PoC: Avast, AVG and Microsoft Defender tricked by "wiper tool" to delete files

Sicherheit (Pexels, allgemeine Nutzung)[German]cecurity tools such as virus scanners claim to protect systems from threats. But malfunctions or vulnerabilities can unintentionally expose systems to particular risks. A security researcher recently demonstrated in a proof-of-concept (POC) that anti-malware solutions can be tricked into selectively deleting files on a system. The researcher called this approach "aikido" – derived from the Japanese martial art of using an opponent's attack against the opponent himself.


There is always a debate about whether you should use third-party antivirus tools to protect your (Windows) systems. Here in the blog, however, I had pointed out several times that malfunctions and vulnerabilities in such products pose risks and can cause damage. Or Yair, security researcher at SafeBreach wanted to know more and took a look at various endpoint detection and response (EDR) and antivirus (AV) solutions.

As expected, Or Yair discovered various vulnerabilities in these products. He was particularly interested in wipers, i.e. software that deletes files from the target systems. Security solutions such as antivirus software run with the highest system rights, i.e. they have full access to all files on the system. Using these vulnerabilities, he was able to make a wiper running with normal user privileges cause security solutions running with system privileges to delete harmless files on the target systems. This included system files, making the systems unbootable.

The security researcher examined eleven security products from various manufacturers and found vulnerabilities in 50% of the products. Microsoft Defender, Sentinel One EDR, Trend Micro Aprex One, Avast Antivius and AVG Antivirus were vulnerable. All of the above products are commonly used on Windows. With Microsoft Defender and Defender for Endpoint, it was not possible to delete individual files, but complete directories could be removed by the wiper.

The security researcher reported these vulnerabilities to the affected manufacturers between July and August 2022. There was close cooperation with the manufacturers over the following four months to close subsequent vulnerabilities before the PoC was published.

  • Microsoft: CVE-2022-37971
  • TrendMicro: CVE-2022-45797
  • Avast und AVG: CVE-2022-4173

The vendors have released new versions or patches for the vulnerable software to close this vulnerability:


  • Microsoft Malware Protection Engine: 1.1.19700.2
  • TrendMicro Apex One: Hotfix 23573 und Patch_b11136
  • Avast & AVG Antivirus: 22.10

If not already done, users should update to these versions. The security researcher compiled the findings in a proof-of-concept (POC) and presented it at BlackHat Europe. An initial outline was then published on December 7, 2022 in the article SafeBreach Labs Researcher Discovers Multiple Zero-Day Vulnerabilities in Leading Endpoint Detection and Response (EDR) and Antivirus (AV) Solutions. (via)

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security, Windows and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *