
Vendors Respond to Method for Disabling Their Antivirus Products via Safe Mode
2020-12-15 14:27

Microsoft and several major cybersecurity companies have responded to a researcher's disclosure of a method for remotely disabling their antivirus products by leveraging Windows safe mode.

Researcher Roberto Franceschetti last week published an advisory, a blog post, a video and proof-of-concept exploits demonstrating a method that could be used by an attacker to disable anti-malware products from Microsoft, Avast, Bitdefender, F-Secure and Kaspersky.

The researcher showed how an attacker who already holds elevated privileges could run a script, locally or remotely, that forces the device to reboot into safe mode, where the antivirus service is not started, and renames the product's application directory there, so that the service can no longer start when the machine returns to normal mode.
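The technique depends on two things a defender can inspect directly: the current boot entry being flagged for a safe-mode boot, and the antivirus service not being on the list of services Windows is allowed to start in safe mode. The following PowerShell audit is an added example written for this page; it is not the researcher's proof of concept or any vendor's code, and the service names passed in `WatchServices` are illustrative assumptions. It must run as an administrator, because `bcdedit` requires it.

```powershell
# Added example (not from the article or the researcher's PoC): audit a Windows host for the
# preconditions of the safe-mode antivirus-disable technique described above.
# Assumptions: runs as administrator; the default WatchServices names are only illustrative.

function Get-SafeBootStatus {
    <#
    .SYNOPSIS
      Reports whether the current BCD entry is flagged for a safe-mode boot and which
      services are permitted to start in Safe Mode (Minimal) and Safe Mode with Networking.
    #>
    [CmdletBinding()]
    param(
        # Service names to look for in the SafeBoot allow-lists (hypothetical examples).
        [string[]]$WatchServices = @('WinDefend', 'Sense')
    )

    # 1. A forced safe-mode boot is staged as a 'safeboot' element on the current boot entry
    #    (set with "bcdedit /set {current} safeboot minimal|network"). When the element is
    #    absent, bcdedit prints no 'safeboot' line at all.
    $bcd = bcdedit /enum '{current}' 2>&1 | Out-String
    $pendingSafeBoot = $null
    if ($bcd -match '(?m)^safeboot\s+(\S+)') { $pendingSafeBoot = $Matches[1] }

    # 2. Services and driver groups allowed to start in safe mode are the subkeys of
    #    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\{Minimal,Network}. Anything not
    #    listed there (most third-party AV services) is simply not started in safe mode,
    #    which is the window the rename step relies on.
    $result = [ordered]@{
        PendingSafeBoot      = $pendingSafeBoot   # 'Minimal', 'Network', or $null if not set
        MinimalAllowList     = @()
        NetworkAllowList     = @()
        WatchedNotInSafeMode = @()
    }
    foreach ($mode in 'Minimal', 'Network') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
        if (Test-Path $key) {
            $result["${mode}AllowList"] = (Get-ChildItem $key).PSChildName
        }
    }

    # 3. Flag watched services that would not be running in Safe Mode with Networking.
    foreach ($svc in $WatchServices) {
        if ($result.NetworkAllowList -notcontains $svc) {
            $result.WatchedNotInSafeMode += $svc
        }
    }

    [pscustomobject]$result
}

# Usage: a non-null PendingSafeBoot on a server nobody is troubleshooting is the signal to
# investigate; "bcdedit /deletevalue {current} safeboot" clears a staged safe-mode boot.
Get-SafeBootStatus | Format-List
```

This is a detection aid, not a fix: an attacker with the same administrative rights the article presupposes can stage the boot and reboot within seconds, so the check is most useful as a scheduled or remotely collected telemetry point rather than as a one-off run.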

"The whole point of implementing tamper protection on antivirus files, folders and Windows servers is to prevent even local admins from disabling AV protection. Have any of you tried to stop your AV services? You can't! That's the whole point of my exploit," he wrote.

Franceschetti said there is not much antivirus vendors can do to prevent such attacks, but noted that the Bitdefender and Kaspersky products did block some versions of his exploit, although he claimed to have bypassed that detection by tweaking the exploit.


News URL

http://feedproxy.google.com/~r/Securityweek/~3/wieSAAViVvs/vendors-respond-method-disabling-their-antivirus-products-safe-mode