Vulnerabilities could transform antivirus, EDR systems to data wipers

Endpoint detection and response (EDR) and antivirus products from Microsoft, Trend Micro, Avast, SentinelOne, and AVG could be exploited to act as data wipers, BleepingComputer reports. SafeBreach researcher Or Yair was able to turn the EDR and antivirus tools against the systems they protect by creating a malicious file, keeping its handle open so the file could not be removed immediately, and leaving the write and delete permissions for processes undefined. The deletion is then deferred until a system reboot, which releases the handle and lets the file deletion go through. "This exploit is also effective for a ransomware protection feature in Windows called the Controlled Folder Access. This feature prevents untrusted processes from modifying or deleting any files contained inside one of the folders listed in the Protected Folders list. However, since an EDR or AV is the most trusted entity on a system, this feature does not prevent them from deleting these files," said Yair. Security products from CrowdStrike, Palo Alto Networks, McAfee, Bitdefender, and Cylance are not vulnerable to the new attack. Meanwhile, all affected vendors have already issued patches to address the vulnerability.