- Content source
- https://youtu.be/A7HkFKebrvY
Edit.
I reposted a new video because in the old one, I forgot to mention that Memory integrity is disabled (incompatible Intel driver in Virtual Machine).
Last edited:
Microsoft Defender's challenge.
- Thread starter Andy Ful
- Start date
It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Edit.
I reposted a new video because in the old one, I forgot to mention that Memory integrity is disabled (incompatible Intel driver in Virtual Machine).
Thanks for sharing this video! It's always helpful to see Microsoft Defender in action. Let's discuss the key points and any questions you may have.
I created this video as the continuation of the AVs challenge to show that the drivers of popular AVs can be tampered with from Userland (with high privileges), assuming that they are not protected by VBS.
The presented method could be used in the wild because the most important part of it is documented. If so, it was used rarely because I did not see any reference on the web.
It does not use vulnerable drivers and does not abuse PPL.
The presented method is not a full attack, and it is not probable that it can affect home users. However, it can probably be used as a part of targeted attacks in businesses.
Interestingly, Tamper protection was bypassed in the video.
Defender is taken only as an example. The presented method was tested by the author on several well-known Antiviruses, with similar effects.
malwaretips.com
malwaretips.com
The presented method could be used in the wild because the most important part of it is documented. If so, it was used rarely because I did not see any reference on the web.
It does not use vulnerable drivers and does not abuse PPL.
The presented method is not a full attack, and it is not probable that it can affect home users. However, it can probably be used as a part of targeted attacks in businesses.
Interestingly, Tamper protection was bypassed in the video.
Defender is taken only as an example. The presented method was tested by the author on several well-known Antiviruses, with similar effects.
App Review - Comodo's challenge part 2.
This video is a continuation of the previous one. I used the default settings of Internet Security configuration + enabled HIPS + most restrictive Auto-Containment for all Unrecognized files. I also confirmed that the Comodo Firewall cannot be fixed and the stopped Comodo's service does not work...
malwaretips.com
App Review - Eset's challenge.
malwaretips.com
Last edited:
Looks like they are all vulnerable to this.
@Andy Ful may just force some big improvements across the industry.
Kind of upsetting, administration privileges need to be hacked to run this kind of attack?, or human error, allowing by being deceived?
There are various UAC bypasses but the more you prolong the attack chain, the more likely it is to be intercepted by behavioural monitors. It will need to be tested as part of a real attack, for example, the script may write another encoded script (injector or something) to the registry and may try to bypass UAC.
Interesting it affects so many AVs. I'd love to see what the affect is with DefenderUI for it;'s Defender Guard feature and whether CyberLock detects this attack.
Nice test as always.
Nice test as always.
No, this attack is not stealthy. It leaves a huge red X mark and someone will investigate why the antivirus service is off.
F
ForgottenSeer 107474
Does not that automatically imply that Credential Guard and Virtualisation Based Security is disabled also (besides running SUA, probably the only defenses against your PoC)?
You are right. If this attack is treated as a full attack, it is kinda stupid.
But, in the wild in targeted attacks, it can be probably done via lateral movement. The AV will be dismantled only for a while to apply some changes deeply hidden in the system, and delete tracks.
Another advantage is that the AV can be invalidated only partially, by disabling one particular driver.
Last edited:
Credential Guard is not important in this method. The attack cannot work for drivers protected by VBS. I am not sure which Defender's drivers can be protected in that way.
I did not test how Memory Integrity can affect the attack. Anyway, Memory Integrity is often disabled in organizations due to some incompatible drivers.
Last edited:
Why are you surprised? Almost all AVs in the consumer space will fail. You were unnecessarily worried about Comodo. @Andy Ful explained the tests, how or why it’s not an issue for home users, and that Comodo is a strong suite. Appreciate the tests, disregard the pseudo-experts, and save yourself from the mind-numbing essays on Comodo. I think Kaspersky might survive the attack.
- Apr 28, 2015
- 9,386
- 1
- 84,789
- 8,389
Where is the test video? It's not there in the review segment.
I don't bother replying to them, ignoring their posts.We wonder who you're aiming for
F
ForgottenSeer 107474
Thanks, although most home users have memory integrity enabled (is on by default, see link) also would protected processes prevent shutting doen the service?
BTW glad I am using your WHHL
, WDAC-ISG uses higher integrity level than admin rights (discussed on reddit)
Last edited by a moderator:
They are all gonna fail because this seems to be based on how antivirus with all of its components is integrated and managed within Windows…
You may also like...
-
Microsoft Defender Antivirus feat AI Defender- Started by Shadowra
- Replies: 13
-
-
Kaspersky Premium vs McAfee Advanced
- Started by Shadowra
- Replies: 87
-
Entreprise Antivirus Comparative : Cylance - CrowdStrike - Cynet - DeepInstinct
- Started by Shadowra
- Replies: 18
-