I created this video as a continuation of the AVs challenge to show that the drivers of popular AVs can be tampered with from userland (with high privileges),
assuming that they are not protected by VBS.
The presented method could be used in the wild because the most important part of it is documented. If so, it has been used rarely, because I have not seen any reference to it on the web.
It does not use vulnerable drivers and does not abuse PPL.
The presented method is not a full attack, and it is not probable that it can affect home users. However, it can probably be used as part of targeted attacks on businesses.
Interestingly, Tamper Protection was bypassed in the video.
Defender is taken only as an example. The presented method was tested by the author on several well-known antiviruses, with similar effects.
Can Comodo's Auto-Containment be bypassed?
malwaretips.com
This video is a continuation of the previous one. I used the default settings of the Internet Security configuration + enabled HIPS + the most restrictive Auto-Containment for all Unrecognized files. I also confirmed that the Comodo Firewall cannot be fixed and the stopped Comodo service does not work...