App Review Windows Defender Process Reimaging Filepath Bypass Demo (by McAfee)

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
BoraMurdar said:
Wow! This worries me if someone somehow access my system, disable my protection, reimage process for file that happens to sit on my disk by miracle and execute malicious action...if I was retarded.
Click to expand...

Well said!

This isnt a bypass, it is a stupid marketing clickbait.

I guess Mcafee thinks everyone is stupid as this video is.
 
  • Like
  • +Reputation
Reactions: Dave Russo, plat, blackice and 4 others
Wow I'm shaking, I guess I'll have to stop using WD and switch to McAfee!

NOT!

It's quite sad that they have to put out a video like this. It really goes to show how much WD has improved and how much WD is eatting away at 3rd party vendors marketshare People are realizing that you really don't need to use 3rd parties anymore.
 
  • Like
  • +Reputation
Reactions: BoraMurdar, plat, blackice and 3 others
The video is one year old (why it was published yesterday?). This attack is probably impossible on Windows 1903 because of WD Tamper Protection. But, one year before it could be dangerous for enterprises because servers usually work without shutting-down for many days. So, the attacker could use this technique to hide the malware for a long time.
 
  • Like
Reactions: shmu26, roger_m, plat and 6 others
Andy Ful said:
The video is one year old (why it was published yesterday?).
Click to expand...

My guess, the marketing department stumbled across it and said, oh let's publish this so we can try to convince people not to use WD, but sir it's a year old, who cares no one will notice, they will think we just made it.:p

To me this is just as bad as when Cylance was caught disabling features from their competitors to show how their solution protects better.
 
  • Like
Reactions: oldschool, BoraMurdar, Andy Ful and 2 others
It seems that Process Reimaging is related to some vulnerable Windows APIs which can retrieve file name and file path of already running executable. So any AV which uses those APIs is vulnerable to this attack, too. In June 2019 M$ has released a partial patch, closing file name attack vector in Windows 10. That is why the video was published a year after disclosing the vulnerability.

"McAfee Advanced Threat Research submitted Process Reimaging technique to Microsoft on June 5th, 2018. Microsoft released a partial mitigation to Defender in the June 2019 Cumulative update for the Process Reimaging FILE_OBJECT filename changes attack vector only. This update was only for Windows 10 and does not address the vulnerable APIs in Table 1 at the OS level; therefore, ESSs are still vulnerable to Process Reimaging. Defender also remains vulnerable to the FILE_OBJECT filepath changes attack vector executed in the bypass demo video, and this attack vector affects all Windows OS versions."

Windows ver. 1903 is also vulnerable to this attack, but it is harder to perform because of Tamper Protection. The attacker has to use the 0-day exploit for Process Reimaging and 0-day payload (in place of Mimikatz). The attack with Mimikatz will fail if WD is not temporarily disabled.
 
  • Like
Reactions: Azure, shmu26, silversurfer and 2 others
shmu26 said:
If you have malware running on your system with elevated privileges, so it can just go and turn off your AV, then it can do plenty of other things, too, so you are pwned in any case.
Click to expand...
Ha, ha. That is true, most users will not even recognize that they were infected.
Such attacks can be dangerous in targeted attacks on servers in the enterprises. The attacker can silently get admin rights, use Process Reimaging technique to hide the payload and delete all tracks of the attack. The malware can work silently for months.:(
 
  • Like
Reactions: shmu26, roger_m and harlan4096

You may also like...