App Review The Zone Alarm challenge.

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Content created by
Andy Ful

Sephirothnight

Level 1
Sep 19, 2018
10
Bonjour,
thank you for all these tests. The positive point, for zonealarm and Kaspersky who are interested and want to improve their products. How could Symantec endpoint installed on a client workstation react (without the management part)? It seems that it checks all of its drivers, perhaps I am wrong about this statement. In any case, thank you for these tests.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,559

Sephirothnight and Deformity,​


If I correctly recall Symantec Endpoint does not work on Windows Home (I am not sure).
Panda Dome and 360 Total Security are solutions for home users. I decided to continue testing (if necessary) only on business products if the trial version is available.
 
Last edited:

Kongo

Level 36
Verified
Top Poster
Well-known
Feb 25, 2017
2,597

Sephirothnight and Deformity,​


If I correctly recall Symantec Endpoint does not work on Windows Home (I am not sure).
Panda Dome and 360 Total Security are solutions for home users. I decided to continue testing (if necessary) only on business products if the trial version is available.
Now you've piqued my interest. Which business products are on your list at the moment? 👀
 

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
Thanks. It did not when I tried three years ago. Where can I find a working version?
Without dealing with corporate emails and trials, it is easy to get it from here.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,559
Without dealing with corporate emails and trials, it is easy to get it from here.
It works. (y)
 
  • Like
Reactions: Trident

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,559
@Trident,

Symantec failed when the attack was done via shortcut. The attack successfully tampered with 5 drivers:
SYMEVENT64.SYS
BHDrvx64.sys
Ironx64.sys
ccSetx64.sys
SRTSP64.SYS

I used the most aggressive settings for "Virus and Spyware Protection" and "Proactive threat Protection".
There were no alerts after Windows restart, but the Symantec Endpoint Protection icon disappeared from the System TaskBar. Security Center showed that Symantec Endpoint Protection might need some actions. But when I tried opening it, the error was shown:

1712770985446.png



If the attack was done via EXE loader, Download Insight blocked the execution and showed an alert that the EXE was unproven (low prevalence).
 
F

ForgottenSeer 109138

@Trident,

Symantec failed when the attack was done via shortcut. The attack successfully tampered with 5 drivers:
SYMEVENT64.SYS
BHDrvx64.sys
Ironx64.sys
ccSetx64.sys
SRTSP64.SYS

I used the most aggressive settings for "Virus and Spyware Protection" and "Proactive threat Protection".
There were no alerts after Windows restart, but the Symantec Endpoint Protection icon disappeared from the System TaskBar. Security Center showed that Symantec Endpoint Protection might need some actions. But when I tried opening it, the error was shown:

View attachment 282721


If the attack was done via EXE loader, Download Insight blocked the execution and showed an alert that the EXE was unproven (low prevalence).
I guess I'm failing to understand the relevance of this test without route of infection also. How is the infection moving past the network into the machine past the security in order to establish admin rights so as to proceed with this demonstration. Obviously one with admin rights already established in the machine can perform functions that enable it to be destructive and rendering. It's widely known once a hacker gains access you have issues. As admin you can take a whitelisted application aka aggressive cleaning utility and gut windows and your security will just sigh.
 
  • Like
Reactions: roger_m and Trident
F

ForgottenSeer 109138

It’s just a PoC this disabling methodology, it is mentioned clearly that it’s not a real attack but can be used as part of attacks eventually.
I understand although as stated before if the attacker gains access to the system they can simply uninstall the security product for full unobstructed gain.
 
  • Like
Reactions: Trident
F

ForgottenSeer 109138

On a business environment, it is expected that the product will be protected by password. In this case, it will be very difficult to uninstall.
Thank you for that response as the home users now understand the difference. Home users may or may not have that ability, even so most would not utilize it.

It's important to note these things as the group of home users here freaking that applications are so easily disabled, they need to understand the chances of this ever occuring vs what's realistic.
 
  • Like
Reactions: Trident

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
Thank you for that response as the home users now understand the difference. Home users may or may not have that ability, even so most would not utilize it.

It's important to note these things as the group of home users here freaking that applications are so easily disabled, they need to understand the chances of this ever occuring vs what's realistic.
The antivirus uninstall/disabling method will be more suitable for early stages of attacks, so the rest can be hidden. If they’ve gained full access with no detection yet, they probably won’t need to tamper with defences or they will be able to add exclusions.
Depends on how the product is managed.

For cloud-managed products that require 2FA it will be impossible to add exclusions as well. It also will be impossible to uninstall defences quietly without anyone noticing anything.
Whoever is managing the EDR will notice the disconnection as well.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,559
I understand although as stated before if the attacker gains access to the system they can simply uninstall the security product for full unobstructed gain.

This cannot be done without informing the user about the AV uninstallation. Microsoft and the AV vendors provided special protections to prevent the malware running with high privileges from tampering with some services and drivers. As it can be seen those protections can be bypassed.
In the case of Symantec Endpoint Protection, I invalidated 5 drivers, but the user and AV show only a general error. The user still does not know what happened. Is it a temporary error with services? Is it a conflict with the Windows Update? There is no sign of malicious actions.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top