App Review - The Emsisoft Enterprise Security challenge.

Content created by
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,226
I created this video as the continuation of the AVs challenge to show that Antimalware kernel drivers and protected services of popular AVs can be tampered with (from Userland with high privileges), assuming that they are not protected by VBS.
The presented method could be used in the wild because the most important part of it is documented. If so, it was used rarely because I did not see any reference on the web.
It does not use vulnerable drivers and does not abuse PPL.

The presented method is not a full attack, and it is not probable that it can affect home users. However, it can probably be used as a part of targeted attacks in businesses.
Emsisoft is taken only as an example. The presented method was tested by the author on several well-known Antiviruses, with similar effects.

App Review - The Comodo's challenge.

App Review - Comodo's challenge part 2.

App Review - Eset's challenge.

App Review - Microsoft Defender's challenge.

App Review - Bitdefender's challenge.

App Review - The Zone Alarm challenge.


Andy Ful

I slightly changed the attack method using an EXE file instead of a shortcut. Emsisoft uses the Behavior Blocker to monitor/block suspicious actions of unknown executables.
The EXE file prepared by me bypassed the Behavior Blocker.
After invalidating the drivers, Emsisoft correctly recognized that something was wrong and tried to fix the problem. But it failed.

Andy Ful

Very surprised that his Behavior Blocker and EDR didn't react...

I am not. It does not mean in any way that Behavior Blocker and EDR are weak.:)
The method used in my videos closely mimics administrative actions. That is why all tested AVs have serious problems with detection.

Andy Ful

I would like to test the Business/Enterprise versions, but the trial versions often require a business email or credit card. I do not like to expose my credit card and do not use business email.

Trident

Level 29
Verified
Top Poster
Well-known
Feb 7, 2023
1,817
Not from the Windows OS viewpoint.
If it is done the way I think it’s done, Microsoft documents this as “troubleshooting”. It may be needed when users are experiencing issues with backup software or opening files. It is not a Windows flaw and alone by itself is not enough to trigger behavioural blocking.

Depending on the AV’s behavioural blocking profiles/ machine learning models, this may be a high risk action when combined with other events. Alone by itself may just be recorded but it probably doesn’t meet the necessary threshold to trigger removal.

Real attackers may attempt to modify portions of the executable or to pack it, which by itself can trigger various detections.

Andy Ful

Real attackers may attempt to modify portions of the executable or to pack it, which by itself can trigger various detections.

In the era of malware as a service, the real attacker will find a way to do it without triggering detections.
Even I could do it, and I am not a criminal genius.:unsure:
For example, one needs only a simple loader (with UAC bypass) to weaponize the attack. Such loaders are common nowadays.
Thank god that the logic of the attack is not suited to the home environment.

Andy Ful

Hi Andy,

did the UAC bypass already happen before you clicked "Yes" on the UAC alert? Iow, if you had clicked No instead or cancelled, the bypass already occurred?

When the default "No" is chosen, the attack will fail.
In the real attack, a more probable scenario would be a silent UAC bypass (no user interaction).

Andy Ful

But just like a skilled detective can think like a criminal for solving a crime, you can think like one in creating your bypasses
:D

It is good when the developer of security-oriented applications tries to think sometimes like a malware detective. :)

Kevin at Emsisoft

From Emsisoft
Verified
Developer
Mar 25, 2024
5
@Andy Ful

This is Kevin from Emsisoft; we received a report about the issue you reported here on the MalwareTips forums. Please send us all the files you used to bypass our software to support@emsisoft.com. Please include my name in the subject, to ensure that our support team can route the ticket to me. I will forward the files and the link to your video to our development team.

In the future, we would appreciate if you sent such issues directly to us. This ensures that we get the information promptly and can act on it quickly.