Abusing TotalAV Anti Virus to Delete Arbitrary Files as SYSTEM
Overview
While investigating the behavior of TotalAV Anti Virus, I discovered a serious vulnerability that allows arbitrary file deletion as NT AUTHORITY\SYSTEM. What is particularly concerning is that a regular, non-administrative user can trigger it by abusing how TotalAV Anti Virus handles its cleanup routines in combination with Windows NTFS junctions.
Despite attempts to responsibly disclose this issue to the vendor (TotalAV), I received no acknowledgment or response. I am now publishing technical details to raise awareness and hopefully prompt a fix.
The Vulnerability
Impact
- Privilege escalation via file deletion: a non-admin user can delete files owned or protected by SYSTEM by abusing a cleanup feature in the antivirus.
- Persistence and LPE vectors: by targeting specific files or system DLLs, this could lead to privilege escalation, denial of service, or persistence mechanisms (e.g., deleting scheduled task binaries, logs, or configuration files).
Root Cause
TotalAV Anti Virus provides a "cleanup" feature that removes residual files. It runs in the SYSTEM context.
However, the product does not verify the target path after resolving junctions or symbolic links. This allows an attacker to:
- Create a junction (e.g., using mklink /J) that redirects the user's temp directory to an arbitrary protected location.
- Trigger the cleanup, which recursively deletes the contents of the attacker-controlled directory.
- The cleanup blindly follows the junction, deleting files in the privileged location as SYSTEM.
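The missing check described above is the entry-level test a privileged cleanup must perform: inspect each entry with lstat before acting, treat anything carrying the reparse attribute as a link to be unlinked rather than descended, and refuse a root whose resolved location is not the literal path requested. The following routine is an added example written for this post, not TotalAV's code; the function names and the returned counters are my own. On Windows it reads st_file_attributes for FILE_ATTRIBUTE_REPARSE_POINT (junctions and symlinks); on other platforms only symlinks exist, which is enough to exercise the logic.

```python
"""Reparse-point-aware cleanup routine.

Added example, not TotalAV's code: it models the check that a cleanup running
as SYSTEM must perform before it recurses into a directory an unprivileged
user controls. Junctions and symlinks are removed as single entries and never
followed, and a root that has itself been redirected is refused outright.
"""
import os
import stat

# NTFS sets FILE_ATTRIBUTE_REPARSE_POINT on junctions and symbolic links.
# The stat module exposes the constant on Windows; the fallback value keeps
# the module importable elsewhere (st_file_attributes only exists on Windows).
REPARSE_POINT = getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0x400)


def is_reparse_point(path: str) -> bool:
    """True if the entry itself (not whatever it points to) is a junction or symlink."""
    st = os.lstat(path)  # lstat inspects the entry and does not follow it
    if stat.S_ISLNK(st.st_mode):
        return True
    return bool(getattr(st, "st_file_attributes", 0) & REPARSE_POINT)


def safe_cleanup(root: str) -> dict:
    """Delete the contents of `root` without following any reparse point.

    Returns counters so the caller can log skipped links, which are a strong
    signal that someone tried to redirect the cleanup.
    """
    literal = os.path.normcase(os.path.abspath(root))
    resolved = os.path.normcase(os.path.realpath(root))
    # If the root, or any component of its path, is a junction or symlink the
    # resolved location differs from what the caller asked for: refuse.
    if is_reparse_point(root) or resolved != literal:
        raise PermissionError(f"refusing to clean redirected path {root!r} -> {resolved!r}")
    counters = {"deleted": 0, "links_removed": 0, "errors": 0}
    _cleanup_dir(root, counters)
    return counters


def _cleanup_dir(directory: str, counters: dict) -> None:
    with os.scandir(directory) as it:
        entries = list(it)
    for entry in entries:
        path = entry.path
        try:
            if is_reparse_point(path):
                # Remove the link entry only; the target is never touched.
                if entry.is_symlink():
                    os.unlink(path)
                else:
                    os.rmdir(path)  # a junction: rmdir unlinks it and leaves the target intact
                counters["links_removed"] += 1
            elif entry.is_dir(follow_symlinks=False):
                _cleanup_dir(path, counters)
                os.rmdir(path)
                counters["deleted"] += 1
            else:
                os.unlink(path)
                counters["deleted"] += 1
        except OSError:
            counters["errors"] += 1
```

Two design notes. First, check-then-delete still leaves a window between the lstat and the deletion; native cleanup code should open the directory with FILE_FLAG_OPEN_REPARSE_POINT | FILE_FLAG_BACKUP_SEMANTICS and delete relative to that handle so a swap after the check cannot redirect it. Second, the simplest structural fix is to not use SYSTEM at all for user-writable locations: impersonate the owning user while cleaning their profile, so a redirected Temp directory gains the attacker nothing.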
Proof of Concept (PoC)
Here's a high-level outline of how this can be exploited:
- Create a junction from the user temp directory to a system-owned directory such as C:\Windows\System32\drivers\etc:
mklink /J "C:\Users\<USERNAME>\AppData\Local\Temp" "C:\Windows\System32\drivers\etc"
- Trigger the antivirus's cleanup feature targeting "C:\Users\<USERNAME>\AppData\Local\Temp".
Responsible Disclosure
I made multiple attempts to disclose this issue privately and allow time for remediation, but the vendor failed to acknowledge or respond. If the vendor reaches out after publication, I am happy to collaborate and update this post accordingly.
Mitigation & Recommendations
Until a fix is released, system administrators can:
- Monitor antivirus logs for unusual cleanup operations.
- Block non-admin users from creating NTFS junctions (using Group Policy or access control).
- Use file integrity monitoring tools to detect suspicious deletions.
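Because an NTFS junction can be created by any user with write access to the parent directory (no special privilege is involved, unlike symbolic links), detection is a useful complement to the controls above. The sweep below is an added example for this post, not code from the vendor or the author: it walks a user-writable directory such as a Temp folder without ever following a link, and reports every junction or symlink whose resolved target falls outside the roots the user is allowed to point into (normally their own profile). The function names and the command-line usage are my own.

```python
"""Hunt for junctions or symlinks under user-writable directories whose
target lies outside the user's own profile.

Added example, not from the post or the vendor: a file-integrity style sweep
a defender can run across Temp directories. The walk never follows a link,
so a planted junction cannot redirect the scan itself.
"""
import os
import stat
import sys

# FILE_ATTRIBUTE_REPARSE_POINT marks junctions and symlinks on NTFS; the
# fallback value keeps the module importable on non-Windows platforms.
REPARSE_POINT = getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0x400)


def _is_reparse_point(path: str) -> bool:
    st = os.lstat(path)
    return stat.S_ISLNK(st.st_mode) or bool(getattr(st, "st_file_attributes", 0) & REPARSE_POINT)


def _is_under(path: str, root: str) -> bool:
    """True if the already-resolved `path` is `root` or lies beneath it."""
    path = os.path.normcase(path)
    root = os.path.normcase(os.path.realpath(root)).rstrip(os.sep)
    return path == root or path.startswith(root + os.sep)


def _walk_without_following(directory: str):
    """Yield every entry below `directory`, never descending through a reparse point."""
    with os.scandir(directory) as it:
        entries = list(it)
    for entry in entries:
        yield entry.path
        if entry.is_dir(follow_symlinks=False) and not _is_reparse_point(entry.path):
            yield from _walk_without_following(entry.path)


def find_escaping_links(scan_root: str, allowed_roots) -> list:
    """Return (link, resolved_target) for each reparse point under scan_root
    whose target is outside every allowed root (e.g., the user's profile)."""
    findings = []
    for path in _walk_without_following(scan_root):
        if not _is_reparse_point(path):
            continue
        target = os.path.normcase(os.path.realpath(path))
        if not any(_is_under(target, r) for r in allowed_roots):
            findings.append((path, target))
    return findings


if __name__ == "__main__":
    # Usage: python find_escaping_links.py <dir-to-scan> <allowed-root> [<allowed-root> ...]
    # e.g. scan C:\Users\<USERNAME>\AppData\Local\Temp allowing only C:\Users\<USERNAME>
    for link, target in find_escaping_links(sys.argv[1], sys.argv[2:]):
        print(f"ALERT: {link} -> {target}")
```

Run it per user profile against the Temp directory the cleanup targets, and feed the findings into whatever file integrity monitoring or SIEM pipeline is already in place; a Temp directory that is itself a junction will show up in the scan of its parent.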
Final Thoughts
This bug highlights a recurring pattern: security products introducing security issues by mishandling Windows features like NTFS reparse points. Cleanup features, especially those running with elevated privileges, must perform proper path sanitization and reparse point detection.
If you're a vendor reading this — sanitize your cleanup logic.