- Sep 3, 2017
- 825
- Content source
- https://youtu.be/dQogaxinTXk
Windows Defender Process Reimaging Filepath Bypass Demo (by McAfee)
- Thread starter Mahesh Sudula
- Start date
It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
- Aug 30, 2012
- 6,598
Wow! This worries me if someone somehow access my system, disable my protection, reimage process for file that happens to sit on my disk by miracle and execute malicious action...if I was retarded.
- Jul 15, 2016
- 321
- May 26, 2014
- 1,339
Well said!
This isnt a bypass, it is a stupid marketing clickbait.
I guess Mcafee thinks everyone is stupid as this video is.
- Feb 8, 2016
- 537
Sounds as much as a marketing campaign to sell their flop anti-virus.
Wow I'm shaking, I guess I'll have to stop using WD and switch to McAfee!
NOT!
It's quite sad that they have to put out a video like this. It really goes to show how much WD has improved and how much WD is eatting away at 3rd party vendors marketshare People are realizing that you really don't need to use 3rd parties anymore.
NOT!
It's quite sad that they have to put out a video like this. It really goes to show how much WD has improved and how much WD is eatting away at 3rd party vendors marketshare People are realizing that you really don't need to use 3rd parties anymore.
- Dec 23, 2014
- 8,513
The video is one year old (why it was published yesterday?). This attack is probably impossible on Windows 1903 because of WD Tamper Protection. But, one year before it could be dangerous for enterprises because servers usually work without shutting-down for many days. So, the attacker could use this technique to hide the malware for a long time.
How Pro's use a Computer:
1. Disable real-time protection to simulate zero-day malware.
2. Add File to exclusion to prevent detection
1. Disable real-time protection to simulate zero-day malware.
2. Add File to exclusion to prevent detection
My guess, the marketing department stumbled across it and said, oh let's publish this so we can try to convince people not to use WD, but sir it's a year old, who cares no one will notice, they will think we just made it.
To me this is just as bad as when Cylance was caught disabling features from their competitors to show how their solution protects better.
- Aug 17, 2014
- 11,112
In NTDLL I Trust - Process Reimaging and Endpoint Security Solution Bypass | McAfee Blog
Process Reimaging Overview The Windows Operating System has inconsistencies in how it determines process image FILE_OBJECT locations, which impacts
securingtomorrow.mcafee.com
- Dec 23, 2014
- 8,513
It seems that Process Reimaging is related to some vulnerable Windows APIs which can retrieve file name and file path of already running executable. So any AV which uses those APIs is vulnerable to this attack, too. In June 2019 M$ has released a partial patch, closing file name attack vector in Windows 10. That is why the video was published a year after disclosing the vulnerability.
"McAfee Advanced Threat Research submitted Process Reimaging technique to Microsoft on June 5th, 2018. Microsoft released a partial mitigation to Defender in the June 2019 Cumulative update for the Process Reimaging FILE_OBJECT filename changes attack vector only. This update was only for Windows 10 and does not address the vulnerable APIs in Table 1 at the OS level; therefore, ESSs are still vulnerable to Process Reimaging. Defender also remains vulnerable to the FILE_OBJECT filepath changes attack vector executed in the bypass demo video, and this attack vector affects all Windows OS versions."
Windows ver. 1903 is also vulnerable to this attack, but it is harder to perform because of Tamper Protection. The attacker has to use the 0-day exploit for Process Reimaging and 0-day payload (in place of Mimikatz). The attack with Mimikatz will fail if WD is not temporarily disabled.
"McAfee Advanced Threat Research submitted Process Reimaging technique to Microsoft on June 5th, 2018. Microsoft released a partial mitigation to Defender in the June 2019 Cumulative update for the Process Reimaging FILE_OBJECT filename changes attack vector only. This update was only for Windows 10 and does not address the vulnerable APIs in Table 1 at the OS level; therefore, ESSs are still vulnerable to Process Reimaging. Defender also remains vulnerable to the FILE_OBJECT filepath changes attack vector executed in the bypass demo video, and this attack vector affects all Windows OS versions."
Windows ver. 1903 is also vulnerable to this attack, but it is harder to perform because of Tamper Protection. The attacker has to use the 0-day exploit for Process Reimaging and 0-day payload (in place of Mimikatz). The attack with Mimikatz will fail if WD is not temporarily disabled.
- Jul 3, 2015
- 8,153
If you have malware running on your system with elevated privileges, so it can just go and turn off your AV, then it can do plenty of other things, too, so you are pwned in any case.
- Dec 23, 2014
- 8,513
Ha, ha. That is true, most users will not even recognize that they were infected.
Such attacks can be dangerous in targeted attacks on servers in the enterprises. The attacker can silently get admin rights, use Process Reimaging technique to hide the payload and delete all tracks of the attack. The malware can work silently for months.
Similar threads
