
Security controls bypass or absence - Antivirus

Description

It is possible to modify the configuration files of the antivirus and DLP solutions, so that the protection settings against various attacks are disabled.

Impact

  • Disable antivirus and DLP policies.
  • Access and modify system information and configurations.

Recommendation

Implement mechanisms that prevent unauthorized modification of the antivirus and DLP configurations (restrictive access controls on the configuration files and policies, and tamper protection where the product offers it).

Threat

Unauthorized internal attacker.

Expected Remediation Time

⌚ 120 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: P
  • Attack complexity: L
  • Privileges required: N
  • User interaction: N
  • Scope: U
  • Confidentiality: N
  • Integrity: H
  • Availability: H

Temporal

  • Exploit code maturity: X
  • Remediation level: X
  • Report confidence: X

Result

  • Vector string: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H/E:X/RL:X/RC:X
  • Score:
    • Base: 6.1
    • Temporal: 6.1
  • Severity:
    • Base: Medium
    • Temporal: Medium

Code Examples

Compliant code

Sensitive resources have strict access policies: the policy can only be audited, is private, and cannot be deleted.

Resources:
  DLPPolicy:
    Name: "MyPolicy"
    Rule: "Sensitive_Information"
    Mode: Audit
    AccessControl: Private
    DeletionPolicy: false

Non compliant code

A resource storing sensitive information (like the antivirus configuration) has unsafe access policies: it can be edited, is publicly readable and writable, and can be deleted.

Resources:
  DLPPolicy:
    Name: "MyPolicy"
    Rule: "Sensitive_Information"
    Mode: Edit
    AccessControl: PublicReadWrite
    DeletionPolicy: Delete
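The following is an added example, not code from the original page: a small audit script that flags the weak settings shown above (Mode: Edit, AccessControl: PublicReadWrite, DeletionPolicy: Delete) in a policy document, and separately checks that the on-disk configuration files of the antivirus can only be written by root. The policy text is parsed with a minimal reader for the page's own "Key: value" layout, so no YAML library is required. The sample policies are constructed from the compliant and non-compliant examples above, and the config paths (ClamAV on a Linux host) are an assumption for illustration.

```python
"""Audit a DLP/antivirus policy document and the config files that back
it, so that settings an internal attacker could abuse to disable
protection are caught by a CI or host-hardening check."""
import os
import stat

# Constructed samples in the page's own layout (not real product config).
NON_COMPLIANT_POLICY = """\
Resources:
  DLPPolicy:
    Name: "MyPolicy"
    Rule: "Sensitive_Information"
    Mode: Edit
    AccessControl: PublicReadWrite
    DeletionPolicy: Delete
"""

COMPLIANT_POLICY = """\
Resources:
  DLPPolicy:
    Name: "MyPolicy"
    Rule: "Sensitive_Information"
    Mode: Audit
    AccessControl: Private
    DeletionPolicy: false
"""

# Assumed paths of antivirus config files on a Linux host (ClamAV);
# replace with the files of the product actually deployed.
CONFIG_PATHS = ["/etc/clamav/clamd.conf", "/etc/clamav/freshclam.conf"]


def parse_policy(text):
    """Parse the indented "Key: value" layout into nested dicts.
    Indentation depth decides nesting; surrounding quotes are stripped."""
    root = {}
    stack = [(-1, root)]  # (indent, container currently being filled)
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        value = value.strip().strip('"')
        while indent <= stack[-1][0]:  # dedent: close finished containers
            stack.pop()
        parent = stack[-1][1]
        if value:
            parent[key] = value
        else:
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root


def audit_policy(policy):
    """Return one finding per setting that lets an unauthorized internal
    user edit, expose or delete the protection rules."""
    findings = []
    for name, res in policy.get("Resources", {}).items():
        if not isinstance(res, dict):
            continue
        if res.get("Mode") == "Edit":
            findings.append(f"{name}: Mode is Edit; rules can be rewritten at runtime")
        if res.get("AccessControl") != "Private":
            findings.append(f"{name}: AccessControl is {res.get('AccessControl')}; must be Private")
        if str(res.get("DeletionPolicy", "")).lower() == "delete":
            findings.append(f"{name}: DeletionPolicy allows the policy to be deleted")
    return findings


def audit_mode(st_mode, st_uid):
    """Findings for one file's stat() fields: a non-root owner or any
    group/world write bit means a local user can disable protection."""
    findings = []
    if st_uid != 0:
        findings.append(f"owned by uid {st_uid}, not root")
    if st_mode & stat.S_IWGRP:
        findings.append("group-writable")
    if st_mode & stat.S_IWOTH:
        findings.append("world-writable")
    return findings


def check_config_files(paths=CONFIG_PATHS):
    """Map each existing path to its findings; missing files are skipped."""
    report = {}
    for path in paths:
        try:
            st = os.stat(path)
        except FileNotFoundError:
            continue
        report[path] = audit_mode(st.st_mode, st.st_uid)
    return report


if __name__ == "__main__":
    for label, text in (("compliant", COMPLIANT_POLICY),
                        ("non-compliant", NON_COMPLIANT_POLICY)):
        print(label, audit_policy(parse_policy(text)) or ["no findings"])
    for path, issues in check_config_files().items():
        print(path, issues or ["ok"])
```

Run as root on the host to get a meaningful owner check; any finding on the config files means the recommendation above is not met. On Windows the equivalent first check is that Defender's tamper protection is on (`IsTamperProtected` in the output of `Get-MpComputerStatus`), since with it enabled local changes to the protection settings are rejected regardless of file ACLs.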

Requirements