EDR and antivirus products tricked into deleting system files and drivers

SafeBreach Labs researcher Or Yair has found several vulnerabilities that allowed him to turn EDR products and antiviruses into wipers. The vulnerable security products can be made to delete arbitrary files and directories on the system and render the computer unusable.

The wiper, called Aikido, abuses the elevated privileges that EDR and AV products hold on the system, relying on decoy directories that contain specially crafted paths to trigger the deletion of legitimate files.

“The wiper runs with the permissions of an unprivileged user, yet it can delete almost any file on the system, even system files, and render the computer completely inoperable. All of this happens without any code execution, which makes the wiper completely undetectable,” the researcher explains.

The Aikido wiper uses a Windows feature that lets users create junction points, which are similar to symbolic links (symlinks), regardless of the account's privileges.

Yair explains that an unprivileged user cannot delete system files (.sys) because they lack the required permissions. However, the analyst forced the security product to delete the files for him by creating a decoy directory and placing the path to be deleted inside it (for example, C:\temp\Windows\System32\drivers versus C:\Windows\System32\drivers).


The researcher created a malicious file, placed it in the decoy directory, and kept a handle to it open. Unable to determine which programs were allowed to modify the file, the EDR/AV requested a system reboot to eliminate the threat. The researcher then deleted the decoy directory. In addition, after the EDR/AV-triggered reboot, the disk is filled with random bytes several times to guarantee that the deleted data is overwritten and cannot be recovered.
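The defensive counterpart of the technique described above is a remediation engine that refuses to act on a path that passes through a junction or symlink, or that resolves outside the directory in which the detection fired. The following is an added example written for this article, not code from SafeBreach or from any of the products tested; the function names (safe_to_delete, is_reparse_point) and the quarantine/protected layout are assumptions. On POSIX a symlink stands in for the Windows junction, since junctions do not exist there; on Windows the same lstat-based check catches both junctions and symlinks through the reparse-point attribute.

```python
import os
import stat
import tempfile
from pathlib import Path

# Attribute bit carried by Windows junctions and symlinks. Recent CPython defines it
# in the stat module on every platform; the fallback is the documented value 0x400.
REPARSE_POINT = getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0x400)


def is_reparse_point(path: Path) -> bool:
    """True if `path` itself is a symlink (POSIX) or carries the reparse-point
    attribute (Windows junctions and symlinks). lstat is used so the link is not followed."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False
    if stat.S_ISLNK(st.st_mode):
        return True
    return bool(getattr(st, "st_file_attributes", 0) & REPARSE_POINT)


def safe_to_delete(flagged_path, allowed_root):
    """Decide whether a remediation engine may delete `flagged_path` (hypothetical API).

    `allowed_root` is the directory in which the detection fired. The path is accepted
    only if it lies lexically under that root, no component between the root and the
    file is a reparse point, and the fully resolved path still lies under the resolved
    root. Returns (ok, reason)."""
    root = Path(allowed_root).absolute()
    target = Path(flagged_path).absolute()
    try:
        relative = target.relative_to(root)
    except ValueError:
        return False, f"{target} is outside {root}"
    current = root
    for part in relative.parts:  # walk downward, one component at a time
        current = current / part
        if is_reparse_point(current):
            return False, f"reparse point in path: {current}"
    try:
        target.resolve().relative_to(root.resolve())
    except ValueError:
        return False, f"{target} resolves outside {root}"
    return True, "ok"


def demo():
    """Constructed layout: a 'quarantine' root holding a harmless flagged file and a
    decoy 'drivers' link into a 'protected' tree, mirroring the article's
    C:\\temp\\Windows\\System32\\drivers decoy. A symlink stands in for the junction
    (on Windows this stand-in needs symlink privilege; the article's junctions need none)."""
    with tempfile.TemporaryDirectory() as tmp:
        protected = Path(tmp) / "protected" / "drivers"
        protected.mkdir(parents=True)
        (protected / "sample.sys").write_text("stand-in for a system driver (constructed)")

        quarantine = Path(tmp) / "quarantine"
        quarantine.mkdir()
        (quarantine / "eicar.txt").write_text("stand-in for the EICAR test file (constructed)")
        os.symlink(protected, quarantine / "drivers", target_is_directory=True)

        return {
            "legit": safe_to_delete(quarantine / "eicar.txt", quarantine),
            "via_link": safe_to_delete(quarantine / "drivers" / "sample.sys", quarantine),
        }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name}: {'delete' if ok else 'refuse'} ({reason})")
```

The component-by-component walk is the important part: resolving the whole path at once and comparing the result is not enough on its own, because a product that records the path at detection time and deletes it later (for example after a reboot) can be handed a path whose intermediate directory has since been replaced by a junction. Checking each component with lstat immediately before the delete, and refusing on any reparse point, closes that window.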

The exploit also bypasses the Controlled Folder Access feature in Windows, which is designed to prevent tampering with files inside protected folders, because the EDR/AV has permission to delete those files.

Of the 11 security products tested, 6 turned out to be vulnerable to this exploit. During the tests, the EICAR test file was used in place of a real malicious file as the file the EDR/AV deletes.

Yair reported the security flaws to the vendors. Three CVE identifiers were issued:
