Ramblings of an old Doc

 

So…this is something you really want to know, and thanks to Tomer Bitton and Udi Yavo of enSilo, you can find out for free. The reason you want to find out is that a predictable RWX page is about as bad as a memory-protection flaw gets: it hands an attacker a known address that is writable and executable at the same time, which turns an ordinary bug in your browser or PDF reader into remote code execution. Also, AVs aren't the only target. Data Loss Prevention (DLP) products hook the same processes and can carry the same flaw. There are 400 million AV users, so…there might be many folks with a false sense of security. Tomer and Udi's freebie will check whatever AV you are using for this vulnerability.

“The company [enSilo] found the vulnerability in several antivirus products including McAfee Virus Scan for Enterprise version 8.8, Kaspersky Total Security 2015 and AVG Internet Security 2015. Both AVG and McAfee appear to have fixed the issue in recent updates already.” – gHacks

The vulnerability?

“The vulnerable Anti-Virus products allocate a memory page with Read, Write, Execute (RWX) permissions at a constant predictable address. This allocation occurs for various user-mode processes belonging to third party applications such as browsers and Adobe Reader.

As mentioned in our March AVG release, this flaw significantly diminishes the efforts that the threat actor needs in order to exploit a third party application. In turn, this can lead to the compromise of the underlying Windows system.

How? Microsoft places many Windows mitigations against exploits, for instance the randomization of memory (ASLR) and preventing data from running in memory (DEP). Since the memory page is at a constant predictable address, the attacker can know where to write and run the code. With the memory allocation set to RWX, that code can be executed, essentially defeating those hurdles that Windows placed in front of threat actors.” – enSilo
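To make enSilo's description concrete, here is an added example (my own, not enSilo's AVulnerabilityChecker and not code from their write-up) of the check such a tool has to make: walk each process's memory regions and flag pages that are writable and executable at the same base address in more than one process. The process names, PIDs, addresses and the "AV hook" page at 0x710000 are constructed, made-up input so the script runs offline on any OS; on a real Windows box you would feed it the output of a VirtualQueryEx() walk over each process.

```python
"""Spot RWX pages that sit at one constant address across processes.

Added example for this post; it is not enSilo's AVulnerabilityChecker and
not code from their write-up. Region records are constructed by hand in the
shape a VirtualQueryEx() walk would give you (BaseAddress, RegionSize,
Protect), so it runs offline on any OS.
"""
from collections import defaultdict

# PAGE_* protection constants from winnt.h
PAGE_READONLY = 0x02
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
PAGE_GUARD = 0x100            # modifier bit OR'd onto one of the above

WRITABLE_AND_EXECUTABLE = {PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}


def is_rwx(protect):
    """True if a region is both writable and executable (modifier bits ignored)."""
    return (protect & 0xFF) in WRITABLE_AND_EXECUTABLE


def rwx_bases(regions):
    """Base addresses of every W+X region in one process's region table."""
    return {base for base, _size, protect in regions if is_rwx(protect)}


def constant_rwx_pages(processes, min_procs=2):
    """Return {base: [pids]} for W+X pages found at the same base in at least
    min_procs processes. A lone RWX page at a randomized address (a JIT code
    heap, say) is normal; the same RWX address in unrelated processes is the
    'constant predictable address' enSilo describes."""
    seen = defaultdict(list)
    for pid, _name, regions in processes:
        for base in rwx_bases(regions):
            seen[base].append(pid)
    return {base: pids for base, pids in seen.items() if len(pids) >= min_procs}


def verdict(processes):
    """One-line report in the spirit of the checker's console output."""
    hits = constant_rwx_pages(processes)
    if not hits:
        return "most likely not vulnerable"
    detail = ", ".join(f"0x{base:X} in pids {pids}" for base, pids in sorted(hits.items()))
    return "vulnerable: " + detail


def build_sample(hook_protect=PAGE_EXECUTE_READWRITE, hook_bases=(0x710000, 0x710000, 0x710000)):
    """Constructed region tables (made-up PIDs and addresses) for two browser tabs
    and a PDF reader. Everything but the 'hook' page is at an ASLR'd address;
    the hook page stands in for what a hypothetical AV injects into every process."""
    jit = PAGE_EXECUTE_READWRITE
    return [
        (1234, "browser.exe (tab 1)", [
            (0x7FF61A400000, 0x1000, PAGE_READONLY),               # image header: same base, but read-only
            (0x2184C300000, 0x40000, PAGE_READWRITE),              # heap
            (0x2184C2F0000, 0x1000, PAGE_READWRITE | PAGE_GUARD),  # stack guard page
            (0x21900000000, 0x10000, jit),                         # JIT code heap: RWX, but randomized
            (hook_bases[0], 0x1000, hook_protect),                 # page from the hypothetical AV hook
        ]),
        (1235, "browser.exe (tab 2)", [
            (0x7FF61A400000, 0x1000, PAGE_READONLY),
            (0x1F3A5E00000, 0x40000, PAGE_READWRITE),
            (0x1F3C0000000, 0x10000, jit),                         # different JIT address in this process
            (hook_bases[1], 0x1000, hook_protect),
        ]),
        (1300, "AcroRd32.exe", [
            (0x7FF7B2C00000, 0x1000, PAGE_EXECUTE_READ),
            (0x1A2B3C00000, 0x20000, PAGE_READWRITE),
            (hook_bases[2], 0x1000, hook_protect),
        ]),
    ]


if __name__ == "__main__":
    print(verdict(build_sample()))                                # vulnerable: 0x710000 in pids [1234, 1235, 1300]
    print(verdict(build_sample(hook_protect=PAGE_EXECUTE_READ)))  # most likely not vulnerable
```

Two things the sample is built to show: the browser's own JIT pages are RWX too, but at a different address in every process, so they are not reported; and the flaw goes away either when the vendor drops the write or execute bit from the hook page, or when the page is allocated at a randomized address, which is why a fixed product reports "most likely not vulnerable" even though it still injects into the same processes.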

You can pick the freebie up here: https://github.com/BreakingMalware/AVulnerabilityChecker

So…you extract the zip and run the .exe. Close your browser first, then reopen it with at least two tabs (the checker looks for the same RWX address across several processes, so it needs more than one browser process to compare). You'll get an instant report in the console window.

Worth every cent…yeah, it’s free, but honestly I recommend running the test on your AV.

Sources:

http://www.ghacks.net/2015/12/10/check-whether-your-antivirus-is-vulnerable-to-explotable-rwx-addresses/

http://blog.ensilo.com/the-av-vulnerability-that-bypasses-mitigations


Comments
on Dec 12, 2015

I dl'd the tool and ran it. AVG has fixed the issue, my laptop is not vulnerable. Thank you Doc.

on Dec 12, 2015

Most likely I'm not vulnerable.....

....sounds vaguely OK....

on Dec 12, 2015

Thank you Doc!   First, Nortons killed it...but I said it was an ok exe. so brought it back. When it did its thing, it said most likely not vulnerable.

And if anyone laughs that I use Nortons, I will make sure Santa knows how naughty you are and no presents! 

on Dec 12, 2015

Drat! Wanted some coal...oh well. 

on Dec 12, 2015

teddybearcholla

Thank you Doc!   First, Nortons killed it...but I said it was an ok exe. so brought it back. When it did its thing, it said most likely not vulnerable.

And if anyone laughs that I use Nortons, I will make sure Santa knows how naughty you are and no presents! 


Norton Rep center prolly killed it on the first launch, the     of rep. center is quicker than Lucky Luke's shadow at times, which can have pros and cons.
I'm prolly one of the "very" few people here that still has good words for Symantec products such as Norton AV 2014, which sadly isn't standalone anymore :C
I switched to Bitdefender on recommendation, it is doing the same stuff as Norton did but does not provide as much information nor as much of control as the
N. AV 2014 offered.

It killed the execut(e)able


on Dec 12, 2015

teddybearcholla

that I use Nortons

Ooohhh.....I'm tellin'. 

on Dec 12, 2015

benmanns

Norton Rep center prolly killed it on the first launch, the of rep. center is quicker than Lucky Luke's shadow at times, which can have pros and cons.
I'm prolly one of the "very" few people here that still has good words for Symantec products such as Norton AV 2014, which sadly isn't standalone anymore :C
I switched to Bitdefender on recommendation, it is doing the same stuff as Norton did but does not provide as much information nor as much of control as the N. AV 2014 offered.
It killed the execut(e)able

When you tire of Bitdefender you can do what I did...move on to Kaspersky.

It didn't kill the exe...though it used to kill the Sonique installer ...

on Dec 12, 2015

teddybearcholla

Thank you Doc!   First, Nortons killed it...but I said it was an ok exe. so brought it back. When it did its thing, it said most likely not vulnerable.

And if anyone laughs that I use Nortons, I will make sure Santa knows how naughty you are and no presents! 

 

I'll come out of the closet too, and admit I use Norton. Since I installed it, I've never been nailed by malware of any kind, and no noticeable slow down of my system either. No conflicts, no false positives, no crashes...

I used to use Kaspersky, but I found the program and the forums to be cryptic. - Not for a non-techie...

on Dec 12, 2015

DrJBHL

Drat! Wanted some coal...oh well
  ... noted!!  

benmanns

Im prolly one of the "very" few people here that still has good words for Symantec products such as Norton AV 2014, which sadly isnt standalone anymore :C
  ...I've used Nortons for a long time. No problems that I can remember.


Ooohhh.....I'm tellin'.
 ... coal? hehehe!!

Borg999

I'll come out of the closet too, and admit I use Norton
  .... 

Sorry for hijacking your post, Doc!