Intel Security released a new version that patches a security hole in its McAfee Enterprise antivirus.
The vulnerability could allow an attacker to disable the antivirus on a victim’s computer.
The McAfee VirusScan Enterprise antivirus could end up disabled following very simple steps, allowing attackers to install malware on the user’s system, said Italian security researcher Agazzini Maurizio working for Mediaservice, a local IT security advisory firm.
The issue resides in a feature added to the McAfee VirusScan engine to protect it from local Windows admin users that might accidentally alter its normal mode of operation.
By default, the antivirus uses a password that Windows admin users must provide in order to disable the McAfee VirusScan protection engine.
Maurizio discovered this feature was not properly implemented, and allowed attackers to bypass the admin password.
“The McAfee VirusScan Console checks the password and requests the engine to unlock the safe registry keys,” Maurizio said on a blog post. “No checks are done by the engine itself, so anyone can directly request the engine to stop without knowing the correct management password.”
The researcher created a tool that automatically alters the needed registry keys, so the attacker can disable the antivirus without entering the password.
If we take into account how easy it is to automate the entire process via PowerShell commands, the attack opens a large hole in McAfee’s defense.
Fortunately, as the researcher found, the threat of this attack is present only if the attacker manages to gain admin privileges on an infected machine, otherwise the attack cannot be carried out.
Because of this reason, when Intel received the bug report in November 2014, it prioritized other more important issues and published a patch for this problem on February 25, almost 15 months later.
The McAfee VirusScan Enterprise antivirus version SB10151 has been released to address this issue. All McAfee Viruscan Enterprise versions prior to 8.8 without SB10151 installed suffer from the issue.