App Review Microsoft Defender's challenge.

[Andy Ful]

Content source

https://youtu.be/A7HkFKebrvY

Edit.
I reposted a new video because in the old one, I forgot to mention that Memory integrity is disabled (incompatible Intel driver in Virtual Machine).

 

[Bot]

Thanks for sharing this video! It's always helpful to see Microsoft Defender in action. Let's discuss the key points and any questions you may have.

 

[Andy Ful]

I created this video as the continuation of the AVs challenge to show that the drivers of popular AVs can be tampered with from Userland (with high privileges), assuming that they are not protected by VBS.
The presented method could be used in the wild because the most important part of it is documented. If so, it was used rarely because I did not see any reference on the web.
It does not use vulnerable drivers and does not abuse PPL.

The presented method is not a full attack, and it is not probable that it can affect home users. However, it can probably be used as a part of targeted attacks in businesses.
Interestingly, Tamper protection was bypassed in the video.

Defender is taken only as an example. The presented method was tested by the author on several well-known Antiviruses, with similar effects.

App Review - The Comodo's challenge.

Can Comodo's Auto-Containment be bypassed?

malwaretips.com

App Review - Comodo's challenge part 2.

This video is a continuation of the previous one. I used the default settings of Internet Security configuration + enabled HIPS + most restrictive Auto-Containment for all Unrecognized files. I also confirmed that the Comodo Firewall cannot be fixed and the stopped Comodo's service does not work...

malwaretips.com

App Review - Eset's challenge.

malwaretips.com

 

[Trident]

Looks like they are all vulnerable to this.

 

[blackice]

@Andy Ful may just force some big improvements across the industry.

 

[Dave Russo]

Kind of upsetting, administration privileges need to be hacked to run this kind of attack?, or human error, allowing by being deceived?

 

[Trident]

Kind of upsetting, administration privileges need to be hacked to run this kind of attack?, or human error, allowing by being deceived?

There are various UAC bypasses but the more you prolong the attack chain, the more likely it is to be intercepted by behavioural monitors. It will need to be tested as part of a real attack, for example, the script may write another encoded script (injector or something) to the registry and may try to bypass UAC.

 

[ErzCrz]

Interesting it affects so many AVs. I'd love to see what the affect is with DefenderUI for it;'s Defender Guard feature and whether CyberLock detects this attack.

Nice test as always.

 

[Andy Ful]

@Andy Ful may just force some big improvements across the industry.

I would like, but it is hardly possible.

 

[WhiteMouse]

However, it can probably be used as a part of targeted attacks in businesses.

No, this attack is not stealthy. It leaves a huge red X mark and someone will investigate why the antivirus service is off.

 

[LennyFox]

Edit.
I reposted a new video because in the old one, I forgot to mention that Memory integrity is disabled (incompatible Intel driver in Virtual Machine).

Does not that automatically imply that Credential Guard and Virtualisation Based Security is disabled also (besides running SUA, probably the only defenses against your PoC)?

 

[Andy Ful]

No, this attack is not stealthy. It leaves a huge red X mark and someone will investigate why the antivirus service is off.

You are right. If this attack is treated as a full attack, it is kinda stupid.
But, in the wild in targeted attacks, it can be probably done via lateral movement. The AV will be dismantled only for a while to apply some changes deeply hidden in the system, and delete tracks.
Another advantage is that the AV can be invalidated only partially, by disabling one particular driver.

 

[Andy Ful]

Does not that automatically imply that Credential Guard and Virtualisation Based Security is disabled also (besides running SUA, probably the only defenses against your PoC)?

Credential Guard is not important in this method. The attack cannot work for drivers protected by VBS. I am not sure which Defender's drivers can be protected in that way.
I did not test how Memory Integrity can affect the attack. Anyway, Memory Integrity is often disabled in organizations due to some incompatible drivers.

 

[rashmi]

Interesting it affects so many AVs.

Why are you surprised? Almost all AVs in the consumer space will fail. You were unnecessarily worried about Comodo. @Andy Ful explained the tests, how or why it’s not an issue for home users, and that Comodo is a strong suite. Appreciate the tests, disregard the pseudo-experts, and save yourself from the mind-numbing essays on Comodo. I think Kaspersky might survive the attack.

 

[harlan4096]

K. also failed hehe...

 

[rashmi]

K. also failed hehe...

Where is the test video? It's not there in the review segment.

 

[Shadowra]

Appreciate the tests, disregard the pseudo-experts, and save yourself from the mind-numbing essays on Comodo. I think Kaspersky might survive the attack.

We wonder who you're aiming for

 

[rashmi]

We wonder who you're aiming for

I don't bother replying to them, ignoring their posts.

 

[LennyFox]

Credential Guard is not important in this method. The attack cannot work for drivers protected by VBS. I am not sure which Defender's drivers can be protected in that way.
I did not test how Memory Integrity can affect the attack. Anyway, Memory Integrity is often disabled in organizations due to some incompatible drivers.

Thanks, although most home users have memory integrity enabled (is on by default, see link) also would protected processes prevent shutting doen the service?

BTW glad I am using your WHHL , WDAC-ISG uses higher integrity level than admin rights (discussed on reddit)

Spoiler: protected processes

 

[Trident]

K. also failed hehe...

They are all gonna fail because this seems to be based on how antivirus with all of its components is integrated and managed within Windows…