App Review - Avast's challenge.

Content created by Andy Ful (Hard_Configurator Tools), thread author
I have created this video as a continuation of the AVs challenge.
It can demonstrate that antimalware kernel drivers and protected services of popular antivirus software can be tampered with (from userland with high privileges), assuming VBS does not protect them.

The attack method could already be used in the wild because most of it is documented. However, I have not seen any reference to it on the web. It does not use vulnerable drivers and does not abuse PPL.

It is not a full attack, but it can be a part of a targeted attack in organizations.
Please note: Avast is only an example. I tested the presented method on several well-known antivirus software with similar effects.


App Review - The Comodo's challenge.

App Review - Comodo's challenge part 2.

App Review - Eset's challenge.

App Review - Microsoft Defender's challenge.

App Review - Bitdefender's challenge.

App Review - The Zone Alarm challenge.

App Review - The Emsisoft Enterprise Security challenge.

 
Andy Ful
I'd love to see how it stacks up against DeepInstinct... I can give you the test sometime if you can give me the script :) (and why not include it in my test)

For now, the attack details are available only for AV vendors.
I could test it myself, but it would not be nice to ask for the installer on purpose to show that DeepInstinct will fail to protect itself. :unsure:
 

Trident
For now, the attack details are available only for AV vendors.
I could test it myself, but it would not be nice to ask for the installer on purpose to show that DeepInstinct will fail to protect itself. :unsure:
Off topic, on the ZoneAlarm challenge, Sophos engine detected one variant. It seems that Sophos, at least partially, is aware of some of the method. It may be worth submitting the files on Intelix portal (intelix.sophos.com) or maybe send them an email.
 

Andy Ful
Off topic, on the ZoneAlarm challenge, Sophos engine detected one variant. It seems that Sophos, at least partially, is aware of some of the method. It may be worth submitting the files on Intelix portal (intelix.sophos.com) or maybe send them an email.

No, it is not aware. I confirmed that it very aggressively detects shortcuts that use CmdLines with cmd[.]exe . The core of the attack is in the .dat file, which is undetected.
 
Trident
No, it is not aware. I confirmed that it very aggressively detects shortcuts that use CmdLines with cmd[.]exe . The core of the attack is in the .dat file, which is undetected.
Oh, that means that Harmony Endpoint, under my policy, will not let the procedure through. CMD, amongst others, can't be executed. Smart thing for Sophos to do. Sophos relies heavily on emulation and it will not be able to emulate the *.dat file. Especially as it is read-only in the attack and other components use it.
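A simplified version of the shortcut heuristic the two posts above describe (flagging .lnk files whose stored command line invokes cmd.exe or another script host), added here as an example. It is not Sophos' detection logic and not Andy Ful's test material. The two shortcuts are constructed in memory, the parser reads only the header and the StringData fields named in it, and `build_lnk`, `parse_lnk` and `classify_shortcut` are names chosen for this example.

```python
"""Toy .lnk (MS-SHLLINK) inspector for the cmd.exe shortcut heuristic.

Added example, not code from the thread. Two shortcuts are constructed in
memory below; they are not samples from the AV challenge.
"""
import re
import struct

# ShellLinkHeader constants from MS-SHLLINK section 2.1
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
# StringData sections appear in this fixed order when their flag is set
STRING_DATA = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)
# Script hosts whose presence in the shortcut's command line the toy heuristic flags
SCRIPT_HOST = re.compile(
    r'(?:^|[\\/\s"])(?:cmd|powershell|pwsh|wscript|cscript|mshta|rundll32)(?:\.exe)?\b',
    re.IGNORECASE,
)


def _string_data(text):
    """CountCharacters (UINT16) followed by the UTF-16LE string, no terminator."""
    return struct.pack("<H", len(text)) + text.encode("utf-16-le")


def build_lnk(relative_path, arguments=None, id_list=None):
    """Build a minimal Unicode shortcut. The target is carried only in
    RELATIVE_PATH (a simplification: real shortcuts put it in the IDList)."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH
    if arguments is not None:
        flags |= HAS_ARGUMENTS
    if id_list is not None:
        flags |= HAS_LINK_TARGET_ID_LIST
    # HeaderSize, CLSID, LinkFlags, FileAttributes (ARCHIVE), three FILETIMEs,
    # FileSize, IconIndex, ShowCommand (SW_SHOWNORMAL), HotKey, Reserved1-3
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    body = b""
    if id_list is not None:
        body += struct.pack("<H", len(id_list)) + id_list  # IDListSize + items
    body += _string_data(relative_path)
    if arguments is not None:
        body += _string_data(arguments)
    return header + body


def parse_lnk(data):
    """Return the StringData fields of a shortcut as a dict."""
    if len(data) < LNK_HEADER_SIZE or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:   # IDListSize (2 bytes) + that many bytes of items
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:             # LinkInfoSize includes its own 4 bytes
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for flag, name in STRING_DATA:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        nbytes = count * 2 if unicode else count
        fields[name] = data[off:off + nbytes].decode("utf-16-le" if unicode else "cp1252")
        off += nbytes
    return fields


def classify_shortcut(data):
    """Flag shortcuts whose stored command line invokes a script host.
    The verdict says nothing about what a referenced data file contains."""
    fields = parse_lnk(data)
    cmdline = " ".join(v for v in (fields.get("relative_path", ""), fields.get("arguments", "")) if v)
    return {"fields": fields, "cmdline": cmdline, "suspicious": bool(SCRIPT_HOST.search(cmdline))}


if __name__ == "__main__":
    # Constructed samples: a Notepad shortcut and one that hands a placeholder data file to cmd.exe
    benign = build_lnk("..\\..\\Windows\\System32\\notepad.exe", "readme.txt")
    staged = build_lnk("..\\..\\Windows\\System32\\cmd.exe", "/c type payload.dat", id_list=b"\x00\x00")
    for label, blob in (("benign", benign), ("staged", staged)):
        verdict = classify_shortcut(blob)
        print(f"{label}: suspicious={verdict['suspicious']} cmdline={verdict['cmdline']!r}")
```

The verdict comes entirely from the shortcut's own target and argument strings; the data file the shortcut names is never opened. That is the gap the exchange above points at: a check of this kind fires on the cmd.exe command line while the file that actually carries the logic is not inspected at all.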
 

Trident
I find it odd that all these AV's are vulnerable to this type of attack and that no one has mentioned it before. You would think the AV companies know this and why haven't they fixed it?
There are many scenarios predicted and blocked, there are many that are reactively patched and many to be discovered yet.

When it comes to attacks with scripting involved, it’s a bit iffy as it may look like admin/user wants to execute the actions.
There is a very thin line between blocking attacks, and blocking basic OS functionality and filling up your forums with annoyed users.

The Norton WS.Reputation.1 (initially Reser.Reputation.1) is a very good example how a great idea, in this case blocking unknown executables, can piss a lot of users off and may have to be “dulled” later on — at the expense of security.

In cybersecurity there is always something to be learned.
 

Andy Ful
I find it odd that all these AV's are vulnerable to this type of attack and that no one has mentioned it before. You would think the AV companies know this and why haven't they fixed it?

Here is what they think. There are so many uncovered attack methods. We cannot discover and patch most of them. If we patch some of them, the attackers easily find unpatched ones. So, it is more practical to quickly patch the methods used in the wild and not bother about the rest.
For example, some dangerous methods were found in the Bug Bounty Program and waited nearly two years to be patched.
 
ForgottenSeer 109138

Here is what they think. There are so many uncovered attack methods. We cannot discover and patch most of them. If we patch some of them, the attackers easily find unpatched ones. So, it is more practical to quickly patch the methods used in the wild and not bother about the rest.
For example, some dangerous methods were found in the Bug Bounty Program and waited nearly two years to be patched.
There is that and the fact that every time they patch something of that effect they possibly introduce more bugs/vulnerabilities in the process, just as adding tons of 3rd-party applications widens the attack surface. It is a never-ending game of "Catch-22" between patching old issues and adding improvements/optimizations to newer features, which all add to the long list of whack-a-mole.
 

nickstar1
Avast's browser extension has not been updated since November 15, 2022, which is very concerning to me, and AVG's even longer... If they no longer want to support updates for these, they should just pull them off the stores. I don't think Avast will really care about this, considering other factors leaving the product potentially exploitable... Extensions that are no longer maintained or updated pose a significant security risk.

I brought this to attention multiple times and they don't seem to care. I have switched to the new McAfee.
 
Trident
Avast's browser extension has not been updated since November 15, 2022, which is very concerning to me, and AVG's even longer... If they no longer want to support updates for these, they should just pull them off the stores. I don't think Avast will really care about this, considering other factors leaving the product potentially exploitable... Extensions that are no longer maintained or updated pose a significant security risk.

I brought this to attention multiple times and they don't seem to care. I have switched to the new McAfee.
Yeah that is all true but not really related to Andy’s challenge. And the new cloud-based McAfee, like all AVs, will be susceptible to this disabling method.
 

Andy Ful
I managed to weaponize the "Avast's challenge" with UAC bypass.

Avast should improve the detection of UAC bypasses.
In this area, Microsoft Defender is better. It can terminate the process executed by UAC bypass, via post-launch behavior blocking. Unfortunately, the AV challenge method is too quick, and Microsoft Defender cannot prevent the attack either. :confused:
 
Andy Ful
From my experience with AV vendors and POCs, the new method is not detected/blocked until it becomes prevalent in the wild. So, even if such rare attacks appeared in the wild, the AV vendors added the malware signature without behavioral detection/block of the method.
Currently, the prevalent and well-known method is BYOVD (Bring Your Own Vulnerable Driver). For that method, Avast implemented the vulnerable driver BlockList.

My concern (so far) is not the "AV challenge", but the undetected UAC bypass commonly used in the wild. But, I cannot blame Avast, because even with this possible issue it can compete with top AVs when protecting home users.
 
