Vulnerability report

  • April 1, 2019
  • 3 min read

Emsisoft would like to thank independent security researchers that help us to improve our products. If you have found a new vulnerability in our products that can be used to threaten the security of a computer, please immediately let us know via [email protected].

The following vulnerabilities have been disclosed:

2019-01-02: ACL bypass in Emsisoft Protection Platform driver


EPP.sys in Emsisoft Anti-Malware versions prior to version 2018.12 allows a local attacker to bypass its ACLs because Interpreted Device Characteristics lacks FILE_DEVICE_SECURE_OPEN and therefore files and directories “inside” the \\.\EPP device are not properly protected. As a result, a local attacker may be able to use functionality exposed by the driver to enumerate and read process details, they would normally not have access to.

Affected products:

All Emsisoft Anti-Malware versions prior to version 2018.12.


The issue has been fixed in version 2018.12 and later, which was released January 2nd, 2019. Due to our rolling release model, all users received the fix automatically via their online updates and no manual intervention is required.


Emsisoft would like to thank Nafiez for bringing this issue to our attention.

2016-01-08: Code execution and privilege escalation in installers


Installer packages of Emsisoft products have been found to be vulnerable to so-called carpet poisoning attacks. These allow for execution of third party code with elevated rights, in the event that the malicious code is already planted in DLL files using specific file names in the same folder where the installer packages are saved to and executed from.


The root cause of this issue is essentially the way in which Windows loads DLL files. While developers expect that system components are loaded from the Windows folder, Windows looks for an equally named file in the same folder of an executable (EXE) first. This allows an attacker to plant a malicious version of a DLL in the same folder (e.g. via drive-by download) to get their malicious code executed with higher rights when the installer for the legitimate software is executed. Since installers require elevated rights, they pass on these rights to any other code they load, such as code in DLL files, allowing them to gain higher rights than they would get when executed on their own.

Affected products:

The issue affects all Emsisoft installation packages (setups) that were compiled before 2016-01-08, in particular, EmsisoftAntiMalwareSetup.exe, EmsisoftInternetSecuritySetup.exe, and EmsisoftEmergencyKit.exe. You can verify the timestamp of signing in file properties under “Digital Signatures” (right-click on the file, select “Properties”, and click on the “Digital Signatures” tab to view this information).

Emsisoft code was never affected by this issue. The problem is limited to the installers (setup programs) that install our products on your computer, which are based on third-party installer technology.


All installers were re-compiled with a fixed version of the installer technology on 2016-01-08.
Older installers may still be safely executed from any new folder that does not contain any other DLL files.

Security advise:

Since this generic problem affects a high number of installers from various vendors, it is recommended to never execute downloaded programs directly from unsafe folders like “Downloads” or “Temp”. You may want to set the permissions of those folders to deny execution and/or always move downloaded programs into new and empty folders before executing or running them.


Emsisoft would like to thank Stefan Kanthak for bringing this issue to our attention.


Rating: 3.7/5. From 3 votes.
Please wait...

Similar topics