
And at the very least straight to system level access if not more.


AV software needs kernel privileges to have access to everything it needs to inspect, but the actual inspection of that data should be done with no privileges.

I think most AV companies now have a helper process to do that.

If you successfully exploit the helper process, the worst damage you ought to be able to do is falsely find files to be clean.


> ...the worst damage you ought to be able to do is...

Ought. But it depends on the way the communication with the main process is done. I wouldn't be surprised if the main process trusts the output from the parser just a tiny bit too much.
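As an added illustration of the split the two comments above describe (an unprivileged helper parses the file, a privileged broker acts on the result, and the broker must not trust the helper's output too much), here is a small Python sketch. It is example code written for this page, not code from any AV vendor or from the commenters. The "scanner" is reduced to a constructed marker string, the helper is a second Python process, and the names `Broker`, `validate_reply` and `run_helper` are mine. The point to look at is `validate_reply`: the broker accepts only `{"id", "verdict"}` with an id it issued and a verdict from a fixed set, so a compromised helper can at worst return a wrong verdict, not a path to quarantine or anything else the broker would act on.

```python
"""Broker/helper split for a file scanner (added example, not vendor code).

The helper runs in its own process, sees only raw bytes on stdin, and answers
with one tiny JSON object. The broker treats that answer as hostile input.
"""
import json
import secrets
import subprocess
import sys

MAX_REPLY_BYTES = 256                       # a verdict is tiny; bigger replies are rejected
ALLOWED_VERDICTS = {"clean", "malicious"}   # the only things the helper may say
HELPER_TIMEOUT_S = 5

# Constructed marker for this demo; the helper flags any input containing it.
DEMO_SIGNATURE = b"DEMO-MALWARE-MARKER"

# Source of the helper process. It never receives a path or a file handle,
# lowers its own limits, and writes a single JSON object to stdout.
HELPER_SRC = r'''
import json, sys
try:
    import resource  # Unix only: keep the helper from creating or growing files
    resource.setrlimit(resource.RLIMIT_FSIZE, (0, 0))
except Exception:
    pass
req_id = sys.argv[1]
data = sys.stdin.buffer.read()
verdict = "malicious" if b"DEMO-MALWARE-MARKER" in data else "clean"
sys.stdout.write(json.dumps({"id": req_id, "verdict": verdict}))
'''


def validate_reply(raw: bytes, expected_id: str) -> str:
    """Parse the helper's reply as untrusted input and return only the verdict.

    Anything beyond {"id": <our id>, "verdict": <allowed value>} is rejected:
    no extra fields (e.g. a path the broker should delete), no verdicts for
    requests the broker never issued, no oversized or non-JSON payloads.
    """
    if len(raw) > MAX_REPLY_BYTES:
        raise ValueError("reply too large")
    try:
        reply = json.loads(raw.decode("ascii"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise ValueError(f"reply is not ASCII JSON: {exc}") from None
    if not isinstance(reply, dict) or set(reply) != {"id", "verdict"}:
        raise ValueError("reply has unexpected shape")
    if not isinstance(reply["id"], str) or reply["id"] != expected_id:
        raise ValueError("reply id does not match the outstanding request")
    if reply["verdict"] not in ALLOWED_VERDICTS:
        raise ValueError(f"unknown verdict {reply['verdict']!r}")
    return reply["verdict"]


def run_helper(data: bytes, req_id: str) -> bytes:
    """Run the scanning helper in a separate process and return its raw reply."""
    try:
        proc = subprocess.run(
            [sys.executable, "-c", HELPER_SRC, req_id],
            input=data, capture_output=True, timeout=HELPER_TIMEOUT_S,
        )
    except subprocess.TimeoutExpired:
        return b""                              # empty reply fails validation below
    return proc.stdout if proc.returncode == 0 else b""


class Broker:
    """Privileged side. Remembers which path belongs to which request id and
    acts only on that mapping, never on anything the helper says."""

    def __init__(self):
        self.quarantined = []

    def scan_file(self, path: str, data: bytes) -> str:
        req_id = secrets.token_hex(8)
        try:
            verdict = validate_reply(run_helper(data, req_id), req_id)
        except ValueError:
            verdict = "error"       # fail closed: a broken helper never yields "clean"
        if verdict == "malicious":
            self.quarantined.append(path)   # path comes from the broker's own request
        return verdict


if __name__ == "__main__":
    broker = Broker()
    # Constructed sample inputs for the demo.
    print(broker.scan_file("/tmp/demo/a.bin", b"just some text"))
    print(broker.scan_file("/tmp/demo/b.bin", b"xx " + DEMO_SIGNATURE + b" yy"))
    print("quarantined:", broker.quarantined)
```

The interesting failure mode is the one the reply above points at: a naive broker that did `quarantine(reply["path"])` would let an exploited helper pick the path. Keying every action on the broker's own request table, and rejecting any reply that carries more than an id and a verdict, is what keeps the blast radius of a helper compromise down to a wrong verdict. A real deployment would also run the helper under a separate uid with seccomp or a sandbox profile; the `RLIMIT_FSIZE` line is only a stand-in for that.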


Anti-cheats also whitelist legit AV drivers, even though cheaters exploit them to no end.

