Vulnerability in ESET products, upgrade immediately

An analysis of the code emulator used in ESET's products showed that it was not strong enough and could be easily compromised, allowing an attacker to take full control of a system running the vulnerable security solution.

The code emulator is integrated into the company's antivirus products and runs files or scripts before the user does. This process takes place in an isolated environment, so the actual system cannot be affected.

The collected data is passed to the heuristic analyzer, which decides whether it is malicious or suspicious.

Researcher Tavis Ormandy of Google Project Zero discovered the flaw in NOD32 Antivirus but, as he says, other products are also affected, in all versions (, OS X and Linux), as well as the Endpoint and Business editions.

"Many antivirus products have emulation capabilities. ESET NOD32 uses a minifilter or kext (the name comes from kernel extension) to monitor disk I/O," says Ormandy.

Because disk I/O operations can be triggered in a variety of ways, malicious code, messages, files, images, or other kinds of data may be written to the disk. Hence the need for a robust and properly isolated code emulator in antivirus solutions.

Ormandy found the flaw, analyzed it and created a remote root exploit within a few days, demonstrating that an attacker can obtain full access to the victim's system.

Note that Ormandy reported the vulnerability to ESET on June 18, and the company immediately released an update for the scan engine (just 4 days later).

You can find more technical details on the vulnerability, along with the exploit, on the announcement page of the security flaw.

See the PoC:

https://www.youtube.com/watch?v=Sk-CuFMXods

iGuRu.gr The Best Technology Site in Greece


Written by Dimitris
