App Review - The Emsisoft Enterprise Security challenge.

Content created by
Andy Ful
I created this video as the continuation of the AVs challenge to show that Antimalware kernel drivers and protected services of popular AVs can be tampered with (from Userland with high privileges), assuming that they are not protected by VBS.
The presented method could be used in the wild because the most important part of it is documented. If so, it was used rarely because I did not see any reference on the web.
It does not use vulnerable drivers and does not abuse PPL.

The presented method is not a full attack, and it is not probable that it can affect home users. However, it can probably be used as a part of targeted attacks in businesses.
Emsisoft is taken only as an example. The presented method was tested by the author on several well-known Antiviruses, with similar effects.

App Review - The Comodo's challenge.

App Review - Comodo's challenge part 2.

App Review - Eset's challenge.

App Review - Microsoft Defender's challenge.

App Review - Bitdefender's challenge.

App Review - The Zone Alarm challenge.

 
I slightly changed the attack method using an EXE file instead of a shortcut. Emsisoft uses the Behavior Blocker to monitor/block suspicious actions of unknown executables.
The EXE file prepared by me bypassed the Behavior Blocker.
After invalidating the drivers, Emsisoft correctly recognized that something was wrong and tried to fix the problem. But it failed.
Very surprised that his Behavior Blocker and EDR didn't react...

I am not. It does not mean in any way that Behavior Blocker and EDR are weak. :)
The method used in my videos closely mimics administrative actions. That is why all tested AVs have serious problems with detection.
 
I would like to test the Business/Enterprise versions, but the trial versions often require a business email or credit card. I do not like to expose my credit card and do not use business email.
 
Not from the Windows OS viewpoint.
If it is done the way I think it’s done, Microsoft documents this as “troubleshooting”. It may be needed when users are experiencing issues with backup software or opening files. It is not a Windows flaw and alone by itself is not enough to trigger behavioural blocking.

Depending on the AV's behavioural blocking profiles/machine learning models, this may be a high-risk action when combined with other events. Alone, by itself, it may just be recorded, but it probably doesn't meet the necessary threshold to trigger removal.

Real attackers may attempt to modify portions of the executable or to pack it, which by itself can trigger various detections.
 
Real attackers may attempt to modify portions of the executable or to pack it, which by itself can trigger various detections.

In the era of malware as a service, the real attacker will find a way to do it without triggering detections.
Even I could do it, and I am not a criminal genius. :unsure:
For example, one needs only a simple loader (with UAC bypass) to weaponize the attack. Such loaders are common nowadays.
Thank god, that the logic of the attack is not suited to the home environment.
Hi Andy,

Did the UAC bypass already happen before you clicked "Yes" on the UAC alert? IOW, if you had clicked "No" instead or cancelled, had the bypass already occurred?

When the default "No" is chosen, the attack will fail.
In the real attack, a more probable scenario would be a silent UAC bypass (no user interaction).
 
But just like a skilled detective can think like a criminal for solving a crime, you can think like one in creating your bypasses. :D

It is good when the developer of security-oriented applications tries to think sometimes like a malware detective. :)
@Andy Ful

This is Kevin from Emsisoft. We received a report about the issue you reported here on the MalwareTips forums. Please send us all the files you used to bypass our software to support@emsisoft.com. Please include my name in the subject to ensure that our support team can route the ticket to me. I will forward the files and the link to your video to our development team.

In the future, we would appreciate it if you sent such issues directly to us. This ensures that we get the information promptly and can act on it quickly.