AV Gate abuses Anti-Virus Quarantine

A new technique known as AV Gate has been discovered that allows a physical user to restore quarantined files and move them to privileged areas. This technique can be used without administrator rights and can be used for privilege escalation.

Threat ID:: CC-1782
Category:
Threat Severity:: Low
Threat Vector:
Published:: 15 November 2017 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of this information contained in this page is at your own risk

Summary

Affected platforms

The following platforms are known to be affected:

Microsoft Windows

Microsoft Windows - All Versions

Threat details

By restoring quarantined files, which are likely to be malware themselves, this technique reintroduces the risks associated with theses files. An attacker also has the ability to write to the files being restored and could add code to aid in further attacks for instance.

The scope of this vulnerability is reduced by the fact it requires physical access and that the restored files cannot be placed in system-critical Windows folders.

Remediation steps

Type	Step
	Administrators should ensure systems are fully updated. Regular users must not be able to restore or move quarantined files. Users should only be able to access systems they are explicitly authorised to use. Organisations should avoid the use of shared computers where possible.

Last edited: 17 February 2020 11:27 am