Vulnerability in Antivirus Products Allows Privilege Escalation
Numerous antivirus products are affected by a vulnerability, dubbed AVGater, that allows a local threat actor to abuse the “restore from quarantine” function to move previously detected malware into sensitive areas of the affected user’s operating system, giving the perpetrator boot persistence and elevated privileges. All vendors of the tested antivirus products were notified of this vulnerability, and some have already issued software updates, including Trend Micro, Emsisoft, Malwarebytes, Ikarus, and ZoneAlarm. Other affected vendors have stated their intent to release software updates in the near future.

The NJCCIC recommends that all users and administrators of the affected antivirus products review security auditor Florian Bogner’s research, update their software immediately, and, in enterprise environments, implement controls that prevent non-administrative users from restoring files from quarantine. We also remind all users to keep their antivirus products updated and running at all times.