Antivirus(AV) software plays a major role when it comes to the security aspect of a computerized system as it helps to protect the system from malicious codes that can be harmful to the system. But you’d never think to protect your system from the AV software. The truth is AV can be potentially dangerous to any organization’s system so it should be tested thoroughly before being deployed. Therefore, Antivirus software should be a part of threat modeling, which is the process of identifying objectives and vulnerabilities and defining countermeasures to prevent or mitigate effect of threats to the system.
AV software could threaten confidentiality (C), integrity (I) and availability (A) which is the security triad of a system. In each security system, one of these three components will take the precedence over the other. In some organizations, breach of confidentiality is the most damaging impact while for others, violating integrity and availability cause the most impact.
Confidentiality
Many outlets like WSJ have found out how an antivirus software could violate confidentiality of a system. According to their findings, antivirus software could upload files to their cloud scanning devices while searching for files. Once the files are uploaded, the antivirus software vendor could alert the interested third parties about the files and specific targets in the cloud can be directly sent to some third parties like Russian intelligence.
Integrity
Changing the content of the files, which cause the violation of integrity, gives some devastating impacts. These impacts are harder to detect if the changes are small. Few months back, Stuxnet, a malicious computer worm damaged Iranian centrifuges by fundamentally altering the integrity of the data. It hid the changes from operators, and in some cases, indirect modifications to the ERP (Enterprise Resource Planning) system of a manufacturing firm, which is used to gather data for their contract bid, could cause the company to create a sub optimal bid based on false cost information.
Consider an inventory tracking system in a military depot where combatant commanders rely on supplies to enable troop movements. If someone makes a change on inventory system, falsifying data to show more fuel and other provisions would affect the battle field. Antivirus software operates on a kernel level so that it can write any file in the local system, even the files that are opened in ‘exclusive mode’ on windows.
Furthermore, antivirus software can copy any user logged into the system and access any files on network shares. In most of the cases, the AV software has to take responsibility for violations of integrity. According to Occam’s Razor, at first, we consider issues like software and human errors. Most attacks on integrity cannot be blamed on cyber attacks at all. AV can be blamed for integrity issues if there is a very advanced arrangement on the machine. These arrangements address the resources possessed by most organizations and could be easily identified by the antivirus software.
Availability
Most antivirus software operate a network firewall and can terminate processes which will directly affect the availability of information systems. Whenever AV needs a machine to become temporarily unavailable, all it has to do is terminate the lsass.exe process from kernel space. It will shut down the machine without saving open files, which would impact on integrity. If the antivirus software is running on the database server, it could kill server and database client processes while selectively terminating connections to the database server.
Antivirus vendors deploying signatures which provide false positive detections could also affect the availability. This cannot be targeted as specifically as the other options but might be the most feasible option if reasonable deniability is needed. By overwriting portions of the hard drive, the AV vendor can simply render a machine unbootable, greatly affecting the availability of the system files needed for boot.
Abusing antivirus software can have big impacts. As discussed above, antivirus software vendors have immense remote access to systems where their antivirus software is deployed. By installing an antivirus software, you keep a great amount of trust in the vendor to do only the right things. Therefore, when building a threat model, make sure that you consider how you might react to an issue caused by your own security software.
Reference: ‘ Should Antivirus should be a part of your threat model? ’ by RenditionSec
https://www.renditioninfosec.com/2017/10/should-antivirus-software-be-part-of-your-threat-model/