Thursday, March 27, 2008

New Tool Protects You From Antivirus Gone Wild

FEBRUARY 26, 2008 -- A German security firm has released a security tool that protects antivirus tools from being abused by malware. N.runs built the product after discovering flaws in the parser engines of antivirus and host-based IDS/IPS scanners that could cause these server-based tools to “turn” on their users.

The new Application Protection System Anti-Virus (aps-AV) system sits in front of the email and AV servers. “Aps-AV has been developed and conceived for the special security requirements of large enterprises and government-related contractors or organizations. [But it’s also for] anybody that needs a high level of computer security and maintenance and protection from zero-day” threats, says Thierry Zoller, security engineer for n.runs.

Zoller and Sergio Alvarez, head of research at n.runs, last year discovered hundreds of cases of two types of parser engine bugs in security scanners -- one that let attackers sneak malware past these security tools, and a code execution bug that can read and send email from a victim’s email server to open a backdoor into the network. The vulnerabilities also left the door open for denial-of-service attacks, and for AV tools to help execute malicious code.

The problem with these little-known parser flaws is that they make a layered, defense-in-depth strategy backfire on an organization, Zoller says. N.runs’s aps-AV is aimed at plugging those holes in the email and AV infrastructure, he says, and uses an organization’s existing AV tools. But aps-AV takes potentially malicious data offline to a secure environment for inspection or analysis. That stops parsing attacks from occurring, according to n.runs.

Source: http://www.darkreading.com/document.asp?doc_id=146955
