It has recently come to light that nearly all Symantec antivirus products are vulnerable to remote code execution that could give attackers root access to computers. The reason why this bug is particularly nasty is because it affects Symantec's antivirus engine which is embedded into the Windows kernel, giving it the ability to cripple computer systems. Symantec isn't the only antivirus vendor that has experienced serious security flaws but it does beg the question: how should you protect yourself when you can't rely on commercial antivirus products? Read on to find out more.
With Symantec's antivirus engine residing in Ring 0, the highest privilege level of the Windows operating system, the bug in question allows attackers to trigger a buffer overflow. Google security researcher Tavis Ormandy, who found the bug, demonstrated how easily the vulnerability can be exploited by sending Symantec an email with a malformed file that crashed the company's email server. But savvy attackers can also gain access to a Windows computer through the flaw, as it allows data to be written directly into kernel memory.
According to Ormandy:
"Because Symantec use a filter driver to intercept all system I/O, just emailing a file to a victim or sending them a link is enough to exploit it. On Linux, Mac and other UNIX platforms, this results in a remote heap overflow as root in the Symantec or Norton process. On Windows, this results in kernel memory corruption, as the scan engine is loaded into the kernel (wtf!!!), making this a remote ring0 memory corruption vulnerability — this is about as bad as it can possibly get."
Ormandy has been on a warpath to expose serious security bugs on Windows-based antivirus products and has previously found flaws in TrendMicro, Kaspersky, MalwareBytes and AVG offerings, just to name a few. This new bug discovery has caused quite a bit of furore because Symantec's antivirus engine puts itself in the kernel. But guess what? Most antivirus products have their scan engine running alongside the system kernel.
This is how Kaspersky explains it:
This is because the antivirus products need to intercept system events, deep within the computer. The intercepted data is then passed to the antivirus engine for analysis — so the antivirus scanner can scan intercepted files, network packets and other critical data.
This is also why you usually can't install multiple antivirus programs on one computer because they'll compete to install their scan engine in the same part of the system kernel.
So if you've lost faith in commercial antivirus software, what are the alternatives?
For one, you can always fall back on Windows Defender, which is Microsoft's free real-time antivirus program. It's included and enabled by default in Windows 10 and is also available for Windows 7, 8 and 8.1. While it's a bit thin on features and not as good as some of the other antivirus products out there, it does catch more than 99 per cent of "widespread and prevalent malware" on Windows 10 PCs, according to tests run by AV-Test Institute. It's discreet as well, running quietly in the background — only showing notifications when necessary.
Windows Defender is also tightly integrated into the Windows security and update model, meaning the antivirus can take advantage of platform protections offered by Microsoft.
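As an added example (not code from the article or from any vendor mentioned in it), the PowerShell script below lets you see the situation the article describes on your own machine: which antivirus products are registered with Windows Security Center, which file-system minifilter drivers are currently loaded in the kernel (the hook point the Kaspersky explanation refers to), and whether Windows Defender's real-time protection is actually switched on. It assumes Windows 8.1 or 10 with PowerShell 5.x and an elevated prompt; `fltmc` needs administrator rights and the Defender cmdlets are not present on Windows 7.

```powershell
# Added example, not code from the article. Run from an elevated PowerShell 5.x
# prompt on Windows 8.1/10 ("fltmc" needs administrator rights; the Defender
# cmdlets are not available on Windows 7).

# Antivirus products registered with Windows Security Center (client SKUs only).
function Get-RegisteredAntivirus {
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' |
        Select-Object displayName,
                      @{ Name = 'productState'; Expression = { '0x{0:X6}' -f $_.productState } }
}

# File-system minifilter drivers currently loaded in the kernel. Antivirus engines
# hook file I/O here, which is why one engine per machine is the norm. Parses the
# tabular output of "fltmc filters" (columns: name, instances, altitude, frame).
function Get-LoadedMinifilters {
    $raw = & fltmc.exe filters 2>&1
    if ($LASTEXITCODE -ne 0) { throw "fltmc failed (run as administrator?): $raw" }
    foreach ($line in $raw) {
        if ("$line" -match '^(\S+)\s+(\d+)\s+([\d.]+)\s+(\d+)\s*$') {
            [pscustomobject]@{
                Name      = $Matches[1]
                Instances = [int]$Matches[2]
                Altitude  = $Matches[3]   # higher altitude = higher in the I/O stack, sees a request first
                Frame     = [int]$Matches[4]
            }
        }
    }
}

# Whether Windows Defender's engine and real-time scanning are on, and how old
# its signatures are. Returns $null when the Defender module is not installed.
function Get-DefenderState {
    if (-not (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue)) {
        return $null
    }
    Get-MpComputerStatus |
        Select-Object AMServiceEnabled, AntivirusEnabled, RealTimeProtectionEnabled,
                      AntivirusSignatureAge, AntivirusSignatureLastUpdated
}

'== Registered antivirus products =='
Get-RegisteredAntivirus | Format-Table -AutoSize
'== Loaded kernel minifilters =='
Get-LoadedMinifilters | Sort-Object { [double]$_.Altitude } -Descending | Format-Table -AutoSize
'== Windows Defender =='
$defender = Get-DefenderState
if ($null -eq $defender) { 'Defender PowerShell module not available on this system.' }
else { $defender | Format-List }
```

On a Windows 10 machine with Defender active you should see its minifilter (WdFilter) in the second table and RealTimeProtectionEnabled set to True; a third-party product that has taken over will typically show its own filter instead and Defender's real-time protection off.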
But here's the thing: you shouldn't solely rely on an antivirus product to protect you in the first place. Being smart about what you do on the internet can go a long way. Be careful of what websites you visit and be vigilant about dodgy emails.
If you want to take that extra step, you can always run an anti-exploit solution such as Microsoft's Enhanced Mitigation Experience Toolkit (EMET). It provides an extra layer of defence against malware attacks by preventing vulnerabilities in software from being successfully exploited. EMET can be trying to set up for the average user, as it is mainly targeted at system administrators, but at least it's free.
What are your thoughts on the antivirus products that are currently out on the market? Let us know in the comments.