A flaw (already resolved) can bring all antiviruses to their knees: update immediately!


Security company Rack911 Labs has identified a vulnerability, actually quite trivial, that affects the vast majority of the best-known antivirus software and that, when properly exploited, could put the antivirus itself out of action or turn it into a destructive tool against the system it should protect.


Source: Rack911 Labs

The flaw exploits the time that elapses between the antivirus detecting a threat and the operation that removes it. Most antivirus software works the same way: when an unknown file is saved to the system disk, the antivirus scans it in real time to see whether it poses a threat. If so, the file is quarantined and moved to a safe area pending further instructions, or is simply discarded.

By combining this time window with directory junctions on Windows and symlinks on Linux or macOS (both create links between directories or to files), it is possible to make the antivirus perform malicious operations. The mechanism works because creating links does not require administrator privileges, while the antivirus, which by the nature of its functions normally runs with high-level permissions, is made to perform operations such as deleting files that would otherwise require elevated authorization. According to Rack911 Labs, the flaw is easily exploitable, and the company has illustrated it with two proofs of concept, on Windows and on macOS.
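The sketch below is an added example, not code from Rack911 Labs or from any antivirus vendor. It shows one defensive pattern against this class of race on Linux or macOS: pin the directory and the file with descriptors at detection time, then remove the file only relative to the pinned directory and only if it is still the same inode. The function names `open_for_scan` and `remove_if_unchanged` are hypothetical.

```python
import os
import stat


def open_for_scan(directory, name):
    """Pin directory and file at detection time.

    Returns (dir_fd, file_fd, identity). The scanner should read the
    content through file_fd, never by reopening the path.
    """
    # O_NOFOLLOW rejects a symlink as the final path component.
    dir_fd = os.open(directory, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        file_fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW, dir_fd=dir_fd)
    except OSError:
        os.close(dir_fd)
        raise
    st = os.fstat(file_fd)
    if not stat.S_ISREG(st.st_mode):
        os.close(file_fd)
        os.close(dir_fd)
        raise OSError("refusing to scan a non-regular file")
    return dir_fd, file_fd, (st.st_dev, st.st_ino)


def remove_if_unchanged(dir_fd, name, identity):
    """Delete `name` inside the pinned directory if it is still the scanned file.

    Returns True when the file was removed, False when the entry vanished
    or no longer matches the inode that was scanned.
    """
    try:
        st = os.stat(name, dir_fd=dir_fd, follow_symlinks=False)
    except FileNotFoundError:
        return False
    if not stat.S_ISREG(st.st_mode) or (st.st_dev, st.st_ino) != identity:
        return False
    # unlinkat(2): the name is resolved from the pinned descriptor, so a
    # link planted at the original directory path is never traversed.
    # An entry swapped after the check above can only be another entry
    # of this same pinned directory.
    os.unlink(name, dir_fd=dir_fd)
    return True
```

The caller closes both descriptors once the file has been handled.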


Rack911 Labs reports, however, that after the flaw was disclosed the various security companies issued updates for their antivirus products, for the most part silently, to solve the problem. It is therefore advisable to verify that your antivirus is updated to the latest version, a habit that should be exercised periodically.

