App Review: The Zone Alarm challenge.

Content created by
Andy Ful

Sephirothnight

Hello,
Thank you for all these tests. A positive point for ZoneAlarm and Kaspersky, who are interested and want to improve their products. How would Symantec Endpoint installed on a client workstation react (without the management part)? It seems that it checks all of its drivers, but perhaps I am wrong about this. In any case, thank you for these tests.
 

Andy Ful

Thread author

Sephirothnight and Deformity,


If I correctly recall Symantec Endpoint does not work on Windows Home (I am not sure).
Panda Dome and 360 Total Security are solutions for home users. I decided to continue testing (if necessary) only on business products if the trial version is available.
 

Kongo


Sephirothnight and Deformity,


If I correctly recall Symantec Endpoint does not work on Windows Home (I am not sure).
Panda Dome and 360 Total Security are solutions for home users. I decided to continue testing (if necessary) only on business products if the trial version is available.
Now you've piqued my interest. Which business products are on your list at the moment? 👀
 

Trident

Thanks. It did not when I tried three years ago. Where can I find a working version?
Without dealing with corporate emails and trials, it is easy to get it from here.
 

Andy Ful

Thread author
Without dealing with corporate emails and trials, it is easy to get it from here.
It works. (y)
 

Andy Ful

Thread author
@Trident,

Symantec failed when the attack was done via shortcut. The attack successfully tampered with 5 drivers:
SYMEVENT64.SYS
BHDrvx64.sys
Ironx64.sys
ccSetx64.sys
SRTSP64.SYS

I used the most aggressive settings for "Virus and Spyware Protection" and "Proactive Threat Protection".
There were no alerts after the Windows restart, but the Symantec Endpoint Protection icon disappeared from the system taskbar. Security Center showed that Symantec Endpoint Protection might need some actions. But when I tried opening it, this error was shown:




If the attack was done via EXE loader, Download Insight blocked the execution and showed an alert that the EXE was unproven (low prevalence).
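A defender-side health check for the five driver files listed above, added here as an example and not code from the thread or from Symantec. It looks each file up in Win32_SystemDriver by image file name (service names are not assumed), checks that the driver is registered and running, and verifies the Authenticode signature of the file on disk, so a missing or tampered driver is reported explicitly rather than only as the general error described in the post.

```powershell
# Added example, not from the thread: report the state of the Symantec Endpoint
# Protection drivers named in the post above. Only the file names come from the post;
# service names, image paths and states are read from Win32_SystemDriver at run time.
$expectedDrivers = @('SYMEVENT64.SYS', 'BHDrvx64.sys', 'Ironx64.sys', 'ccSetx64.sys', 'SRTSP64.SYS')

# Win32_SystemDriver lists every kernel driver service with its image path and state.
$registered = Get-CimInstance -ClassName Win32_SystemDriver

function Resolve-DriverPath([string]$PathName) {
    # Image paths come back as \??\C:\..., \SystemRoot\..., or system32\...; normalise them.
    $p = $PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

$findings = foreach ($file in $expectedDrivers) {
    $hits = $registered | Where-Object {
        $_.PathName -and ([IO.Path]::GetFileName($_.PathName) -ieq $file)
    }
    if (-not $hits) {
        # No driver service points at this file: never installed, or its service entry was removed.
        [pscustomobject]@{ Driver = $file; Service = '(none)'; State = 'NOT REGISTERED'; Signature = 'n/a' }
        continue
    }
    foreach ($drv in $hits) {
        $path = Resolve-DriverPath $drv.PathName
        $sig = if (Test-Path -LiteralPath $path) {
            (Get-AuthenticodeSignature -FilePath $path).Status   # Valid, NotSigned, HashMismatch, ...
        } else { 'FILE MISSING' }
        [pscustomobject]@{ Driver = $file; Service = $drv.Name; State = $drv.State; Signature = $sig }
    }
}

$findings | Format-Table -AutoSize

# Anything not running with a valid signature deserves an alert; the AV UI alone may not say so.
$suspect = $findings | Where-Object { $_.State -ne 'Running' -or $_.Signature -ne 'Valid' }
if ($suspect) {
    Write-Warning ("Driver protection may have been tampered with: " + ($suspect.Driver -join ', '))
}
```

Run it from an elevated PowerShell session; a scheduled run that forwards the warning to a log collector turns the silent failure described above into a visible event.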
 

ForgottenSeer 109138

@Trident,

Symantec failed when the attack was done via shortcut. The attack successfully tampered with 5 drivers:
SYMEVENT64.SYS
BHDrvx64.sys
Ironx64.sys
ccSetx64.sys
SRTSP64.SYS

I used the most aggressive settings for "Virus and Spyware Protection" and "Proactive Threat Protection".
There were no alerts after the Windows restart, but the Symantec Endpoint Protection icon disappeared from the system taskbar. Security Center showed that Symantec Endpoint Protection might need some actions. But when I tried opening it, this error was shown:



If the attack was done via EXE loader, Download Insight blocked the execution and showed an alert that the EXE was unproven (low prevalence).
I guess I'm failing to understand the relevance of this test without a route of infection as well. How is the infection moving past the network into the machine, past the security, in order to establish admin rights so as to proceed with this demonstration? Obviously one with admin rights already established on the machine can perform functions that enable it to be destructive and rendering. It's widely known that once a hacker gains access you have issues. As admin you can take a whitelisted application, aka an aggressive cleaning utility, and gut Windows, and your security will just sigh.
 

ForgottenSeer 109138

It’s just a PoC, this disabling methodology; it is mentioned clearly that it’s not a real attack but can eventually be used as part of attacks.
I understand although as stated before if the attacker gains access to the system they can simply uninstall the security product for full unobstructed gain.
 

ForgottenSeer 109138

In a business environment, it is expected that the product will be protected by a password. In this case, it will be very difficult to uninstall.
Thank you for that response, as the home users now understand the difference. Home users may or may not have that ability; even so, most would not utilize it.

It's important to note these things, as the group of home users here freaking out that applications are so easily disabled need to understand the chances of this ever occurring vs. what's realistic.
 

Trident

Thank you for that response, as the home users now understand the difference. Home users may or may not have that ability; even so, most would not utilize it.

It's important to note these things, as the group of home users here freaking out that applications are so easily disabled need to understand the chances of this ever occurring vs. what's realistic.
The antivirus uninstall/disabling method will be more suitable for early stages of attacks, so the rest can be hidden. If they’ve gained full access with no detection yet, they probably won’t need to tamper with defences or they will be able to add exclusions.
Depends on how the product is managed.

For cloud-managed products that require 2FA, it will be impossible to add exclusions as well. It will also be impossible to uninstall defences quietly without anyone noticing anything.
Whoever is managing the EDR will notice the disconnection as well.
 

Andy Ful

Thread author
I understand although as stated before if the attacker gains access to the system they can simply uninstall the security product for full unobstructed gain.

This cannot be done without informing the user about the AV uninstallation. Microsoft and the AV vendors provided special protections to prevent malware running with high privileges from tampering with some services and drivers. As can be seen, those protections can be bypassed.
In the case of Symantec Endpoint Protection, I invalidated 5 drivers, but the user and AV show only a general error. The user still does not know what happened. Is it a temporary error with services? Is it a conflict with the Windows Update? There is no sign of malicious actions.
 
