Masquerade Attacks Against Security Software Exclusion Lists

Security software, commonly known as Antivirus, has evolved from simple virus scanners to become multi-functional security suites. To combat ever-growing malware threats, modern security software utilizes both static and dynamic analysis to assess malware threats, inevitably leading to occasional false positive and false negative reports. To mitigate this, existing state-of-the-art security software offers the feature of Exclusion Lists to allow users to exclude specified files and folders from being scanned or monitored. Through rigorous evaluation, however, we found that some of such products stored their Exclusion Lists as unencrypted cleartexts either in known or predictable locations. In this paper we empirically demonstrate how easy it is to exploit the Exclusion Lists by launching masquerade attacks. We argue that the Exclusion Lists should be better implemented such as using application whitelisting, the contents of the lists to be better safeguarded, and only be readable by authorized entities within a strong access control scheme.

Description

Australian Journal of Intelligent Information Processing Systems (AJIIPS) publishes fully open access journals, which means that all articles are available on the internet to all users immediately upon publication. Non-commercial use and distribution in any medium is permitted, provided the author and the journal are properly credited.

Citation

Australian Journal of Intelligent Information Processing Systems, 2019, 16 (4), pp. 1 - 1

URI

https://hdl.handle.net/10179/16288

Collections

Journal Articles

Full item page