The company claims that most of its products' components, such as the antimalware engine and the Active Threat Control subsystem, already run with the privileges of the logged-in user, and that it uses brokering processes to limit the number of components running with system privileges, even in its consumer products.
On the business side, the company developed a solution called Gravity Zone that allows administrators to run the scanning service on a different machine on the network instead of on the endpoint. It also recently introduced HVMI (Hypervisor-based Memory Introspection) technology, which isolates the antimalware solution by deploying it in a Type 1 hypervisor outside of the guest operating system.
"This kind of isolation separates the antimalware engines from rootkits or exploits running in the user environment," the company said.
Avast did not respond to repeated requests for comment, while Malwarebytes, AVG and ESET declined to comment for this story or failed to send any responses before publication despite being given ample time.
Risk vs reward
The large, easy-to-exploit attack surface introduced by antivirus products, combined with the likelihood of targeted attacks, raises the question of whether it's even worth installing such programs in some enterprise environments.
Some researchers doubt the effectiveness of endpoint antivirus products when faced with sophisticated and carefully engineered malware programs like those used by cyberespionage groups. Their view is that there's little reward compared to the risk, especially for organizations from industries that are commonly targeted by such attackers.
"Antivirus products can only be used, from my viewpoint, as protection tools for rather small companies and home users," Koret said. Antivirus products cannot detect what is unknown, regardless of what they advertise, and evading antivirus detection is trivial and something that most malware developers test before releasing their malicious code, he said.
Ollmann, who has been a long-time critic of endpoint antivirus products, believes that the security protections increasingly built into operating systems will eventually render such programs obsolete.
In fact, even now, some antivirus vendors have to subvert built-in OS security mechanisms in order to get their products to work as they want, which further exposes those systems to compromise, he said.
An example of such subversion came recently, when Israeli data exfiltration prevention company enSilo reported a vulnerability in products from Intel Security, Kaspersky Lab and AVG that had the effect of disabling OS-based anti-exploitation defenses for other applications.
These antivirus products allocated a memory page with read, write and execute permissions, at a predictable address, inside user-mode processes belonging to other applications like Adobe Reader and Web browsers, the enSilo researchers explained in a blog post. That combination undoes Windows exploit mitigations such as address space layout randomization (ASLR) and data execution prevention (DEP) for those third-party applications: an attacker who finds a memory corruption bug in one of them can place code in a page that is already executable, at an address that never needs to be leaked, which makes exploitation much easier.
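As an added example (not code from the article, enSilo or any of the vendors named), the following Python script shows the check a defender would run for this class of flaw: walk the address space of unrelated processes, pick out committed read-write-execute regions that are not part of a mapped image, and report any address that is RWX in all of them. The Win32 constants and the MEMORY_BASIC_INFORMATION layout are the documented winnt.h values; the live walker needs Windows, while the embedded region lists, including their addresses, are constructed for illustration so the detection logic runs anywhere.

```python
"""Flag RWX pages that sit at one address across several processes.

Added example, not enSilo's or any vendor's code. Win32 constants and the
MEMORY_BASIC_INFORMATION layout are the documented winnt.h values; the
SAMPLE_REGIONS data and every address in it are constructed.
"""
import ctypes
import sys

# Memory protection, state and type constants from winnt.h
PAGE_READONLY = 0x02
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
PAGE_MODIFIER_MASK = 0x100 | 0x200 | 0x400  # PAGE_GUARD, PAGE_NOCACHE, PAGE_WRITECOMBINE
MEM_COMMIT = 0x1000
MEM_RESERVE = 0x2000
MEM_PRIVATE = 0x20000
MEM_IMAGE = 0x1000000


def is_rwx(protect):
    """True when a protection value is writable and executable at once."""
    return (protect & ~PAGE_MODIFIER_MASK) in (PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY)


def rwx_regions(regions):
    """Committed, non-image RWX regions from (base, size, state, protect, type)
    tuples. JITs allocate private RWX pages too, so a hit is a lead, not a verdict."""
    return [(base, size) for base, size, state, protect, mtype in regions
            if state == MEM_COMMIT and mtype != MEM_IMAGE and is_rwx(protect)]


def shared_rwx_addresses(regions_by_pid):
    """Base addresses that are RWX in every process given. A constant RWX
    address in unrelated processes is what undoes ASLR: it can be hard-coded."""
    address_sets = [{base for base, _ in rwx_regions(r)} for r in regions_by_pid.values()]
    return set.intersection(*address_sets) if address_sets else set()


class MEMORY_BASIC_INFORMATION(ctypes.Structure):
    # DWORD is 32 bits on every Windows target; PartitionId only exists on 64-bit.
    _fields_ = ([("BaseAddress", ctypes.c_void_p),
                 ("AllocationBase", ctypes.c_void_p),
                 ("AllocationProtect", ctypes.c_uint32)]
                + ([("PartitionId", ctypes.c_uint16)] if ctypes.sizeof(ctypes.c_void_p) == 8 else [])
                + [("RegionSize", ctypes.c_size_t),
                   ("State", ctypes.c_uint32),
                   ("Protect", ctypes.c_uint32),
                   ("Type", ctypes.c_uint32)])


def read_process_regions(pid):
    """Walk a live process's address space with VirtualQueryEx (Windows only;
    the caller needs PROCESS_QUERY_INFORMATION access to the target)."""
    if sys.platform != "win32":
        raise OSError("VirtualQueryEx is only available on Windows")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_uint32]
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.VirtualQueryEx.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_void_p, ctypes.c_size_t]
    k32.VirtualQueryEx.restype = ctypes.c_size_t
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    handle = k32.OpenProcess(0x0400, False, pid)  # PROCESS_QUERY_INFORMATION
    if not handle:
        raise ctypes.WinError(ctypes.get_last_error())
    regions, address, mbi = [], 0, MEMORY_BASIC_INFORMATION()
    try:
        # VirtualQueryEx returns 0 once the address passes the end of user space.
        while k32.VirtualQueryEx(handle, ctypes.c_void_p(address), ctypes.byref(mbi), ctypes.sizeof(mbi)):
            base = mbi.BaseAddress or 0
            regions.append((base, mbi.RegionSize, mbi.State, mbi.Protect, mbi.Type))
            address = base + mbi.RegionSize
    finally:
        k32.CloseHandle(handle)
    return regions


# Constructed sample: two unrelated processes that both carry a private RWX
# page at the same made-up address, plus a JIT-style RWX page in only one.
SAMPLE_REGIONS = {
    1234: [(0x00400000, 0x1000, MEM_COMMIT, PAGE_READONLY, MEM_IMAGE),
           (0x00401000, 0x20000, MEM_COMMIT, PAGE_EXECUTE_READ, MEM_IMAGE),
           (0x01000000, 0x100000, MEM_COMMIT, PAGE_READWRITE, MEM_PRIVATE),
           (0x0A000000, 0x10000, MEM_COMMIT, PAGE_EXECUTE_READWRITE, MEM_PRIVATE),
           (0x7FF00000, 0x1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE, MEM_PRIVATE),
           (0x7FF01000, 0x1000, MEM_RESERVE, 0, MEM_PRIVATE)],
    5678: [(0x10000000, 0x1000, MEM_COMMIT, PAGE_READONLY, MEM_IMAGE),
           (0x10001000, 0x50000, MEM_COMMIT, PAGE_EXECUTE_READ, MEM_IMAGE),
           (0x02000000, 0x80000, MEM_COMMIT, PAGE_READWRITE, MEM_PRIVATE),
           (0x7FF00000, 0x1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE, MEM_PRIVATE)],
}

if __name__ == "__main__":
    pids = [int(p) for p in sys.argv[1:]]
    data = {p: read_process_regions(p) for p in pids} if pids else SAMPLE_REGIONS
    for pid, regions in data.items():
        for base, size in rwx_regions(regions):
            print(f"pid {pid}: RWX region at {base:#x}, size {size:#x}")
    for base in sorted(shared_rwx_addresses(data)):
        print(f"RWX page at {base:#x} in every process: predictable and injectable")
```

Run it with no arguments to see the constructed sample evaluated; on Windows, pass two or more PIDs of unrelated programs (a browser and a PDF reader, say) to inspect live processes. Image-backed regions are skipped because their protections come from the executable itself, and the cross-process intersection is the discriminating signal: a single private RWX page is common in JIT-enabled programs, whereas the same RWX address in processes that share no code points at something injected into all of them.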