Vendors Respond to Method for Disabling Their Antivirus Products via Safe Mode


Level 57
Content Creator
Oct 9, 2016
Microsoft and several major cybersecurity companies have responded to a researcher’s disclosure of a method for remotely disabling their antivirus products by leveraging the Windows safe mode.

Researcher Roberto Franceschetti last week published an advisory, a blog post, a video and proof-of-concept (PoC) exploits demonstrating a method that could be used by an attacker to disable anti-malware products from Microsoft (Windows Defender), Avast, Bitdefender, F-Secure and Kaspersky.

The researcher showed how an attacker with elevated privileges could run a script that locally or remotely disables an antivirus by rebooting the device in safe mode and renaming its application directory before its associated service is launched. Franceschetti said he managed to conduct successful attacks on Windows 10 and Windows Server 2016 against products from Microsoft, Avast, Bitdefender, F-Secure and Kaspersky even if they had anti-tamper features enabled.

While conducting an attack requires elevated privileges, Franceschetti argued that many Windows home users have local admin permissions. Moreover, in the case of companies, he noted, “If a large company had for example 100 users who were local admins to all the company's workstations (ex. desktop/helpdesk staff) or their server admins, all I had to do was to trick ONE of them to launch a .bat file to disable antivirus protection on ALL of the endpoints in the company.”

“The whole point of implementing tamper protection on antivirus files, folders and Windows servers is to prevent even local admins from disabling AV protection. Have any of you tried to stop your AV services? You can't! That's the whole point of my exploit,” he wrote.

Continue Reading
Last edited by a moderator: