Most Antivirus Not Secure, Exploitable: Report

By Brandon Dimmel

For many users, installing antivirus software is one of the first things to do after purchasing a new computer. But one security researcher suggests that today's antivirus programs are anything but effective; in fact, he claims many antivirus programs are filled with security flaws.

Fourteen Antivirus Products Vulnerable, Researcher Claims

Joxean Koret is a researcher at COSEINC, a Singapore-based security firm. Over the past year, he's carefully analyzed a wide range of antivirus products in search of security vulnerabilities.

Earlier this month Koret presented his findings at the SyScan 360 security conference held in Beijing, China. In that presentation, Koret said that he found dozens of serious security flaws that could be exploited both remotely and locally. In total, Koret says that 14 of the antivirus products he examined were riddled with these vulnerabilities.

Koret says that because antivirus engines run with the highest privileges on a system, exploiting them can give third parties (such as hackers) full system access to do as they please. In essence, hacking an antivirus program can give an attacker access to the most sensitive parts of a system.

Koret also noted that too many antivirus vendors fail to digitally sign their virus definitions and updates, or to deliver them over encrypted web (HTTPS) connections. Either omission can allow a hacker to execute a man-in-the-middle attack, injecting malicious files during an update.

Koret's list of vulnerable antivirus products is a long one. In his SyScan presentation, he pointed to serious security flaws in products from Panda Security, Bitdefender, Kaspersky Lab, ESET, Sophos, Comodo, AVG, IKARUS Security Software, Doctor Web, MicroWorld Technologies, BKAV, Fortinet, ClamAV, Avira, Avast, F-Prot and F-Secure. (Source: tomsguide.com)

Koret admitted that he had not told all of these firms about his findings because he feels these firms should be regularly auditing their own programs to find vulnerabilities.

IT Admins Should Evaluate Antivirus Software Before Deploying

Carsten Eiram, chief research officer at security firm Risk Based Security, says he examined Koret's presentation and felt the COSEINC researcher's findings made sense. However, Eiram said people shouldn't assume that antivirus programs are useless; instead, he feels Koret's findings should prompt IT administrators to more carefully evaluate antivirus products before deploying them.

"I won't go to the extent to say that AV software is pointless," Eiram said. "However, system administrators should carefully select which security products they buy as well as which features are enabled -- especially when it comes to content inspection." (Source: pcworld.com)

Koret's presentation is available in PDF form.

What's Your Opinion?

Do you feel confident in the antivirus product installed on your system? Do you have an antivirus subscription or do you use a free service, like Microsoft Security Essentials, Avast!, or Grisoft AVG? Has your system ever been infected with malware, even though you had antivirus software installed?


Comments

bigjohnt wrote:

The researcher that is quoted is not at all qualified to comment on anti-malware products. (tomsguide.com)

DavidFB wrote:

This was a test of Linux AV, if you bother to review the presentation. It was also not a systematic review of popular products but rather what was "available" for that platform.

While he makes some good points, I'm sure many of the Linux versions are less polished. It's also clear that the products he notified addressed concerns. But he didn't bother to notify them all yet announces his results to the world and thus the hacker community. The presenter himself is thus unprofessional and contributing to the problem.

I'm finding the quality of articles on this site has been deteriorating. Some, like this one, are more like a gossip column with inflammatory headlines that can mislead people.

AV programs may not be perfect but going without would be a stupid idea. I doubt system administrators would take this seriously. Of course they review and test.

Dennis Faas wrote:

I did bother to read (not skim) all 90 pages, and while the author does mention using Linux as his test platform, he very specifically mentions DLLs, EXE and RAR files and Windows Registry keys in his report - none of which are part of Linux. So, to say that this report is only about Linux antivirus is wrong. There are also screen captures referencing MS Windows processes. MS Windows specifics start at page 31 and carry on all the way through to page 76. Pages 76-83 focus specifically on Linux.

Quote:

On page 14: "I downloaded all the AV engines with a Linux version I was able to find. The core is always the same with the only exception of some heuristic engines. I also used some tricks to run Windows only AV engines in Linux." (It's possible his reference to 'core' means cross-platform, meaning that most Antivirus engines operate similarly regardless of operating system. I'm no antivirus expert, but imagine that would be the case).

On page 87 'recommendations' he suggests running antivirus tests in an emulator or virtual machine - which is most likely why he chose to do his testing under Linux. It's much more secure than Windows. Quote: "[Always] run dangerous code under an emulator, vm or, at the very least, in a sandbox."

al wrote:

Antivirus companies make bold claims like 'fully protected'. It should be illegal to make a claim which is not delivered. How are we to know whether a popup message from our antivirus program saying 'do you give so and so permission to do such and such' is bona fide or not? We should not be bothered with the decision; this is what we are paying for, often quite handsomely, that it will make the intelligent decision for us because we are not the expert. Older people especially can get extremely stressed about these things, even to the point of tears. We need to be able to trust and not worry. This is why so many wealthier people take the Mac route, which is less vulnerable.

When antivirus fails to deliver upon its promise, and causes us some time and trouble, do we have recourse for compensation, plus damages considering the inconvenience and lack of our ability to function properly during the down-time? I guess they reckon the 50 or 100 dollars it cost us is not worth our while fighting for, so the lies continue, as such bold claims are good for bringing in business.

Finally, is this a Microsoft conspiracy? Did they make Windows vulnerable on purpose and have a deal with some of the antivirus firms, or did the law even enforce it to give 'fair competition', which also goes for some of the basic Windows functions which seem to be lacking on purpose to make you want to buy something stronger? It's all about money with the big businesses, but it causes us the punters a huge amount of wasted time and stress, and the end result is that it eats away at the performance and output of the average punter. I feel robbed and cheated by all this antivirus and incomplete operating system fiasco for all these years. Bill Gates has a lot to answer for in my opinion, even if he has made an effort to put profits into good causes; in my opinion that should have been our decision, not that of the controller of hugely overpriced and under-delivering software monopolies. [Operating systems are categorised as software in that example.]

I hugely begrudge the many scores of hours of my life over the last 20 years, often into the early hours, getting very tired upkeeping vulnerable systems which continually need repairing and updating. Not as bad now as it used to be, but still I find the level of potential vulnerabilities grossly unsatisfactory. Having said that, my current combination of Malwarebytes Pro and Webroot seems to keep things clear and smooth, together with an anti-keylogger and the bank-supported Rapport software, but now we hear that the very things we use to defend ourselves could be the key which is used against us, rather like buying expensive locks, giving your keys to your kids and the kids leaving the keys lying around. It's a stressful world. What is the answer... we buy Macs?

gi7omy wrote:

Are you really that naive as to believe that Macs are magically virus proof by nature?

As anyone in the computer business will tell you, the one and only reason that Macs don't have much of a problem with viruses is that their market share is so small as to make them virtually invisible in the greater scheme of things. They are as vulnerable to a virus as any Windows machine. If they became more popular (well, that's a long way off unless Apple reduce the extortionate price on them) then there will be an increase in viruses aimed at them.

gilh wrote:

I jumped to the end of the 90 pages.

Not much there for AV users.
Hope we see some followup on where we can go for AV.