The same as other antivirus programs, Symantec Endpoint Protection uses a mini-filter filesystem driver to protect its folders from intrusion, preventing even users with admin privileges from altering them. Specifically, the software looks for the file at C:\Windows\SysWOW64\wbem\DSPARSE.dll, but the DLL is actually located in the SysWow64 folder directly. The issue, the researchers say, is that Symantec Endpoint Protection, a signed process running as NT AUTHORITY\SYSTEM - meaning that it has the highest privileges on a machine - is attempting to load a DLL that doesn’t reside at the expected path. Over the past several weeks, SafeBreach has disclosed similar issues in security products from Avast, AVG, Avira, McAfee, Forcepoint, Trend Micro, Bitdefender and Check Point. The software is impacted by a vulnerability that could allow an attacker that has administrative privileges to bypass self-defense mechanisms and load an unsigned DLL file, SafeBreach security researchers explain in a new blog post. Symantec Endpoint Protection is the latest antivirus product found to unsafely load DLLs into a process that runs with SYSTEM privileges.
0 kommentar(er)
