Researchers Turn Antivirus Software Into Destructive Tools
2020-04-23 11:13

Most antivirus software performs a "real-time scan" of unknown files saved to disk; files considered suspicious are either moved to a secure location to be quarantined or deleted from the system.

The issue, the researchers say, resides in the fact that there's a small time window between the file scan and the cleanup operation, and that almost all antivirus software performs operations with the highest level of authority within the operating system.
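The time window described above can be narrowed on the cleanup side by tying the delete to the object that was actually scanned. The sketch below is an added example, not code from RACK911 Labs or any antivirus vendor; it assumes a POSIX system, and the function names, file names and directory layout are hypothetical.

```python
import os, stat, tempfile

def scan(dir_fd, name):
    """Scan step: open without following links; return the identity of what was read."""
    fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW, dir_fd=dir_fd)
    try:
        st = os.fstat(fd)  # a real scanner would classify the content read from fd here
        return (st.st_dev, st.st_ino)
    finally:
        os.close(fd)

def cleanup(dir_fd, name, scanned_id):
    """Cleanup step: delete only if the entry is still the regular file that was scanned."""
    try:
        st = os.stat(name, dir_fd=dir_fd, follow_symlinks=False)
    except FileNotFoundError:
        return "gone"
    if not stat.S_ISREG(st.st_mode) or (st.st_dev, st.st_ino) != scanned_id:
        return "refused"  # the name no longer refers to the object that was scanned
    os.unlink(name, dir_fd=dir_fd)  # relative to the pinned directory, never a re-resolved path
    return "removed"

def demo():
    """Constructed scenario: one flagged entry is untouched, one is re-pointed before cleanup."""
    with tempfile.TemporaryDirectory() as root:
        watched = os.path.join(root, "downloads")
        os.mkdir(watched)
        keep = os.path.join(root, "important.cfg")
        for p in (keep, os.path.join(watched, "a.bin"), os.path.join(watched, "b.bin")):
            with open(p, "w") as f:
                f.write("constructed sample\n")
        # Pin the directory once; every later operation is relative to this descriptor.
        dir_fd = os.open(watched, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
        try:
            id_a, id_b = scan(dir_fd, "a.bin"), scan(dir_fd, "b.bin")
            os.unlink(os.path.join(watched, "b.bin"))  # entry changes inside the window
            os.symlink(keep, os.path.join(watched, "b.bin"))
            return (cleanup(dir_fd, "a.bin", id_a), cleanup(dir_fd, "b.bin", id_b),
                    os.path.exists(keep), os.path.lexists(os.path.join(watched, "a.bin")))
        finally:
            os.close(dir_fd)

if __name__ == "__main__":
    print(demo())
```

A short gap remains between the final `os.stat` and `os.unlink`, but because the delete is relative to the pinned directory descriptor it can only remove an entry inside that directory. Running the cleanup step with the lowest privilege that can still remove the file limits what any remaining mistake can touch.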

"In our testing across Windows, macOS & Linux, we were able to easily delete important files related to the antivirus software that rendered it ineffective and even delete key operating system files that would cause significant corruption requiring a full reinstall of the OS," RACK911 Labs says.

"In some of the antivirus software that we exploited, timing wasn't important at all and a simple loop statement of running the exploit over and over was all that was needed to manipulate the antivirus software into self-destructing," the researchers note.

"It's now spring of 2020 and every antivirus vendor that we have contacted has had at least 6 months to fix the security vulnerabilities, we feel the time is right to bring our research to the public. [] It's our hope that antivirus vendors will rethink how file operations take place under user accessible directories. Whether it's Windows, macOS or Linux, it's extremely important that file operations happen with the lowest level of authority to prevent attacks from taking place," RACK911 Labs concludes.


News URL

http://feedproxy.google.com/~r/Securityweek/~3/M4WlFHwm-l4/researchers-turn-antivirus-software-destructive-tools