App Review The Zone Alarm challenge.

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Content created by
Andy Ful
S

Sephirothnight

New Member
Sep 19, 2018
5
Bonjour,
thank you for all these tests. The positive point, for zonealarm and Kaspersky who are interested and want to improve their products. How could Symantec endpoint installed on a client workstation react (without the management part)? It seems that it checks all of its drivers, perhaps I am wrong about this statement. In any case, thank you for these tests.
 
  • Like
Reactions: Dave Russo and Andy Ful
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,158

Sephirothnight and Deformity,​


If I correctly recall Symantec Endpoint does not work on Windows Home (I am not sure).
Panda Dome and 360 Total Security are solutions for home users. I decided to continue testing (if necessary) only on business products if the trial version is available.
 
Last edited:
  • Like
Reactions: Dave Russo, Kongo and Deformity
Kongo

Kongo

Level 36
Verified
Top Poster
Well-known
Feb 25, 2017
2,512
Andy Ful said:

Sephirothnight and Deformity,​


If I correctly recall Symantec Endpoint does not work on Windows Home (I am not sure).
Panda Dome and 360 Total Security are solutions for home users. I decided to continue testing (if necessary) only on business products if the trial version is available.
Click to expand...
Now you've piqued my interest. Which business products are on your list at the moment? 👀
 
  • Like
Reactions: Dave Russo, Trident and Andy Ful
Trident

Trident

Level 28
Verified
Top Poster
Well-known
Feb 7, 2023
1,743
Andy Ful said:
Thanks. It did not when I tried three years ago. Where can I find a working version?
Click to expand...
Without dealing with corporate emails and trials, it is easy to get it from here.
www.comss.ru

Symantec Endpoint Protection

Symantec Endpoint Protection – комплексный антивирус и фаервол с несколькими уровнями безопасности. Антивирусная и превентивная защита, защита от сетевых угроз и эксплойтов нулевого дня, система предотвращения вторжений
www.comss.ru www.comss.ru
 
  • Like
Reactions: roger_m, Dave Russo and Andy Ful
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,158
Trident said:
Without dealing with corporate emails and trials, it is easy to get it from here.
www.comss.ru

Symantec Endpoint Protection

Symantec Endpoint Protection – комплексный антивирус и фаервол с несколькими уровнями безопасности. Антивирусная и превентивная защита, защита от сетевых угроз и эксплойтов нулевого дня, система предотвращения вторжений
www.comss.ru www.comss.ru
Click to expand...
It works. (y)
 
  • Like
Reactions: Trident
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,158
@Trident,

Symantec failed when the attack was done via shortcut. The attack successfully tampered with 5 drivers:
SYMEVENT64.SYS
BHDrvx64.sys
Ironx64.sys
ccSetx64.sys
SRTSP64.SYS

I used the most aggressive settings for "Virus and Spyware Protection" and "Proactive threat Protection".
There were no alerts after Windows restart, but the Symantec Endpoint Protection icon disappeared from the System TaskBar. Security Center showed that Symantec Endpoint Protection might need some actions. But when I tried opening it, the error was shown:

1712770985446.png



If the attack was done via EXE loader, Download Insight blocked the execution and showed an alert that the EXE was unproven (low prevalence).
 
  • Like
  • +Reputation
  • Thanks
Reactions: roger_m, Trident, Gandalf_The_Grey and 1 other person
Practical Response

Practical Response

Level 8
Mar 10, 2024
381
Andy Ful said:
@Trident,

Symantec failed when the attack was done via shortcut. The attack successfully tampered with 5 drivers:
SYMEVENT64.SYS
BHDrvx64.sys
Ironx64.sys
ccSetx64.sys
SRTSP64.SYS

I used the most aggressive settings for "Virus and Spyware Protection" and "Proactive threat Protection".
There were no alerts after Windows restart, but the Symantec Endpoint Protection icon disappeared from the System TaskBar. Security Center showed that Symantec Endpoint Protection might need some actions. But when I tried opening it, the error was shown:

