A zero-day attack called Double Agent can take over antivirus software on Windows machines and turn it into malware that encrypts files for ransom, exfiltrates data or formats the hard drives. Alex Mathews, lead security evangelist at Positive Technologies commented below.
Alex Mathews, Lead Security Evangelist at Positive Technologies:
“Many people do not consider antivirus tools to be a threat. However, as with any complicated programs, antiviruses are inherently vulnerable. Because antivirus processes are trusted and run in privileged mode with extensive access right, they have become an appealing target for attackers, as their exploitation can lead to system compromise. The swelling numbers of exploits found and published in exploit-db and other resources indicate that this is a growing problem.
“Despite its vulnerabilities, we cannot completely abandon the use of antivirus software, so we need to learn how to protect it. An effective protection system should demonstrate detection accuracy and risk minimization.
“For example, scanning performed by several antivirus engines significantly increases accuracy and speed of threat detection. Some online services like VirusTotal can rise to the challenge but require uploading your files, which could lead to info leakage to third parties. It makes sense to perform such scans on a local server, which eliminates any involvement of outsider applications.
“In addition, security risks may be mitigated if all suspicious files are examined in an isolated and secure environment. We should understand that modern malicious software is able to analyze a target environment and either bypass sandboxes or stay hidden. That is why it is recommended to employ honeypots as they mimic the real system making it easy to observe malicious behaviour for a prolonged period of time without being noticed.
“However, even after malware is detected, an antivirus is not able to trace back all the objects that were affected by it. This means that a security system should support forensic analysis functionality.”
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.