Most antivirus can be disabled by symbolic links


Yesterday, the RACK911 Labs researchers, I sharen on their blog, a post in which they released part of his research showing that almost all the packages of antivirus for Windows, Linux and macOS were vulnerable to attacks that manipulate race conditions while removing files containing malware.

In your post show that to carry out an attack, you need to download a file that the antivirus recognizes as malicious (for example, a test signature can be used) and after a certain time, after the antivirus detects the malicious file  immediately before calling the function to remove it, the file acts to make certain changes.

What most antivirus programs do not take into account is the small time interval between the initial scan of the file that detects the malicious file and the cleanup operation that is performed immediately afterwards.

A malicious local user or malware author can often perform a race condition via a directory junction (Windows) or symbolic link (Linux and macOS) that takes advantage of privileged file operations to disable antivirus software or interfere with the operating system to process it.

In Windows a directory change is made using a directory join. While on Linux and Macos, a similar trick can be done changing directory to "/ etc" link.

The problem is that almost all antivirus did not check the symbolic links correctly and considering that they were deleting a malicious file, they deleted the file in the directory pointed out by the symbolic link.

On Linux and macOS it shows how in this way a user without privileges you can remove / etc / passwd or any other file from the system and in Windows the DDL library of the antivirus to block its operation (in Windows, the attack is limited only by deleting files that other users do not currently use) applications).

For example, an attacker can create an exploits directory and load the EpSecApiLib.dll file with the virus test signature and then replace the exploits directory with the symbolic link before uninstalling the platform which will remove the EpSecApiLib.dll library from the directory. antivirus.

In addition, many antivirus for Linux and macOS revealed the use of predictable filenames when working with temporary files in the / tmp and / private tmp directory, which could be used to increase the privileges for the root user.

To date, most providers have already eliminated the problems, But it should be noted that the first notifications of the problem were sent to the developers in the fall of 2018.

In our tests on Windows, macOS, and Linux, we were able to easily remove important antivirus-related files that rendered it ineffective, and even remove key operating system files that would cause significant corruption that would require a complete reinstallation of the operating system.

Even though not everyone released the updates, they received a fix for at least 6 months, and RACK911 Labs believes that you now have the right to disclose information about vulnerabilities.

It is noted that RACK911 Labs has been working on identifying vulnerabilities for a long time, but did not anticipate that it would be so difficult to work with colleagues in the antivirus industry due to delayed release of updates and ignoring the need to urgently fix security issues.

Of the products affected by this problem are mentioned to the following:


  • BitDefender GravityZone
  • Comodo Endpoint Security
  • Eset File Server Security
  • F-Secure Linux Security
  • Kaspersy Endpoint Security
  • McAfee Endpoint Security
  • Sophos Anti-Virus for Linux


  • Avast Free Anti-Virus
  • Avira Free Anti-Virus
  • BitDefender GravityZone
  • Comodo Endpoint Security
  • F-Secure Computer Protection
  • FireEye Endpoint Security
  • Intercept X (Sophos)
  • Kaspersky Endpoint Security
  • Malwarebytes for Windows
  • McAfee Endpoint Security
  • Panda Dome
  • Webroot Secure Anywhere


  • AVG
  • BitDefender Total Security
  • Eset Cyber ​​Security
  • Kaspersky Internet Security
  • McAfee Total Protection
  • Microsoft Defender (BETA)
  • Norton Security
  • Sophos Home
  • Webroot Secure Anywhere


The content of the article adheres to our principles of editorial ethics. To report an error click here!.

A comment, leave yours

Leave a Comment

Your email address will not be published.



  1. Responsible for the data: Miguel Ángel Gatón
  2. Purpose of the data: Control SPAM, comment management.
  3. Legitimation: Your consent
  4. Communication of the data: The data will not be communicated to third parties except by legal obligation.
  5. Data storage: Database hosted by Occentus Networks (EU)
  6. Rights: At any time you can limit, recover and delete your information.

  1.   guillermoivan said

    the most striking ... is how ramsomware is currently spreading and that AV developers take 6 months to implement a patch ...