
[AT] How Antivirus Can Open You to Attacks That Otherwise Wouldn’t Be Possible

1.7K views 21 replies 15 participants last post by Diablosbud
#1 ·


https://arstechnica.com/information-technology/2017/11/how-av-can-open-you-to-attacks-that-otherwise-wouldnt-be-possible/
Quote:
Antivirus programs, in many cases, make us safer on the Internet. Other times, they open us to attacks that otherwise wouldn't be possible. On Friday, a researcher documented an example of the latter: a vulnerability he found in about a dozen name-brand AV programs that allows attackers who already have a toehold on a targeted computer to gain complete system control.

AVGater, as the researcher is calling the vulnerability, works by relocating malware already put into an AV quarantine folder to a location of the attacker's choosing. Attackers can exploit it by first getting a vulnerable AV program to quarantine a piece of malicious code and then moving it into a sensitive directory such as C:\Windows or C:\Program Files, which normally would be off-limits to the attacker.
So if you can't trust your own AV program anymore, what can you trust?

What one program has a near bullet proof track record of protection that no AV program can touch?
The solution is right here.
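The quoted article says AVGater works by getting a quarantined file restored somewhere the attacker could not normally write. As an added illustration (not code from the article, the researcher, or any AV vendor), here is the kind of restore-time check a quarantine manager can apply: it re-validates the recorded original path when the file is written back, refusing if any directory on that path has become a link or if the resolved destination lands inside a protected tree. The directory layout, the "protected" tree standing in for C:\Windows, and the link on the restore path are all constructed for the demo.

```python
import os
import tempfile


def is_within(path: str, root: str) -> bool:
    """True if the fully resolved path lies under the resolved root."""
    path, root = os.path.realpath(path), os.path.realpath(root)
    return os.path.commonpath([path, root]) == root


def restore_decision(original_path, user_root, protected_roots):
    """Decide whether a quarantined file may be written back to original_path.

    Returns (allowed, reason). The path recorded at quarantine time is checked
    again at restore time, because a directory on it may since have been
    replaced by a link pointing somewhere privileged."""
    ancestor = os.path.dirname(original_path)
    while ancestor and ancestor != os.path.dirname(ancestor):
        if os.path.islink(ancestor):
            return False, f"ancestor {ancestor} is a link"
        ancestor = os.path.dirname(ancestor)
    resolved = os.path.realpath(original_path)
    for root in protected_roots:
        if is_within(resolved, root):
            return False, f"resolves into protected root {root}"
    if not is_within(resolved, user_root):
        return False, "resolves outside the user's own area"
    return True, "ok"


def demo() -> dict:
    """Constructed layout (hypothetical): a user area plus a 'protected' tree
    standing in for C:\\Windows; user/redirect is a link into that tree."""
    base = tempfile.mkdtemp()
    user = os.path.join(base, "user")
    protected = os.path.join(base, "protected")
    os.makedirs(os.path.join(user, "downloads"))
    os.makedirs(protected)
    os.symlink(protected, os.path.join(user, "redirect"))
    honest = os.path.join(user, "downloads", "sample.bin")
    hijacked = os.path.join(user, "redirect", "sample.bin")
    return {
        "honest": restore_decision(honest, user, [protected])[0],
        "hijacked": restore_decision(hijacked, user, [protected])[0],
    }


if __name__ == "__main__":
    print(demo())
```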
 
#4 ·
This seems a bit like the kind of unlikely daisy chain of events that needs to happen before any harm is done:

1. "allows attackers who already have a toehold on a targeted computer to gain complete system control." - the attacker needs to already have somehow gone past the malware scanner anyhow;

2. The user must have somehow gotten other malware on the computer that the scanner does identify;

3. The user must choose to put said identified malware in quarantine instead of simply deleting it.

In any case, it's good to know that six AV makers have already patched the hole and the others are on their way to do so.
 
#5 ·
Quote:
Originally Posted by tpi2007 View Post

This seems a bit like the kind of unlikely daisy chain of events that needs to happen before any harm is done:

1.
3. The user must choose to put said identified malware in quarantine instead of simply deleting it.
A lot of AV programs I've used quarantine by default unless you specify to delete afterwards. It's surprisingly common; I know MSE does.

I don't really understand it myself, I think it has to do with making sure it doesn't delete a critical system file.
 
#6 ·
Quote:
Originally Posted by frickfrock999 View Post

Quote:
Originally Posted by tpi2007 View Post

This seems a bit like the kind of unlikely daisy chain of events that needs to happen before any harm is done:

1.
3. The user must choose to put said identified malware in quarantine instead of simply deleting it.
A lot of AV programs I've used quarantine by default unless you specify to delete afterwards. It's surprisingly common; I know MSE does.

I don't really understand it myself, I think it has to do with making sure it doesn't delete a critical system file.
I've got mine set to ask me (I think it was on by default as it's the first option on the list).
 
#7 ·
How do you guys browse the web with NoScript? I've tried using it and it literally can't even open a single web page. So I had to turn it off. Sure you can enable it for a website you "trust", but then why have it at all at that point?

Malwarebytes seems to have done me well over the years. Only wish I could have gotten more lifetime subscriptions back when I still had the chance.
 
#8 ·
Quote:
Originally Posted by IMI4tth3w View Post

How do you guys browse the web with NoScript? I've tried using it and it literally can't even open a single web page. So I had to turn it off. Sure you can enable it for a website you "trust", but then why have it at all at that point?
Because you can trust only the domains needed to display the content you want. It's not the domains on which the site you usually want to visit is that will infect you.

To me, the question is, conversely, how do YOU navigate the web withOUT NoScript or ScriptSafe (for Chrome)?

If you set either up well enough and know how to use them, it'll keep you much safer than MalwareBytes. Prevention > treatment.
 
#9 ·
Quote:
Originally Posted by frickfrock999 View Post

NoScript's powers are too great to be compromised.

You can't kill a God.
I am pretty sure mankind has proven this to be wrong. LOL
 
#12 ·
Quote:
Originally Posted by IMI4tth3w View Post

How do you guys browse the web with NoScript? I've tried using it and it literally can't even open a single web page. So I had to turn it off. Sure you can enable it for a website you "trust", but then why have it at all at that point?

Malwarebytes seems to have done me well over the years. Only wish I could have gotten more lifetime subscriptions back when I still had the chance.
Exactly what ToTheSun! said. It takes a bit to set up, but you do it one script at a time. E.g., here on OCN I have huddler, overclock.net, yahooapis, google tag services, and google analytics allowed. That's it. Often, you'll only need one script for sites to function. Some sites like Instagram that take 50-some-odd scripts probably aren't worth viewing.

Also, I run 2 browsers. One with NoScript, and one that is a compatibility browser, for when I'm shopping or doing school stuff and I don't want NoScript stopping something important.
 
#15 ·
Quote:
Originally Posted by ToTheSun! View Post

Because you can trust only the domains needed to display the content you want. It's not the domains on which the site you usually want to visit is that will infect you.

To me, the question is, conversely, how do YOU navigate the web withOUT NoScript or ScriptSafe (for Chrome)?

If you set either up well enough and know how to use them, it'll keep you much safer than MalwareBytes. Prevention > treatment.
Malwarebytes + AdGuard Premium.
But yes I can agree that Malwarebytes alone is simply not enough, especially when connecting to certain Russian sites shall we say.

Quote:
Originally Posted by IMI4tth3w View Post

How do you guys browse the web with NoScript? I've tried using it and it literally can't even open a single web page. So I had to turn it off. Sure you can enable it for a website you "trust", but then why have it at all at that point?

Malwarebytes seems to have done me well over the years. Only wish I could have gotten more lifetime subscriptions back when I still had the chance.
They can still be found on eBay if you're willing to pay the price. (e.g. here's one)
 
#17 ·
Quote:
Originally Posted by IMI4tth3w View Post

How do you guys browse the web with NoScript? I've tried using it and it literally can't even open a single web page. So I had to turn it off. Sure you can enable it for a website you "trust", but then why have it at all at that point?

Malwarebytes seems to have done me well over the years. Only wish I could have gotten more lifetime subscriptions back when I still had the chance.
If I get to a website that doesn't function with NoScript running, I question whether I really want to see whatever their website shows anyways. If the answer is yes, then I'll temporarily allow the main top site in question. If it still doesn't function after that, then I seriously question whether they're worth my time. If the scum want to risk my computer all so they can harvest personal data about me and shove lies and ads in my face that I'm not going to fall for anyways, then they can eat dirt and I don't need to see their garbage website anyways. If I'm trying to buy a product and they can't even make their website function correctly without a billion scripts running, then I don't want their trash product anyways.

Websites like Newegg are a good example. You can get most functionality by just allowing newegg.com (.ca), but there are a few extra scripts in there to allow things like pictures of products or the review blurbs. For a site I really want to check out and I know is probably safe, like Newegg, I'll grant allowances to different scripts until the website functions correctly. But I still don't see a need to allow garbage like AdSense or whatever. Or Amazon: allowing amazon.ca works fine, but if I want to get the mouseover close-up view of products, there's another script in there that needs to be allowed.

A major website like Amazon can have like 15 or 20 different scripts all told, but you only need to allow a handful to get the website to function. It can be a chore to dig through them all to find the ones that you need, but so be it.

And for things like doing job-related orientations online at places like Shell's website, where having NoScript running will just screw everything up, I have a clean and basic Chrome that I can fire up without any add-ons, that I use for very specific and limited instances where I "know" I'm safe.
 
#18 ·
Quote:
Originally Posted by SpankyMcFlych View Post

If I get to a website that doesn't function with NoScript running, I question whether I really want to see whatever their website shows anyways. If the answer is yes, then I'll temporarily allow the main top site in question. If it still doesn't function after that, then I seriously question whether they're worth my time. If the scum want to risk my computer all so they can harvest personal data about me and shove lies and ads in my face that I'm not going to fall for anyways, then they can eat dirt and I don't need to see their garbage website anyways. If I'm trying to buy a product and they can't even make their website function correctly without a billion scripts running, then I don't want their trash product anyways.

Websites like Newegg are a good example. You can get most functionality by just allowing newegg.com (.ca), but there are a few extra scripts in there to allow things like pictures of products or the review blurbs. For a site I really want to check out and I know is probably safe, like Newegg, I'll grant allowances to different scripts until the website functions correctly. But I still don't see a need to allow garbage like AdSense or whatever. Or Amazon: allowing amazon.ca works fine, but if I want to get the mouseover close-up view of products, there's another script in there that needs to be allowed.

A major website like Amazon can have like 15 or 20 different scripts all told, but you only need to allow a handful to get the website to function. It can be a chore to dig through them all to find the ones that you need, but so be it.

And for things like doing job-related orientations online at places like Shell's website, where having NoScript running will just screw everything up, I have a clean and basic Chrome that I can fire up without any add-ons, that I use for very specific and limited instances where I "know" I'm safe.
Holy crap. My thought process is 100% the same, I just didn't want to write it all out. Thank you for saving me the effort.

Forbes is a perfect example of garbage not worth viewing.

Same on the Chrome front too.
 
#19 ·
Holy hell, Forbes is nigh unviewable without an adblocker of some sort. It's the poster child for why adblockers exist in the first place. ExtremeTech is another good example of ads gone haywire.

That said, AdGuard does a wonderful job of keeping them all at bay and making the sites readable again.
 
#20 ·
The ad scripts are mostly for detecting that the ones viewing it are users instead of bot scripts ramping up the view count.
But sometimes a dubious ad provider also side-loads other scripts to make the ads more "obvious".
 
#21 ·
I feel like this is said to death in just about every thread dealing with AV software, but I don't feel the need to use any. I just use my head when it comes to stuff, like using an adblocker and NoScript, and not downloading sketchy stuff. Haven't had a virus in years.
 
#22 ·
I delete anything that goes into my quarantine (assuming it's not something legitimate). Who would win: genius security researcher or my OCD of immediately deleting malware? Obviously there are other potential security holes in AVs, but this one only seems to affect those who don't care.

Edit: Oh, I see, it would be restored automatically. Should've read more carefully. Still, that gives you a massive head start in removing the malware (knowing it exists on your system).