App Review Avast's challenge.

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Content created by
Andy Ful
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,145
I have created this video as a continuation of the AVs challenge.
It can demonstrate that antimalware kernel drivers and protected services of popular antivirus software can be tampered with (from Userland with high privileges), assuming VBS does not protect them.

The attack method could be already used in the wild because most of it is documented. However, I have not seen any reference to it on the web. It does not use vulnerable drivers and does not abuse PPL.

It is not a full attack, but it can be a part of a targeted attack in organizations.
Please note: Avast is only an example. I tested the presented method on several well-known antivirus software with similar effects.

App Review - The Comodo's challenge.

App Review - Comodo's challenge part 2.

App Review - Eset's challenge.

App Review - Microsoft Defender's challenge.​

App Review - Bitdefender's challenge.

App Review - The Zone Alarm challenge.

App Review - The Emsisoft Enterprise Security challenge.

 
Last edited:
  • Like
  • +Reputation
Reactions: roger_m, cryogent, oldschool and 5 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,145
Shadowra said:
I'd love to see how it stacks up against DeepInstinct... I can give you the test sometime if you can give me the script :) (and why not include it in my test)
Click to expand...

For now, the attack details are available only for AV vendors.
I could test it myself, but it would not be nice to ask for the installer in purpose to show that DeepInstinct will fail to protect itself. :unsure:
 
  • Like
  • +Reputation
  • Hundred Points
Reactions: roger_m, simmerskool, vtqhtr413 and 4 others
Trident

Trident

Level 28
Verified
Top Poster
Well-known
Feb 7, 2023
1,739
Andy Ful said:
For now, the attack details are available only for AV vendors.
I could test it myself, but it would not be nice to ask for the installer in purpose to show that DeepInstinct will fail to protect itself. :unsure:
Click to expand...
Off topic, on the ZoneAlarm challenge, Sophos engine detected one variant. It seems that Sophos, at least partially, is aware of some of the methodic. It may be worth submitting the files on Intelix portal (intelix.sophos.com) or maybe send them an email.
 
  • Like
  • +Reputation
Reactions: roger_m, simmerskool, vtqhtr413 and 4 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,145
Trident said:
Off topic, on the ZoneAlarm challenge, Sophos engine detected one variant. It seems that Sophos, at least partially, is aware of some of the methodic. It may be worth submitting the files on Intelix portal (intelix.sophos.com) or maybe send them an email.
Click to expand...

No, it is not aware. I confirmed that it very aggressively detects shortcuts that use CmdLines with cmd[.]exe . The core of the attack is in the .dat file, which is undetected.
 
Last edited:
  • Like
  • +Reputation
Reactions: roger_m, simmerskool, vtqhtr413 and 4 others
Trident

Trident

Level 28
Verified
Top Poster
Well-known
Feb 7, 2023
1,739
Andy Ful said:
No, it is not aware. I confirmed that It very aggressively detects shortcuts that use CmdLines with cmd[.]exe . The core of the attack is in the .dat file, which is undetected.
Click to expand...
Oh that means that Harmony Endpoint, under my policy, will not let the procedure through. CMD, amongst others, can’t be executed. Smart thing for Sophos to do. Sophos relies heavily on emulation and it will not be able to emulate the *.dat file. Specially as it is a read-only in the attack and other components use it.
 
  • Like
  • +Reputation
Reactions: roger_m, simmerskool, vtqhtr413 and 3 others
Trident

Trident

Level 28
Verified
Top Poster
Well-known
Feb 7, 2023
1,739
Digmor Crusher said:
I find it odd that all these AV's are vulnerable to this type of attack and that no one has mentioned it before. You would think the AV companies know this and why haven't they fixed it?
Click to expand...
There are many scenarios predicted and blocked, there are many that are reactively patched and many to be discovered yet.

