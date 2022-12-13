Cybersecurity researcher Or Yair reports that several widely deployed anti-virus and EDR products, including ones from Microsoft, Trend Micro, and Avast, can be turned against the systems they protect and made to delete data. Because these products run on an enormous number of machines worldwide, the finding is an alarming one.

In a proof of concept the cybersecurity firm SafeBreach calls “Aikido”, the researchers explain how the exploit abuses a time-of-check to time-of-use (TOCTOU) race: the security product examines a file at one moment and acts on it at a later one, and the attacker changes what the file's path points to in between.

Aikido is a Japanese martial art that allows you to use the force and movement of your enemy against them.

How it Works

According to the document, the vulnerability can be used to build a class of malware known as “wipers”, which is often deployed in wartime offensive operations. A wiper is malware whose goal is to destroy the data on the machines it infects, erasing files and programs rather than stealing them.

The slide deck explains that the exploit redirects the endpoint detection product's “superpower”, its ability to “delete all files, regardless of their privileges”, at a target of the attacker's choosing. The procedure begins by creating a malicious file at “C:\temp\Windows\System32\drivers\ndis.sys”, a decoy whose path mirrors that of a real Windows driver under “C:\Windows\System32\drivers”.

The exploit then keeps a handle to the file open, so the AV/EDR cannot delete it immediately and is forced to “postpone the deletion until after the next reboot”. That deferral is the crux of the attack: the product remembers the file by its path rather than by the file itself, and will act on that path later.

Then it deletes the “C:\temp” directory, creates a junction “C:\temp -> C:\”, and reboots the machine. When the postponed deletion runs, the recorded path “C:\temp\Windows\System32\drivers\ndis.sys” now resolves through the junction to the real “C:\Windows\System32\drivers\ndis.sys”, and the security product deletes that file with its own elevated privileges.
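As an added illustration, not part of SafeBreach's research or of this article, the following Python model reproduces the race described in the steps above inside a temporary directory. Several things are stand-ins and are assumptions of the example rather than details from the page: a symlink plays the role of the NTFS junction, a constructed marker string plays the role of the detection signature, the temp directory plays the role of C:\, and the reboot-deferred delete is modeled as a record kept by the scanner (the page does not say how the affected products implement the deferral). The hardened variant shows the check a product would need: pin the canonical path and the file identity at time of check, and refuse the deferred delete if either has changed by time of use.

```python
"""Toy model of the Aikido time-of-check/time-of-use flaw.

The 'AV' judges a file at one path, records that path for a reboot-deferred
delete, and the attacker swaps the path's parent for a link to the real root
before the deferred delete runs. Everything is constructed in a temp dir; the
names mirror the C:\\temp\\Windows\\System32\\drivers\\ndis.sys layout and a
symlink stands in for an NTFS junction (both are assumptions of this example).
"""
import os
import shutil
import tempfile
from pathlib import Path

MARKER = b"MALICIOUS_MARKER"  # constructed detection signature for the toy scanner


def scan_is_malicious(path: Path) -> bool:
    """Toy detection: flag any file containing the constructed marker."""
    return MARKER in path.read_bytes()


def schedule_deferred_delete(path: Path) -> dict:
    """Record a file for deletion 'after reboot'.

    A vulnerable product effectively keeps only the string path. The record
    here also pins the canonical path and the file identity seen at check time
    so the hardened deleter can verify them later.
    """
    st = os.stat(path)
    return {
        "path": str(path),
        "realpath": os.path.realpath(path),
        "identity": (st.st_dev, st.st_ino),
    }


def deferred_delete_by_path(record: dict) -> bool:
    """Vulnerable: delete whatever the recorded string path resolves to now."""
    if os.path.lexists(record["path"]):
        os.remove(record["path"])
        return True
    return False


def deferred_delete_checked(record: dict) -> bool:
    """Hardened: refuse unless the path still resolves to the file that was judged."""
    p = record["path"]
    if not os.path.lexists(p):
        return False
    if os.path.realpath(p) != record["realpath"]:
        return False  # a link now redirects the path somewhere else
    st = os.stat(p)
    if (st.st_dev, st.st_ino) != record["identity"]:
        return False  # same path, but a different file object
    os.remove(p)
    return True


def simulate(hardened: bool) -> dict:
    """Run the staged attack and report whether the real 'driver' survives."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)  # plays the role of C:\
        legit = root / "Windows" / "System32" / "drivers" / "ndis.sys"
        legit.parent.mkdir(parents=True)
        legit.write_bytes(b"constructed stand-in for the real driver")
        staged = root / "temp" / "Windows" / "System32" / "drivers" / "ndis.sys"
        staged.parent.mkdir(parents=True)
        staged.write_bytes(MARKER)  # attacker's decoy file

        # Time of check: the product detects the decoy and, because the attacker
        # holds a handle (simulated), can only queue it for deletion after reboot.
        if not scan_is_malicious(staged):
            raise RuntimeError("toy scanner failed to flag the decoy")
        record = schedule_deferred_delete(staged)

        # Attacker removes C:\temp and points a junction C:\temp -> C:\ at the root.
        shutil.rmtree(root / "temp")
        os.symlink(root, root / "temp", target_is_directory=True)

        # Time of use ('after reboot'): the queued path now resolves to the real file.
        deleter = deferred_delete_checked if hardened else deferred_delete_by_path
        deleted = deleter(record)
        survives = legit.exists()
        os.unlink(root / "temp")  # drop the link before the temp dir is cleaned up
        return {"deleted_something": deleted, "legit_driver_survives": survives}


if __name__ == "__main__":
    print("vulnerable:", simulate(hardened=False))
    print("hardened:  ", simulate(hardened=True))
```

Running the vulnerable path deletes the stand-in for the real driver even though the scanner never examined it; the hardened path notices that the recorded path now canonicalizes to a different location and refuses. Pinning identity at check time is the general fix for this class of race, whether the redirection is a junction, a symlink, or a renamed directory.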

Affected Antivirus Software

According to the Aikido research, only some of the well-known antivirus and EDR products are affected, although the list includes several of the most widely deployed ones.

The researcher's slide deck lists Microsoft Defender, Microsoft Defender for Endpoint, SentinelOne EDR, TrendMicro Apex One, Avast Antivirus, and AVG Antivirus as examples of vulnerable products.

Other products, including Palo Alto XDR, Cylance, CrowdStrike, McAfee, and BitDefender, were tested and found not to be vulnerable.