Discussion in 'The Guru's Pub' started by vbetts, Sep 21, 2018.
This deserves to be put in the fail thread:
The PoC is leaving me speechless.
Sorry, but "local user" invalidates all of that.
I am just amazed at the way ... just by my favorite script language.... batch. You could run that in DOS.
Regardless of privileges it is a fail to be prone to such an "amateur" attack. "Order the AV to delete itself." ... I cannot say I've heard that in a while.
You can't run it in DOS because there are no symlinks or junctions in DOS.
I don't get your excitement. Any user can simply uninstall the AV - what is the difference?
The difference is you create a virus to delete a file.
Place the virus there (EICAR) and create a symlink for it. While the AV is scanning, the symlink is in effect and the antivirus deletes itself instead of the malware.
Some AVs have self-protection so critical processes cannot be deleted. But then most AV software runs at SYSTEM level.
And an AV may delete itself, so that's bypassed from what I understand.
I am so amazed because this is so easy to reproduce.
For example, if you bomb the AV with thousands of viruses at once in one big archive which you extract, you can run most of them because the AV cannot keep up with scanning.
I really like ITsec. That's all.
A virus is not a "local user". A completely different story.
It's the same as what I guess we all did at some time.
Patting someone's back, and if he turns around we decently point to some innocent bystander to take the blame.
Fuji no yama
From Amazon, just FYI ....
Failure on the phone, while paying respect. Yeah, some people do not care at all.