Check whether your antivirus is vulnerable to exploitable RWX addresses


Batu69

AV Vulnerability Checker is a free program for Windows that determines whether antivirus software installed on the computer is vulnerable to exploitable constant Read-Write-Execute (RWX) addresses.

Vulnerabilities are bad, regardless of whether they are found in the operating system or programs running on it. One of the worst kinds affects security software, programs that are designed to protect the system from attacks.

Ensilo, the company behind the product of the same name that "offers a real-time exfiltration prevention platform against advanced targeted attacks", revealed the security vulnerability that is affecting various antivirus products in a recent blog post.

It discovered the vulnerability while investigating a collision of the company's own enSilo product with AVG antivirus software.

Vulnerable anti-virus solutions "allocate a memory page with Read, Write, Execute permissions at a constant predictable address" for various user-mode processes, including those of web browsers or Adobe Reader.

The vulnerability enables attackers to bypass certain Windows mitigations against exploits, for instance ASLR or DEP, since the attacker knows where to write and run code.

The company found the vulnerability in several antivirus products including McAfee Virus Scan for Enterprise version 8.8, Kaspersky Total Security 2015 and AVG Internet Security 2015.

Both AVG and McAfee appear to have fixed the issue in recent updates already.

Ensilo released a program for Windows that tests other antivirus solutions for the vulnerability. The tool is available on GitHub.

  1. Click on download on GitHub and download the archive to the local system.
  2. Extract the archive afterwards to a local directory.
  3. Run AVulnerabilityChecker.exe.

The program tests the vulnerability using web browsers on the system. For it to work, you need to have a web browser open, and close it when the program requests you to do it.

Then you need to restart the web browser and open at least two new tabs in it. The program will then check whether the vulnerability can be exploited on the system.

Any memory region that exists in both scans is likely predictable and the program indicates this by listing those addresses and processes.

What it won't do is reveal the security solution that is vulnerable to the attack. The researchers suggest that you use a debugger to find that out, but if that sounds too complicated, you may want to disable security software instead and re-run the tests to find the culprit or culprits this way.

If you find out that a product that you run is vulnerable, there is little that you can do about it. After making sure that it is up to date, you may inform the developer of the program about the vulnerability.

Article source


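The comparison the article describes (RWX regions that appear at the same address in the scans taken before and after the browser restart), written out as an added example. It is not enSilo's code; the struct layout, process names and addresses are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define PAGE_EXECUTE_READWRITE 0x40u /* Windows protection value for RWX */

/* One committed region as a scanner might record it (hypothetical layout). */
struct region { const char *image; uint64_t base; uint32_t protect; };

/* Constructed sample scans: before the browser restart and after it. */
static const struct region scan_before[] = {
    { "browser.exe", 0x0000000010000000ull, 0x40 }, /* RWX page at a fixed address */
    { "browser.exe", 0x000001F3A2B40000ull, 0x40 }, /* RWX JIT heap, randomized */
    { "browser.exe", 0x00007FFB11200000ull, 0x20 }, /* DLL code, execute-read only */
};
static const struct region scan_after[] = {
    { "browser.exe", 0x0000000010000000ull, 0x40 }, /* same address after restart */
    { "browser.exe", 0x0000024C77E10000ull, 0x40 }, /* JIT heap landed elsewhere */
    { "browser.exe", 0x00007FFB11200000ull, 0x20 }, /* same base, but not writable */
    { "reader.exe",  0x0000000010000000ull, 0x40 }, /* seen in one scan only */
};

/* Compare the base protection only; modifier bits such as PAGE_GUARD sit above it. */
static int is_rwx(uint32_t protect) {
    return (protect & 0xFFu) == PAGE_EXECUTE_READWRITE;
}

/* Store in out[] each RWX region of scan b that scan a also saw as RWX in the same image at the same base. */
size_t persistent_rwx(const struct region *a, size_t na, const struct region *b,
                      size_t nb, const struct region **out, size_t cap) {
    size_t n = 0;
    for (size_t i = 0; i < nb; i++) {
        if (!is_rwx(b[i].protect)) continue;
        for (size_t j = 0; j < na; j++)
            if (is_rwx(a[j].protect) && a[j].base == b[i].base &&
                strcmp(a[j].image, b[i].image) == 0) {
                if (n < cap) out[n] = &b[i];
                n++;
                break;
            }
    }
    return n;
}

int main(void) {
    const struct region *hits[8];
    size_t n = persistent_rwx(scan_before, 3, scan_after, 4, hits, 8);
    for (size_t i = 0; i < n; i++)
        printf("%s: RWX at 0x%llx\n", hits[i]->image, (unsigned long long)hits[i]->base);
    return n != 0;
}
```

Only the fixed-address page is reported: the JIT heap is RWX but moves between runs, and the DLL keeps its base but is not writable.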


Checked BitDefender, Kaspersky, and Norton on various computers and none of them were vulnerable. However, as I said before on other vulnerability subjects, most exploits require two or more actions to take place simultaneously and the chance of that happening on a given computer is beyond any number the majority of people would understand. Something like 1 in 1,000,000,000,000,000,000,000,000,000. When exploits/vulnerabilities are tested it is done under controlled circumstances. In other words, we set up the system to do what it needs to do so we can exploit it at an exact moment in time. I won't tell you how many times this fails before it works or the lengths some people will go to in order to find/prove an exploit, yet their final wording makes it sound like every user in the world is going to be subject to it if something isn't patched or changed. Kind of like Chicken Little yelling the 'Sky is falling', it never has, it isn't, and it never will.



ESET and KIS 16 Both are Non-Vulnerable!! yeyii!!

regards


