Date: 2016-06-26
Avast Business Security 11.1.2241 Bypass a restriction or similar Vulnerability
23 Jan. 2017
Summary
Avast Internet Security v11.x.x, Pro Antivirus v11.x.x, Premier v11.x.x, Free Antivirus v11.x.x, Business Security v11.x.x, Endpoint Protection v8.x.x, Endpoint Protection Plus v8.x.x, Endpoint Protection Suite v8.x.x, Endpoint Protection Suite Plus v8.x.x, File Server Security v8.x.x, and Email Server Security v8.x.x allow attackers to bypass the DeepScreen feature via a DeviceIoControl call.
Vulnerable Systems:
* Avast Business Security 11.1.2241
* Avast Business Security 11.1.2245
* Avast Business Security 11.1.2253
* Avast Business Security 11.1.2260
* Avast Business Security 11.1.2261
* Avast Business Security 11.1.2262
* Avast Email Server Security 8.0.1606
* Avast Email Server Security 8.0.1609
* Avast Endpoint Protection 8.0.1606
* Avast Endpoint Protection 8.0.1609
* Avast Endpoint Protection Plus 8.0.1606
* Avast Endpoint Protection Plus 8.0.1609
* Avast Endpoint Protection Suite 8.0.1606
* Avast Endpoint Protection Suite 8.0.1609
* Avast Endpoint Protection Suite Plus 8.0.1606
* Avast Endpoint Protection Suite Plus 8.0.1609
* Avast File Server Security 8.0.1606
* Avast File Server Security 8.0.1609
* Avast Free Antivirus 11.1.2241
* Avast Free Antivirus 11.1.2245
* Avast Free Antivirus 11.1.2253
* Avast Free Antivirus 11.1.2260
* Avast Free Antivirus 11.1.2261
* Avast Free Antivirus 11.1.2262
* Avast Internet Security 11.1.2241
* Avast Internet Security 11.1.2245
* Avast Internet Security 11.1.2253
* Avast Internet Security 11.1.2260
* Avast Internet Security 11.1.2261
* Avast Internet Security 11.1.2262
* Avast Premier 11.1.2241
* Avast Premier 11.1.2245
* Avast Premier 11.1.2253
* Avast Premier 11.1.2260
* Avast Premier 11.1.2261
* Avast Premier 11.1.2262
* Avast Pro Antivirus 11.1.2241
* Avast Pro Antivirus 11.1.2245
* Avast Pro Antivirus 11.1.2253
* Avast Pro Antivirus 11.1.2260
* Avast Pro Antivirus 11.1.2261
* Avast Pro Antivirus 11.1.2262
An Avast Sandbox escape is possible due to a design flaw in the Avast DeepScreen feature. It is likely that this flaw will remain in supported Avast products for some time.
Breaking static AV detection signatures is quite trivial. The AV industry has started to understand that it can no longer rely on them, nor on simple heuristics over known behavioural patterns, for example those based on a certain logic of execution paths and function calls.
The next big thing in malware detection, from the AV point of view, is sandboxing an unknown sample and analysing it inside a fully controlled environment while monitoring its behaviour in a more generic way.