Rack911: Easy to manipulate antivirus software into self-destructive tools

Rack911 has proven that most antivirus software fail to take into consideration the small window of time between the initial file scan that detects the malicious file and the cleanup operation that takes place immediately after. A malicious local user or malware author is often able to perform a race condition via a directory junction (Windows) or a symlink (Linux & macOS) that leverages the privileged file operations to disable the antivirus software or interfere with the operating system to render it useless, etc.

The investigators have published proof of concepts for Kaspersky, McAfee and Norton and many more on their blog post