German security firm n.runs AG has released a security tool that protects antivirus tools from being abused by malware. N.runs built the product after discovering flaws in the parser engines of antivirus and host-based IDS/IPS scanners that could cause these server-based tools to “turn” on their users. (See Researchers: Bugs Can Turn Security Tools Against Their Users and Antivirus, IDS/IPS Tools Can Be Used for Attacks.)
The new Application Protection System Anti-Virus (aps-AV) system sits in front of the email and AV servers. “Aps-AV has been developed and conceived for the special security requirements of large enterprises and government-related contractors or organizations. [But it’s also for] anybody that needs a high level of security and protection from zero-day” threats, says Thierry Zoller, security engineer for n.runs.
Zoller and Sergio Alvarez, head of research at n.runs, last year discovered hundreds of cases of two types of parser engine bugs in security scanners -- one that let attackers sneak malware past these security tools, and a code execution bug that can read and send email from a victim’s email server to open a backdoor into the network. The vulnerabilities also left the door open for denial-of-service attacks, and for AV tools to help execute malicious code.
The problem with these little-known parser flaws is that they make a layered, defense-in-depth strategy backfire on an organization, Zoller says. N.runs’s aps-AV is aimed at plugging those holes in the email and AV infrastructure, he says, and uses an organization’s existing AV tools. But aps-AV takes potentially malicious data offline to a secure environment for inspection or analysis. That stops parsing attacks from occurring, according to n.runs.
N.runs or one of its partners provides a custom installation of aps-AV, which is priced on an individual basis, according to the firm.
— Kelly Jackson Higgins, Senior Editor, Dark Reading