
Antivirus software can be tricked at the point where it determines the type of the file it is scanning. Dubbed the “Magic Byte” flaw, this method represents a threat according to some specialists.
Security researcher Andrey Bayora discovered that some antivirus programs may let malicious files pass their scanning because of a flaw in the scanning engine. Some industry representatives don’t share that opinion.
Bayora tested several security products by adding extra data to a file. When an antivirus (or similar) scanner opens a file to scan it, it must first determine the type of the file. This is important as it increases scan speed – certain irrelevant files can be skipped, and only the appropriate signatures then need to be tested. It also greatly reduces the chance of false positives. That is what Bayora wrote in his study. If the header of a file is modified, there is a good chance that the antivirus program will be tricked.
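The scanning logic described above, as an added example that is not code from the article or from any of the vendors it names: a toy scanner whose type detection is keyed solely on the leading bytes, beside a hardened variant that treats the header only as a hint for signature ordering and still runs every signature. The magic-byte table, the signature markers (`CONSTRUCTED-BAD-PE` and the like) and the sample files are all constructed for the demonstration and are not real malware signatures.

```python
"""
Added example (not from the article or from any vendor it names): a toy
scanner showing why selecting signatures solely from a file's leading
"magic bytes" can cause a miss, and a hardened variant that uses the header
only to order the work.  All magic values, signature markers and sample
file contents below are constructed for the demo.
"""
from typing import Dict, List

# Constructed magic-byte table: leading bytes -> file type label.
MAGIC: Dict[bytes, str] = {
    b"MZ": "pe",          # PE/DOS executable header prefix
    b"%PDF": "pdf",       # PDF header prefix
    b"GIF8": "gif",       # GIF header prefix
}

# Constructed signature table: file type -> byte patterns treated as malicious.
# The markers are demo placeholders, not real malware signatures.
SIGNATURES: Dict[str, List[bytes]] = {
    "pe":  [b"CONSTRUCTED-BAD-PE"],
    "pdf": [b"CONSTRUCTED-BAD-PDF"],
    "gif": [],            # no signatures for this type: the naive scanner tests nothing
}


def detect_type(data: bytes) -> str:
    """Type detection keyed on the leading bytes only, as the article describes."""
    for magic, label in MAGIC.items():
        if data.startswith(magic):
            return label
    return "unknown"


def naive_scan(data: bytes) -> List[str]:
    """Trusts the header: only the detected type's signatures are tested."""
    ftype = detect_type(data)
    return [s.decode() for s in SIGNATURES.get(ftype, []) if s in data]


def hardened_scan(data: bytes) -> List[str]:
    """Uses the header only as a hint.  The detected type's signatures run
    first (for speed), then every other signature runs as well, so a header
    that does not match the real content cannot cause a signature set to be
    skipped."""
    ftype = detect_type(data)
    ordered = [ftype] + [t for t in SIGNATURES if t != ftype]
    hits: List[str] = []
    for t in ordered:
        for s in SIGNATURES.get(t, []):
            if s in data and s.decode() not in hits:
                hits.append(s.decode())
    return hits


# Constructed sample files.
CLEAN_PE = b"MZ" + b"\x90" * 16 + b"legit-code"
BAD_PE = b"MZ" + b"\x90" * 16 + b"CONSTRUCTED-BAD-PE"
# Same body as BAD_PE, but with an unrelated header in front so the type
# detector labels it "gif" and the naive scanner tests no signatures at all.
MISLABELED = b"GIF89a" + BAD_PE

if __name__ == "__main__":
    for name, blob in [("clean", CLEAN_PE), ("bad", BAD_PE), ("mislabeled", MISLABELED)]:
        print(f"{name:10s} type={detect_type(blob):7s} "
              f"naive={naive_scan(blob)} hardened={hardened_scan(blob)}")
```

The naive scanner reports `BAD_PE` but misses `MISLABELED`, because the mismatched header steers it to a type with no signatures; the hardened scanner reports both. The cost of the hardened approach is exactly the speed benefit the article mentions, which is the trade-off the affected vendors had to revisit.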
“This is one of the most significant antivirus vulnerabilities of recent times as it affects the majority of scanner software,” Bayora wrote.
According to the researcher, security software from Trend Micro, McAfee, Computer Associates and Kaspersky Lab is vulnerable to this “bug”. Products from Symantec, F-Secure and BitDefender are not affected.
“It’s not a real security vulnerability, as this is the way antivirus scanners work: If someone creates a new malware, the antivirus industry will create a new signature for it,” said Andreas Marx, an antivirus software expert at the University of Magdeburg in Germany. “This way always leaves a detection and protection gap.”
Kaspersky and Trend Micro see this as a serious problem and already offer patches for their software. “A patch for affected products is currently being tested and should be available within a week,” Kaspersky posted on its website.