Malware Can Use This Trick to Bypass Ransomware Defense in Antivirus Solutions


Level 85
Thread author
Honorary Member
Top poster
Content Creator
Malware Hunter
Aug 17, 2014
Researchers have disclosed significant security weaknesses in popular software applications that could be abused to deactivate their protections and take control of allow-listed applications to perform nefarious operations on behalf of the malware to defeat anti-ransomware defenses.

The twin attacks, detailed by academics from the University of Luxembourg and the University of London, are aimed at circumventing the protected folder feature offered by antivirus programs to encrypt files (aka "Cut-and-Mouse") and disabling their real-time protection by simulating mouse "click" events (aka "Ghost Control").

"Antivirus software providers always offer high levels of security, and they are an essential element in the everyday struggle against criminals," said Prof. Gabriele Lenzini, chief scientist at the Interdisciplinary Center for Security, Reliability, and Trust at the University of Luxembourg. "But they are competing with criminals which now have more and more resources, power, and dedication."

Put differently, shortcomings in malware mitigation software could not just permit unauthorized code to turn off their protection features, design flaws in Protected Folders solution provided by antivirus vendors could be abused by, say, ransomware to change the contents of files using an that's provisioned write access to the folder and encrypt user data, or a wipeware to irrevocably destroy personal files of victims.

ForgottenSeer 85179

Security researcher I known also say (since long time ago) that's possible on rooted Android as many people think their system is secure if root isn't allowed for specific app(s).
  • Like
Reactions: Nevi and Venustus


Level 1
May 29, 2020
One way to avoid malware stopping realtime protection by simulating usee clicks is to have password protection set for the antivirus software. No simulated clicks can get you into the settings in that case.
  • Like
Reactions: Nevi and Venustus


Level 16
Top poster
Oct 13, 2019
Doesn't an AV's Self-Defense feature mitigate the ability of malware and/or ransomware to adjust AV settings?
Yeah most of them prevent you from directly killing their processes or writing to their registry settings, but not all of them detect more subtle techniques, like injecting mouseclicks or a self VNC session, or even something as simple as asking for them to be uninstalled via Add/Remove Programs.

Andy Ful

From Hard_Configurator Tools
Honorary Member
Top poster
Dec 23, 2014
The AV is the strongest part of the protection, and more profitable is attacking the weakest parts. It is worth recalling that the practical danger of this technique is not related to disabling the AV protection, but is related to bypassing the anti-ransomware protection by abusing (in any possible way) 3rd party trusted applications (document editors, photo editors, etc.). These (trusted by the AV or by the user) applications must have write access to the protected files in any anti-ransomware protection.