AVG AntiVirus for MacOS does not scan files inside disk images (DMG) files in the on-demand scanner. Real-time scanning and compressed archives such as ZIP files were scanned properly.
The vendor did not consider this to be a security issue but an enhancement, and released a fix in engine version 4668. MITRE has assigned CVE-2017-9977 for this issue.
AVG provides various anti-virus products for multiple platforms including MacOS. During our testing, we found that AVG AntiVirus for MacOS did not scan files inside disk images (DMG) files.
To replicate, do the following:
- Download the EICAR test file.
- Open the Disk Utility in MacOS, and create a new image.
- Drag the EICAR file to the mounted disk image, then right click on the image and un-mount.
- Install AVG antivirus, open AVG and drag the disk image to the real time scanner slot. Observe that no virus is detected.
We did not test other disk image types such as ISO but presume there are probably impacted as well.
The vendor response is as follows:
OK, we consider this as a new feature request — to traverse DMG file in on-demand scan. But there is no security impact, because once the DMG is mounted, on-access scanner protects you from opening malware files.
Nevertheless, the issue was fixed in engine version 4668 in October 2016, and was confirmed again in version 17.2, virus database 170626-4.
CVE ID: CVE-2017-9977
Advisory written by Yakov Shafranovich.
2016-05-08: Initial report to the vendor via BugCrowd
2016-05-10: Follow up report to the vendor
2016-05-12: Communication with the vendor
2016-05-13: Issue confirmed by the vendor
2016-10-05: Fix released and confirmed
2017-04-18: Request for public disclosure via BugCrowd
2017-04-19: Vendor is ok with public disclosure, asks for advance copy of the advisory
2017-06-28: Fix re-confirmed and proposed advisory shared with the vendor
2017-07-06: Public disclosure
One thought on “AVG AntiVirus for MacOS Doesn’t Scan Inside Disk Images [CVE-2017-9977]”
[…] – related bug for engine versions prior to 4668 has been fixed earlier (see CVE-2017-9977 and our blog post); other products not […]