Deactivating endpoint protection software in an unauthorized manner (Revisited)



In general, endpoint protection software is a security control measure to protect IT systems, for example client or server systems, from different threats. Typical features of endpoint protection software are anti-virus and malware detection, application and device control mechanisms, or specific firewall functionalities.


Endpoint protection software is often password protected in order to restrict access to a management console, used for changing settings or deactivating protection features, to authorized users only. This protection reduces the risk of unauthorized or unintended changes to the functioning of the software, and restricting administrative access is generally a good idea – especially when it comes to security (principle of least privilege).

In order to access and use a protected management functionality, a password is usually required (password-based authentication). In some situations, this feature can be useful for IT support. But if the password-based authentication is not implemented properly, low-privileged attackers or malware are able to change the protection settings or to deactivate the protection entirely in an unauthorized manner, without having to know the correct password, rendering the endpoint protection software useless.
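As an added illustration that is not part of the paper, the following constructed Python model shows the design distinction at issue: a management console that checks the password inside the low-privileged UI and then calls an unguarded service function, beside a privileged service that verifies the password itself before changing any protection state. The class and function names and the sample password are assumptions made for this example.

```python
import hashlib
import hmac
import os


class ProtectionService:
    """Privileged component that owns the protection state (e.g. a system service)."""

    def __init__(self, password: str):
        # Constructed example: store a salted PBKDF2 hash, never the plain password.
        self._salt = os.urandom(16)
        self._digest = self._hash(password)
        self.protection_enabled = True

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def disable_trusting_caller(self) -> None:
        # Weak design: the service assumes the caller already verified the password.
        self.protection_enabled = False

    def disable_with_password(self, password: str) -> bool:
        # Hardened design: the privileged side verifies the password itself, with a
        # constant-time comparison, before it touches any state.
        if not hmac.compare_digest(self._hash(password), self._digest):
            return False
        self.protection_enabled = False
        return True


def weak_console(service: ProtectionService, entered: str, correct: str) -> bool:
    """Low-privileged UI that performs the check itself, then calls the service."""
    if entered != correct:
        return False
    service.disable_trusting_caller()
    return True


def weak_design_is_bypassable() -> bool:
    """Any caller that skips the UI reaches the unguarded service call directly."""
    service = ProtectionService("sample-password")  # placeholder secret
    service.disable_trusting_caller()  # no password was ever supplied
    return not service.protection_enabled


def hardened_design_rejects_wrong_password() -> bool:
    service = ProtectionService("sample-password")
    rejected = not service.disable_with_password("wrong-guess")
    return rejected and service.protection_enabled
```

The point for a reviewer is where the decision is made: a check that lives only in the unprivileged UI is a policy the privileged service never enforces.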

In 2012, SySS GmbH already published a case study about an authentication bypass vulnerability affecting the endpoint protection software Trend Micro OfficeScan [1]. As this type of security vulnerability is still present in modern endpoint protection software, we decided to raise awareness of this often overlooked security issue again.

In this paper, it will be shown how the violation of secure design principles can cause authentication bypass vulnerabilities, as found in current endpoint protection software products of different vendors in 2015. All the discussed security vulnerabilities have been reported to the manufacturers of the affected software products according to our responsible disclosure policy [2] and were publicly disclosed in several SySS security advisories [3-19] and in a talk at the IT security conference DeepSec in November 2015.

Source: Exploit-db