In a Colossal Irony, Popular Antivirus Programs Are Themselves Vulnerable to Breach


Malicious programs commonly use more benign applications as a vector for their attacks. A destructive variant of BlackEnergy, for example, infected users’ computers by exploiting vulnerabilities in MS Word. RawPOS disguises itself as an unassuming Windows process. Other programs might make use of your browser, your email client, and so on. All of these potential intrusions, you might think, can be mitigated by the endpoint protection client running on your desktop—but what if that program could also be used against you?

As it turns out, popular antivirus programs are themselves vulnerable to attack. Widely used enterprise endpoint protection products from Symantec have been found to contain high-severity vulnerabilities that could allow an attacker to take control of a user’s system—without requiring any interaction from the user.

A Mechanism for Infection

Here’s how it works: In order to defend endpoints, Symantec scans all incoming and outgoing traffic from a particular system. In an ideal world, Symantec sees the user receive an email, recognizes that as incoming traffic, scans it, recognizes a malware binary, and quarantines it. If that malware is designed to take advantage of the Symantec vulnerability, however, something different happens.

Malware is usually packed or encrypted to hide its signature, so to recognize it, Symantec must partially unpack the compressed file inside an emulator. Herein lies the problem—Symantec performs that unpacking inside the operating system kernel, so a flaw in the unpacker becomes a flaw in the kernel. A proof-of-concept was able to take advantage of this with a buffer overflow and gain control of the system. Again, since all I/O traffic is scanned automatically, users wouldn’t have to open an infected email or click on a suspect link in order to be exposed.
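The failure described above is a length field taken from attacker-supplied packed data and trusted while writing into a fixed buffer. The following is an added illustration, not Symantec’s code or any real packer format: a constructed run-length format, a bounded user-space unpacker, and a comment marking the check whose absence produces the overflow.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Toy packed format (constructed for this example, not a real packer):
 * a stream of (count, value) byte pairs, each expanding to 'count'
 * copies of 'value'. The scanner's unpacker writes into a fixed
 * output buffer of OUT_CAP bytes. */
#define OUT_CAP 64

/* Returns the number of bytes produced, or -1 if the input is
 * malformed (truncated pair) or would overrun the output buffer. */
int unpack_rle_bounded(const uint8_t *in, size_t in_len,
                       uint8_t *out, size_t out_cap)
{
    size_t pos = 0;
    if (in_len % 2 != 0)               /* truncated (count, value) pair */
        return -1;
    for (size_t i = 0; i < in_len; i += 2) {
        size_t count = in[i];
        uint8_t value = in[i + 1];
        /* This is the check a vulnerable unpacker omits: 'count' comes
         * from the file, so it must be bounded by the room left in
         * 'out' before any write. Without it, memset runs past the
         * buffer, which in a kernel-resident scanner corrupts the kernel. */
        if (count > out_cap - pos)
            return -1;
        memset(out + pos, value, count);
        pos += count;
    }
    return (int)pos;
}

/* Constructed samples: a valid stream, one whose runs exceed OUT_CAP,
 * and one cut off mid-pair. */
static const uint8_t SAMPLE_GOOD[]    = { 3, 'A', 2, 'B' };   /* "AAABB" */
static const uint8_t SAMPLE_OVERRUN[] = { 60, 'A', 10, 'B' }; /* 70 > 64 */
static const uint8_t SAMPLE_TRUNC[]   = { 3 };

/* Unpack a sample into a fixed buffer; returns length or -1. */
int demo_unpack(const uint8_t *in, size_t in_len)
{
    uint8_t buf[OUT_CAP];
    return unpack_rle_bounded(in, in_len, buf, OUT_CAP);
}

/* Returns 1 if the good sample decodes to exactly "AAABB". */
int demo_good_matches(void)
{
    uint8_t buf[OUT_CAP];
    int n = unpack_rle_bounded(SAMPLE_GOOD, sizeof SAMPLE_GOOD, buf, OUT_CAP);
    return n == 5 && memcmp(buf, "AAABB", 5) == 0;
}
```

The same bounds check applies to any scanner that expands attacker-controlled input, and it matters most when the unpacker runs with kernel privileges.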

But Wait, There’s More!

Similar vulnerabilities have been traced to several other antivirus programs that rely on emulators to unpack suspicious code. Whenever an antivirus program unpacks potentially malicious software without sufficient isolation, there’s a chance for that software to corrupt the OS and take over. What’s more, although the affected Symantec products were patched immediately, some products require those patches to be applied manually. This greatly increases the risk that an unpatched system will eventually become a vector for a threat.

How to Guarantee Immunity

SentinelOne’s Endpoint Protection Platform does not rely on an emulator that unpacks code to recognize malware. Our behavioral recognition engine instead taps all of a system’s underlying processes and scores them according to their potential for risk. Once a certain risk threshold is exceeded, the process and its associated program are flagged as malicious, and a number of actions are automatically taken to roll back any potentially dangerous changes and identify the “Patient Zero” endpoint for forensic analysis.

To learn more about SentinelOne and how its dynamic behavioral detection techniques can help secure your endpoints, check out our Next Generation Endpoint Protection Buyer’s Guide.