Friday, May 2, 2025
HomeCVE/vulnerabilityAnti Virus Software's Design Flaw Leads to Bypass Windows Local Privilege

Anti Virus Software’s Design Flaw Leads to Bypass Windows Local Privilege

Published on

SIEM as a Service

Follow Us on Google News

A new Antivirus design flaw has discovered and named as AVGater for the Windows Local Privilege Escalation Vulnerability which is presented in many antiviruses that can be abused and bypassed using restore from quarantine Method.

Quarantine is a special storage suspicious (probably infected) objects used by Antivirus engine. A function of antivirus software that isolates infected files on a computer’s hard disk. Files put in quarantine by antivirus engines are no longer capable of infecting their hosting system.

Also Read:  Windows Defender Antivirus Bypass Allows Any Malware to Execute on a Windows Machine

- Advertisement - Google News

This restoring file from an antivirus future called quarantine leads to exploited by any local user and escalate the Windows Local Privilege to gain full control over the endpoint.

An Antivirus Working Point of view, it has categorized with 3 type of privileges which has its own functionality in terms of Windows access with user mode and kernel mode

  1. First one is a user interface that can be accessed by unprivileged users to the functions such as virus warning, settings, system states etc that will be working with user mode.
  2. The second one is Windows Services that will be used by Antivirus for monitoring file access, Virus Quarantine and updating with same user mode.
  3. The third one is kernel component that is used to perform some core functions such as scanning, Remediation, Rootkit Detection Etc.

So what Next with AVGater to Escalate Windows Local Privilege

In this case, unprivileged users don’t have much power to performing more accessible and they only have the option to working with the user interface. but windows services have some more ability to do than unprivileged users.Kernal component, as usual, has the superpower to do everything.

Here AVGater will manipulate the Restoring Process from antivirus quarantine to any arbitrary filesystem location.

According to Researcher, In This case, restore process is most often carried out by the privileged AV Windows user mode service. 
Hence, file system ACLs can be circumvented (as they don’t really count for the SYSTEM user). This type of issue is called a privileged file write vulnerability and can be used to place a malicious DLL anywhere on the system.

This will be achieved by Tempering the NTFS directory junctions and Restore process will be successfully Executed.

A command line interface called Mklink will help to create symbolic links for directories that can be created by anyone.

So once Malicious File moved to quarantine location by Antivirus engine, an unprivileged user can restoring the previously quarantined file to any other destination we want.

 
” Basic DLL Working order, By restoring the previously quarantined file, the SYSTEM permissions of the AV Windows user mode service are misused, and the malicious library is placed in a folder where the currently signed in user is unable to write to under normal conditions.”

A non-admin user would not be able to copy files inside this folder, but antivirus programs work under SYSTEM privileges, which means the file restored from quarantine will be sent to that folder without triggering errors or alerts.

Finally, it will be loaded into privileged windows process and malicious code will be again back to normal Location and local non-admin attacker gained full control over the affected endpoint. Researcher said.

We do have Proof of concepts for this Local privilege escalation flaw for Antivirus Vendors. POC was Successfully tested against Emsisoft Anti-Malware and Malwarebytes.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Dutch Services Disrupted by DDoS Attacks From Russian-Affiliated Hacktivists

Multiple Dutch organizations have experienced significant service disruptions this week due to a series...

Seven Malicious Packages Exploit Gmail SMTP to Run Harmful Commands

A major supply chain security incident has rocked the Python open-source community as researchers...

CISA Issues New ICS Advisories Addressing Critical Vulnerabilities and Exploits

The Cybersecurity and Infrastructure Security Agency (CISA) has issued two new advisories revealing critical...

NVIDIA TensorRT-LLM Vulnerability Let Hackers Run Malicious Code

NVIDIA has issued an urgent security advisory after discovering a significant vulnerability (CVE-2025-23254) in...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

CISA Issues New ICS Advisories Addressing Critical Vulnerabilities and Exploits

The Cybersecurity and Infrastructure Security Agency (CISA) has issued two new advisories revealing critical...

CISA Issues Alert on Actively Exploited Apache HTTP Server Escape Vulnerability

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert regarding a...

Netgear EX6200 Flaw Enables Remote Access and Data Theft

Security researchers have disclosed three critical vulnerabilities in the Netgear EX6200 Wi-Fi range extender...