Computer security experts discovered a way to bypass the Windows Defender antivirus protection during an in-depth audit application audit. This allows hackers to seek out similar potential intrusion paths in order security software.
Microsoft’s Own Windows Defender Antivirus Found Insecure
Security experts from CyberArk Labs uncovered a strange mechanisms which is used by Microsoft’s antivirus software Windows Defender during an in-depth security audit. This led to the discovery of a way to bypass its malware engine, a technique which can be exploited by criminals if the issue remains unpatched. A worrisome detail is the fact that this can be used with other applications as well. The issue lies within the ability of a supposed malicious individual to fool the Windows Defender real-time scanning engine.
The experts uncovered that the fault lies within the way the program scans files over the network. Microsoft Windows uses the SMB protocol which features complex signals that give information about the data. The security engineers discovered that hackers have the ability to give out malware-infected files. This is done by replacing the benign files when the request is issued with malware ones.
The SMB protocol is integrated into the Microsoft Windows operating system and operates in a way which allows the hackers to exploit the file handles by purposely failing the handle command during a malware scan request. Effectively this means that the Windows Defender real-time scan is bypassed.
Such a security bypass can be accomplished using several methods, one of which is by looking for a specific network protocol flag which signals for a Windows Defender antivirus scan request. To initiate the security abuse the criminals need to implement the SMB protocol by creating and a SMB “pseudo-server” that is able to differentiate between the specific Windows Defender scan requests and other options.
Another option would be to use another SMB protocol trick to impersonate the SEC_IDENTIFY flag which effectively blocks handle creations, this prohibits the Windows Defender scan from being produced. The hackers can devise a dropper which can take advantage of the vulnerability in a relatively simple script. It is possible to use this tactic and utilize it with other security software if they are found to feature the same behavior patterns.
When the experts reported the threat to Microsoft they received an answer from the security team stating that changes in the way Windows Defender handles scanning are a feature request and not a legitimate issue. According to the company the way this attack is carried out relies predominantly on the fact that a custom server and an untrusted SMB share is accessed by the user.
All of this means that users need to be cautious even when accessing network files as the computer criminals can easily create such fake SMB servers and serve malware files. The security community rates the problem as as particularly sensitive because of the fact that malicious users can execute this strategy particularly easy once a target network has been infiltrated.