Some antivirus tools are more resilient than others, but it appears that many of them had weaknesses in common. Rack911 Labs has revealed (via ZDNet) that 28 well-known antivirus programs, including Microsoft Defender, McAfee Endpoint Security and Malwarebytes, either had or have bugs that would let attackers delete necessary files and prompt crashes that could be used to install malware. Known as “symlink races,” the attacks use symbolic links and directory junctions to link malicious files to legitimate ones in the window between a file being scanned for viruses and its removal.
The approach not only works across security suites, but across platforms. You just need different techniques on Linux PCs and Macs, Rack911 said.
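The mitigation for this scan-then-remove window, shown as an added example that comes from neither Rack911 nor any antivirus vendor: on a POSIX system, the cleanup pins the directory with a file descriptor, records the identity of the file it scanned, and deletes relative to that descriptor instead of re-resolving a path. The function names, the `downloads`/`protected` layout and the file contents are assumptions constructed for the demonstration.

```python
import os, stat, tempfile

class RaceDetected(Exception):
    """The directory entry no longer refers to the object that was scanned."""

def scan(dir_fd, name):
    # Open relative to a pinned directory fd; O_NOFOLLOW rejects a symlink
    # as the final path component.
    fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW, dir_fd=dir_fd)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise RaceDetected(f"{name}: not a regular file")
        # A real scanner would read and inspect the content through fd here.
        return (st.st_dev, st.st_ino)
    finally:
        os.close(fd)

def remove_scanned(dir_fd, name, identity):
    # lstat the entry inside the pinned directory and compare it with the scan.
    st = os.stat(name, dir_fd=dir_fd, follow_symlinks=False)
    if not stat.S_ISREG(st.st_mode) or (st.st_dev, st.st_ino) != identity:
        raise RaceDetected(f"{name}: entry changed since scan")
    # unlinkat() on the pinned fd: no parent component is resolved again, so
    # a swapped parent directory cannot redirect the delete elsewhere.
    os.unlink(name, dir_fd=dir_fd)

def demo():
    """Constructed scenario: the scanned directory's path is re-pointed after the scan."""
    root = tempfile.mkdtemp()
    work = os.path.join(root, "downloads")
    protected = os.path.join(root, "protected")
    for d in (work, protected):
        os.mkdir(d)
        with open(os.path.join(d, "sample.bin"), "w") as f:
            f.write(d)
    dir_fd = os.open(work, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        ident = scan(dir_fd, "sample.bin")
        # Between scan and cleanup, "downloads" becomes a symlink to "protected".
        os.rename(work, work + ".moved")
        os.symlink(protected, work)
        remove_scanned(dir_fd, "sample.bin", ident)
    finally:
        os.close(dir_fd)
    # (protected file survived?, scanned file still present?)
    return (os.path.exists(os.path.join(protected, "sample.bin")),
            os.path.exists(os.path.join(work + ".moved", "sample.bin")))
```

`demo()` returns `(True, False)`: the file that was actually scanned is removed, and the file behind the swapped path is left alone.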