McAfee gaffe a quick AV kill for enterprising staff
Anti-virus engine easily disable.
Intel Security has fixed a flaw that made it possible to shut down its McAfee Enterprise virus engine, thereby allowing the installation of malware and pirated software.
The hotfix addresses an issue that Agazzini Maurizio, senior security advisor at Rome-based consultancy Mediaservice, first warned about 15 months ago. McAfee acknowledged the bypass in December 2014 and released the patch on 25 February 2016.
The flaw requires users or attackers first gain local administrator privileges, a level of access that many organisations lazily afford staff.
"McAfee VirusScan Enterprise has a feature to protect the scan engine from local Windows administrators [and] a management password is needed to disable it," Maurizio says.
"From our understanding this feature is implemented insecurely: the McAfee VirusScan Console checks the password and requests the engine to unlock the safe registry keys.
"No checks are done by the engine itself, so anyone can directly request the engine to stop without knowing the correct management password."
All versions are affected.
Attackers can either use Maurizio's tool or alter registry keys before opening the McAfee console and choosing 'no password'
Removing administrator rights from user accounts goes a long way to helping organisational security postures.
In May Manchester-based security firm Avecto reckoned 97 percent of critical Microsoft vulnerabilities released in 2014 would be mitigated by removing admin rights. ®