When it comes to attacks with scripting involved, it’s a bit iffy as it may look like admin/user wants to execute the actions.
There is a very thin line between blocking attacks, and blocking basic OS functionality and filling up your forums with annoyed users.

The Norton WS.Reputation.1 (initially Reser.Reputation.1) is a very good example how a great idea, in this case blocking unknown executables, can piss a lot of users off and may have to be “dulled” later on — at the expense of security.

In cybersecurity there is always something to be learned.
 
  • Like
  • +Reputation
Reactions: roger_m, simmerskool, vtqhtr413 and 5 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,145
Digmor Crusher said:
I find it odd that all these AV's are vulnerable to this type of attack and that no one has mentioned it before. You would think the AV companies know this and why haven't they fixed it?
Click to expand...

Here is what they think. There are so many uncovered attack methods. We cannot discover and patch most of them. If we patch some of them, the attackers easily find unpatched ones. So, it is more practical to quickly patch the methods used in the wild and not bother about the rest.
For example, some dangerous methods were found in the Bug Bounty Program and waited nearly two years to be patched.
 
  • Like
  • +Reputation
  • Sad
Reactions: robboman, roger_m, simmerskool and 5 others
Practical Response

Practical Response

Level 7
Mar 10, 2024
342
Andy Ful said:
Here is what they think. There are so many uncovered attack methods. We cannot discover and patch most of them. If we patch some of them, the attackers easily find unpatched ones. So, it is more practical to quickly patch the methods used in the wild and not bother about the rest.
For example, some dangerous methods were found in the Bug Bounty Program and waited nearly two years to be patched.
Click to expand...
There is that and the fact that every time they patch something of that effect they possibly introduce more bugs/vulnerabilities in the process, just as adding tons of 3rd party applications widens the attack surface. It is a never ending game of "catch 22" between patching old issues, to adding improvements/optimizations to newer features which all add to the long list of whack a mole.
 
  • Like
Reactions: roger_m, simmerskool, vtqhtr413 and 3 others
nickstar1

nickstar1

Level 6
Verified
Well-known
Dec 10, 2022
264
Avast's browser extension has not been updated since November 15, 2022 that is very concerning to me and AVG even longer... If they no longer want to support updates for these they should just pull them off the stores. I dont think avast will really care about this considering other factors leaving the product potentially exploitable... Extensions that are no longer maintained or updated pose a significant security risk.

I brought this to attention multiple times and they don't seem to care. I have switched to the new mcafee.
 
Last edited:
  • Like
Reactions: roger_m and Trident
Trident

Trident

Level 28
Verified
Top Poster
Well-known
Feb 7, 2023
1,739
nickstar1 said:
Avast's browser extension has not been updated since November 15, 2022 that is very concerning to me and AVG even longer... If they no longer want to support updates for these they should just pull them off the stores. I dont think avast will really care about this considering other factors leaving the product potentially exploitable... Extensions that are no longer maintained or updated pose a significant security risk.

I brought this to attention multiple times and they don't seem to care. I have switched to the new mcafee.
Click to expand...
Yeah that is all true but not really related to Andy’s challenge. And the new cloud-based McAfee, like all AVs, will be susceptible to this disabling method.
 
  • Like
  • +Reputation
Reactions: Idanox, vtqhtr413, roger_m and 4 others

Similar threads

Andy Ful
    • +Reputation
    • Like
    • Love
App Review Bitdefender's challenge.
Replies
7
Views
1,096
Video Reviews - Security and Privacy
Andy Ful
Andy Ful
Andy Ful
    • Like
    • +Reputation
    • Wow
App Review Eset's challenge.
Replies
11
Views
1,045
Video Reviews - Security and Privacy
Andy Ful
Andy Ful
Andy Ful
    • +Reputation
    • Like
    • Thanks
App Review Microsoft Defender's challenge.
Replies
48
Views
3,103
Video Reviews - Security and Privacy
Sandbox Breaker
Sandbox Breaker

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top