Security researchers from CyberArk have found a new method that enables malware to bypass Windows Defender, the anti-malware component of Microsoft Windows and the standard security software bundled with all Windows operating systems.
According to the researchers:
“Imagine a situation where you double-click a file and Windows loads that file, but your Antivirus scans another file or even scans nothing at all. Sounds weird, right? Depends on who you ask; the folks at Microsoft Security Response Center (MSRC) think there should be a feature request to handle this situation.”
To start the Illusion Gap technique, the attacker must persuade a user to execute a file hosted on a malicious SMB server under the attacker's control. This is not as difficult as it seems, since a single shortcut file is all that is required.
The issue arises after the user double-clicks the malicious file. Usually, Windows requests a copy of the file from the SMB server in order to build the process that executes it, and Windows Defender separately requests its own copy of the file in order to scan it.
“When you run an executable, most Antiviruses will catch the operation by a kernel callback (nt!PspCallProcessNotifyRoutines and nt!PsCallImageNotifyRoutines) and then scan the file, most commonly by requesting its user-mode agent to do so, using ioctls/fastio/sharedmem/APC/etc.”
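The weakness the article describes is a double-fetch: the scanner and the loader each make their own request for the file, so the verdict applies to whichever bytes the scanner happened to receive, not necessarily to the bytes the loader receives. The Python below is an added, constructed illustration of that pattern beside the hardened form (scan the one copy you fetched and load exactly those bytes); it is not CyberArk's proof of concept or Microsoft's code, and the `SimulatedShare` class, the `MALICIOUS_MARKER` signature and the toy `scan` function are stand-ins invented for this example.

```python
import hashlib

# Constructed signature: any payload containing this marker counts as "malicious".
MALICIOUS_MARKER = b"MALICIOUS_PAYLOAD"


class SimulatedShare:
    """Hypothetical stand-in for a remote file share that is asked for the
    same file more than once. Each fetch returns the next queued response,
    which models a source that does not return identical bytes on every
    request (constructed for this example, not real SMB code)."""

    def __init__(self, responses):
        self._responses = list(responses)
        self.fetch_count = 0

    def fetch(self):
        self.fetch_count += 1
        # Once the queue is exhausted, keep returning the last response.
        idx = min(self.fetch_count - 1, len(self._responses) - 1)
        return self._responses[idx]


def scan(data):
    """Toy scanner: flags the payload if it carries the constructed marker."""
    return MALICIOUS_MARKER in data


def double_fetch_execute(share):
    """Vulnerable pattern from the article: the scanner and the loader each
    request their own copy, so scanned bytes and loaded bytes can differ."""
    scanned = share.fetch()            # copy the scanner asked for
    if scan(scanned):
        return {"blocked": True, "loaded": None}
    loaded = share.fetch()             # second, independent request by the loader
    return {
        "blocked": False,
        "loaded": loaded,
        "scanned_sha256": hashlib.sha256(scanned).hexdigest(),
        "loaded_sha256": hashlib.sha256(loaded).hexdigest(),
    }


def single_fetch_execute(share):
    """Hardened pattern: fetch once, scan those bytes, and hand the very same
    bytes to the loader, so the verdict applies to what actually runs."""
    data = share.fetch()
    if scan(data):
        return {"blocked": True, "loaded": None}
    digest = hashlib.sha256(data).hexdigest()
    return {
        "blocked": False,
        "loaded": data,
        "scanned_sha256": digest,
        "loaded_sha256": digest,
    }


if __name__ == "__main__":
    clean = b"MZ...benign program image (constructed)"
    hostile = b"MZ..." + MALICIOUS_MARKER
    # A share whose first answer is the benign image and second answer the hostile one.
    print("double fetch:", double_fetch_execute(SimulatedShare([clean, hostile])))
    print("single fetch:", single_fetch_execute(SimulatedShare([clean, hostile])))
```

In the double-fetch run the scanner sees the benign image, returns no verdict against it, and the loader then receives different bytes; the mismatched SHA-256 digests in the result make the gap visible. In the single-fetch run the digests are equal by construction, which is the property a defender wants: whatever was scanned is what gets loaded, regardless of how the source behaves on later requests.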