According to the researchers, this method works because of a fundamental flaw in how antivirus software performs real-time scans of unknown files. Almost all of them run in a privileged state, that is, with the highest level of authority on the operating system, so the file operations they perform during a scan carry that same authority.
"What most antivirus software fails to take into consideration is the small window of time between the initial file scan that detects the malicious file and the cleanup operation that takes place immediately after," RACK911 explains in a blog post.
"A malicious local user or malware author is often able to perform a race condition via a directory junction (Windows) or a symlink (Linux & macOS) that leverages the privileged file operations to disable the antivirus software or interfere with the operating system to render it useless, etc," RACK911 continues.
What the researchers essentially discovered is that they can use a link to swap a malicious file for a clean one. When an antivirus program scans a file and determines it's malicious, there is a short window between detection and deletion in which the path to the malicious file can be redirected to a clean file. Doing so causes the antivirus program, with its elevated privileges, to delete the clean file instead of the malicious one.
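The scan-to-cleanup race described above, as an added example that is not RACK911's proof of concept: a naive scan-then-delete routine next to a hardened one that pins the parent directory by descriptor, scans through that descriptor, and unlinks only the object it actually scanned. It assumes a POSIX system with `dir_fd` support (Linux or macOS), a stand-in scan engine keyed on a constructed marker, and a constructed directory-swap scenario standing in for the window the researchers describe.

```python
import os
import stat
import tempfile

MARKER = b"CONSTRUCTED-MALWARE-MARKER"  # constructed signature for the stand-in scanner

def looks_malicious(data: bytes) -> bool:
    return MARKER in data  # stand-in for the real scan engine

def naive_cleanup(path, between=lambda: None):
    """Scan by path, then delete by path: the path is resolved twice, so whatever it
    resolves to after `between` (the window the researchers describe) gets deleted."""
    with open(path, "rb") as f:
        if not looks_malicious(f.read()):
            return False
    between()
    os.remove(path)  # follows a directory symlink/junction swapped in during the window
    return True

def safe_cleanup(path, between=lambda: None):
    """Pin the parent directory by descriptor, open the entry without following links,
    scan through that descriptor, and unlink only the exact object that was scanned."""
    parent, name = os.path.split(os.path.abspath(path))
    dfd = os.open(parent, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW, dir_fd=dfd)
        with os.fdopen(fd, "rb") as f:
            scanned = os.fstat(f.fileno())
            if not stat.S_ISREG(scanned.st_mode) or not looks_malicious(f.read()):
                return False
        between()
        now = os.lstat(name, dir_fd=dfd)  # relative to the pinned directory, links not followed
        if (now.st_dev, now.st_ino) != (scanned.st_dev, scanned.st_ino):
            return False  # the entry is no longer the object that was scanned: refuse
        os.unlink(name, dir_fd=dfd)  # removes the scanned object wherever its directory now lives
        return True
    finally:
        os.close(dfd)

def run_scenario(cleanup):
    """Constructed scenario: between scan and delete, the flagged file's directory is renamed
    away and replaced by a symlink to a directory holding a clean file of the same name.
    Returns (cleanup_result, clean_file_survived)."""
    with tempfile.TemporaryDirectory() as d:
        drop, clean = os.path.join(d, "drop"), os.path.join(d, "clean")
        os.mkdir(drop); os.mkdir(clean)
        for folder, data in ((drop, MARKER), (clean, b"important clean data")):
            with open(os.path.join(folder, "sample.bin"), "wb") as f:
                f.write(data)
        def swap():  # models the junction/symlink switch inside the scan-to-cleanup window
            os.rename(drop, drop + ".moved")
            os.symlink(clean, drop)
        result = cleanup(os.path.join(drop, "sample.bin"), between=swap)
        return result, os.path.exists(os.path.join(clean, "sample.bin"))
```

The naive routine reports success but has deleted the clean file; the hardened one deletes the file it scanned even though its directory was moved, and the clean file survives.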
Security researchers at RACK911 developed proofs of concept to show the trickery in action, on both Windows and macOS. Here it is on Windows...
And here it is on macOS...
"Make no mistake about it, exploiting these flaws was pretty trivial and seasoned malware authors will have no problem weaponizing the tactics outlined in this blog post. The hardest part will be figuring out when to perform the directory junction or symlink as timing is everything; one second too early or one second too late and the exploit will not work," RACK911 says.
So, is your antivirus program affected? Probably not, but maybe. How's that for a vague answer? Here's the problem—the security researchers listed dozens of antivirus products that this trick worked on, including Avast, Avira, BitDefender, Comodo, ESET, F-Secure, Kaspersky, Malwarebytes, McAfee, Norton, Panda, Sophos, Webroot, and others.
Since going public with its findings, the company says "almost every antivirus vendor" listed in its blog post has patched its products against this type of attack, "with the exception of a few."
RACK911 reckons the unpatched ones will be fixed soon as well, but did not say which specific programs are still affected. Some antivirus vendors have announced related patches, though, including AVG, F-Secure, McAfee, and Symantec.
Bottom line is this—make sure to keep your antivirus software fully updated.