you otherwise would not be exposed to.

How many times was sol.exe infected in the early to mid 90s?