{"id":75450,"date":"2017-11-13T21:31:19","date_gmt":"2017-11-14T05:31:19","guid":{"rendered":"https:\/\/cloudblogs.microsoft.com\/microsoftsecure\/?p=75450"},"modified":"2023-05-26T14:41:26","modified_gmt":"2023-05-26T21:41:26","slug":"avgater-vulnerability-does-not-affect-windows-defender-antivirus","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2017\/11\/13\/avgater-vulnerability-does-not-affect-windows-defender-antivirus\/","title":{"rendered":"#AVGater vulnerability does not affect Windows Defender Antivirus, MSE, or SCEP"},"content":{"rendered":"

On November 10, 2017, a vulnerability called #AVGater was discovered affecting some antivirus products. The vulnerability requires a non-administrator-level account to perform a restore of a quarantined file.

Windows Defender Antivirus and other Microsoft antimalware products, including System Center Endpoint Protection (SCEP) and Microsoft Security Essentials (MSE), are not affected by this vulnerability.

This vulnerability can be exploited to restore files that have been detected and quarantined by an antivirus product. To exploit this, malicious applications, including those launched by user-level accounts without administrator privileges, create an NTFS junction from the %System% folder to the folder where the quarantined file is located. This NTFS junction can trigger the antivirus product to attempt to restore the file into the %System% folder.

This is a relatively old attack vector. By design, Microsoft antimalware products, including Windows Defender Antivirus, have never been affected by this vulnerability because they do not permit applications launched by user-level accounts to restore files from quarantine. This is part of the built-in protections against this and other known user-account permissions vulnerabilities.

Read more about Windows Defender Antivirus and the rest of our Windows Defender protection products at the following links: