AV had traditionally run as SYSTEM on Windows (and, in the past, often had kernel mode drivers too). I've always thought it was a terrible idea. It opens up exciting new attack surfaces. Kaspersky and McAfee both had privilege escalation vulnerabilities that I can recall. There have been a ton in multiple products over the years.

▲

labelbabyjunior 5 hours ago | parent | next [-]

They kind of have to, though.

If malware exploits a privilege escalation vuln, what's the AV going to do about it when it's reduced to the software equivalent of a UK police officer? Observe and report? Stop or I'll say "stop" again?

AV requires great power, which requires great responsibility. The second part is what often eludes AV developers.

▲

EvanAnderson 5 hours ago | parent | next [-]

The OS should do the SYSTEM-level lifting and scanning processes and behavior analysis should run sandboxed as low priv processes. It would require a clearly defined API and I feel like MSFT was always reticent to commit, leaving AV manufacturers to create hacky nightmares.

	▲	labelbabyjunior 5 hours ago \| parent [-]
		Well the OS should do nothing—remember MS was taken to court over that—but better privsep on the part of the AV, sure. Technically, Defender can be replaced with 3rd party AV.

▲

bux93 3 hours ago | parent | prev | next [-]

Windows has separate SeBackupPrivilege for backup software, so why not for AV?

▲

formerly_proven 3 hours ago | parent | prev [-]

“Because the remediation component requires SYSTEM, the entire AV needs to run as SYSTEM and we have to unpack malware in the kernel”

▲

Fokamul 4 hours ago | parent | prev [-]

Because to get Ring0, you just need signed vulnerable driver.

There are tons of signed drivers to explore ;-)