App Review Eset's challenge.

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Content created by
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,145
This video is an addition to the :

I posted it to show that the method is quite general and not related to the particular AV. It shows that kernel drivers can be disabled from UserLand without exploiting vulnerable drivers.
Please note: The video is not an Eset protection test, because the presented method is not a full real-world attack.
It is possible that the method can be used as a part of a real-world attack, especially in Enterprises.
The presented method can be stopped by configuring Eset HIPS to block CMD (cmd[.]exe). But, several LOLBins can be used instead of CMD.

Andy Ful

I wonder how you block AV services and if it would work with Kaspersky & Bitdefender :unsure:

The second part of the attack can block many AV kernel drivers. It cannot block drivers protected by VBS (Virtualization-based Security).
The first part uses a shortcut with CmdLines. The CmdLines can use several LOLBins to initialize the attack. In the video, I used the CMD LOLBin.
The current AVs have some chances to stop the first part of the attack by blocking CmdLines or LOLBins. So, the attack can be successful in some settings and fail in others.

Trident

Level 28
Verified
Top Poster
Well-known
Feb 7, 2023
1,739
The first part uses a shortcut with CmdLines. The CmdLines can use several LOLBins to initialize the attack. In the video, I used the CMD LOLBin.
The current AVs have some chances to stop the first part of the attack by blocking CmdLines or LOLBins. So, the attack can be successful in some settings and fail in others.
Are you aiming at the filter drivers? And does it affect only kernel-mode services? What if an application has multiple services in user and kernel mode, will all be affected? Interesting how no attempts for repair are made by Comodo and Eset… They certainly must have some scheduled tasks as well that should be able to perform a check.

Andy Ful

Is this attack test fit for products like OSArmor or CyberLock, or do they simply block CMD, so it won't be a fair test evaluating their mechanism like AI or suspicious?

I do not know OSA and CyberLock well, so I cannot answer the question. Furthermore, those security applications are not standalone-type protections, so they do not require advanced auto-protection.

Andy Ful

Are you aiming at the filter drivers? And does it affect only kernel-mode services? What if an application has multiple services in user and kernel mode, will all be affected?

Yes, for all the above questions.

Interesting how no attempts for repair are made by Comodo and Eset.

My videos do not exclude that the repair can happen later. All AVs are connected to the cloud and can send some telemetry.

Andy Ful

I wonder if there is any point in reporting this to Eset in some way?

The problem is that submitting POCs in a standard way is pretty much useless. Some time ago in another MT thread, I presented a method (without details) to disable Microsoft Defender and use any malware to infect the computer. It was a full attack POC and it did not require high privileges. I use Microsoft Defender in daily work and developed a few security applications, so I submitted several POCs to prevent such attacks in the wild. After a few weeks, the attack could still be successful with simple modifications.
After a few months, a similar method was included in the arsenal of Red Teams, and then Microsoft finally improved Tamper Protection.

So, the solution would be discussing the attack method with someone who directly works on the AV code and not only on adding new signatures.
