Anti-virus programmes. They’re the key to protecting your computer. As long as you have one in place, you can rest easy, knowing you’ve done your bit to protect yourself from malicious attackers, right? Well, I would certainly recommend installing a reputable anti-virus programme but checking before actually installing it is as vital as implementing it in the first place.
Why, you may ask. Well, on the 10th of November 2017, a researcher documented an example of the problems this addresses—a vulnerability he found in about a dozen name-brand AV programs that allows attackers who already have a toehold on a targeted computer to gain complete system control.
AVGater, as the researcher is calling the vulnerability, works by relocating malware already put into an AV quarantine folder to a location of the attacker's choosing. Attackers can exploit it by first getting a vulnerable AV program to quarantine a piece of malicious code and then moving it into a sensitive directory such as C:\Windows or C:\Program Files, which normally would be off-limits to the attacker. Six of the affected AV programs have patched the vulnerability after it was privately reported. The remaining brands have yet to fix it, said Florian Bogner, a Vienna, Austria-based security researcher who gets paid to hack businesses so he can help them identify weaknesses in their networks.
The attack worked first by getting Bogner's malicious file quarantined by the AV program running on the targeted computer. The pen-tester then exploited vulnerabilities in the AV programs that allowed unprivileged users to restore the quarantined files. He further abused a Windows feature known as NTFS file junction point to force the restore operation to put his malicious file into a privileged directory of Bogner's choosing. The technique took advantage of another Windows feature known as Dynamic Link Library search order. With that, Bogner's malware ran with full privileges.
So how do you prevent creepy attacks like this? Basically, you MUST ensure that all the computers on your corporate network run limited privileges on a strictly need to do basis. Anything that an account/device doesn’t explicitly need to do or have access to should be restricted. Moreover, you should always install anti-virus programmes which have real-time analysis and whitelist programmes that can shut off avenues for viruses as quickly as possible before they can exploit gaps in your defences. As a general rule, people who aren't likely to be narrowly targeted in attacks are probably better off running Windows Defender or another name-brand AV engine. Journalists, lawyers, and activists, on the other hand, should weigh the benefits and risks on a case-by-case basis.