View attachment 282721


If the attack was done via EXE loader, Download Insight blocked the execution and showed an alert that the EXE was unproven (low prevalence).
Click to expand...
I guess I'm failing to understand the relevance of this test without route of infection also. How is the infection moving past the network into the machine past the security in order to establish admin rights so as to proceed with this demonstration. Obviously one with admin rights already established in the machine can perform functions that enable it to be destructive and rendering. It's widely known once a hacker gains access you have issues. As admin you can take a whitelisted application aka aggressive cleaning utility and gut windows and your security will just sigh.
 
  • Like
Reactions: roger_m and Trident
Practical Response

Practical Response

Level 8
Mar 10, 2024
381
Trident said:
It’s just a PoC this disabling methodology, it is mentioned clearly that it’s not a real attack but can be used as part of attacks eventually.
Click to expand...
I understand although as stated before if the attacker gains access to the system they can simply uninstall the security product for full unobstructed gain.
 
  • Like
Reactions: Trident
Trident

Trident

Level 28
Verified
Top Poster
Well-known
Feb 7, 2023
1,743
Practical Response said:
I understand although as stated before if the attacker gains access to the system they can simply uninstall the security product for full unobstructed gain.
Click to expand...
On a business environment, it is expected that the product will be protected by password. In this case, it will be very difficult to uninstall.
 
  • Like
Reactions: Practical Response
Practical Response

Practical Response

Level 8
Mar 10, 2024
381
Trident said:
On a business environment, it is expected that the product will be protected by password. In this case, it will be very difficult to uninstall.
Click to expand...
Thank you for that response as the home users now understand the difference. Home users may or may not have that ability, even so most would not utilize it.

It's important to note these things as the group of home users here freaking that applications are so easily disabled, they need to understand the chances of this ever occuring vs what's realistic.
 
  • Like
Reactions: Trident
Trident

Trident

Level 28
Verified
Top Poster
Well-known
Feb 7, 2023
1,743
Practical Response said:
Thank you for that response as the home users now understand the difference. Home users may or may not have that ability, even so most would not utilize it.

It's important to note these things as the group of home users here freaking that applications are so easily disabled, they need to understand the chances of this ever occuring vs what's realistic.
Click to expand...
The antivirus uninstall/disabling method will be more suitable for early stages of attacks, so the rest can be hidden. If they’ve gained full access with no detection yet, they probably won’t need to tamper with defences or they will be able to add exclusions.
Depends on how the product is managed.

For cloud-managed products that require 2FA it will be impossible to add exclusions as well. It also will be impossible to uninstall defences quietly without anyone noticing anything.
Whoever is managing the EDR will notice the disconnection as well.
 
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,158
Practical Response said:
I understand although as stated before if the attacker gains access to the system they can simply uninstall the security product for full unobstructed gain.
Click to expand...

This cannot be done without informing the user about the AV uninstallation. Microsoft and the AV vendors provided special protections to prevent the malware running with high privileges from tampering with some services and drivers. As it can be seen those protections can be bypassed.
In the case of Symantec Endpoint Protection, I invalidated 5 drivers, but the user and AV show only a general error. The user still does not know what happened. Is it a temporary error with services? Is it a conflict with the Windows Update? There is no sign of malicious actions.
 
  • Like
Reactions: roger_m, Trident and Practical Response

Similar threads

Spartan
    • Like
    • Wow
    • +Reputation
AV-Comparatives AV-Comparatives False Alarm Test: MAR 2024
Replies
3
Views
375
Security Statistics and Reports
SumTingWong
SumTingWong
MuzzMelbourne
    • Like
Question How's 'ya fingerprint?
Replies
29
Views
1,431
Privacy apps
MuzzMelbourne
MuzzMelbourne
Spartan
    • Like
AV-Comparatives AV-Comparatives False Alarm Test - September 2023
Replies
0
Views
431
Security Statistics and Reports
Spartan
Spartan

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top