A new technique called Illusion Gap can bypass Windows Defender


Security researchers from CyberArk have found a new method that enables malware to bypass Windows Defender, the anti-malware component of Microsoft Windows and the default security software that ships with every current Windows operating system.

According to the researchers:
“Imagine a situation where you double-click a file and Windows loads that file, but your Antivirus scans another file or even scans nothing at all. Sounds weird, right? Depends on who you ask; the folks at Microsoft Security Response Center (MSRC) think there should be a feature request to handle this situation.”

To start the Illusion Gap technique, the attacker must persuade a user to execute a file hosted on a malicious SMB server under the attacker's control. This is not as difficult as it seems, as a single shortcut file is all that is required.

The issue arises after the user double-clicks the malicious file. Normally, Windows requests a copy of the file from the SMB server in order to build the process that will execute it, and Windows Defender separately requests its own copy of the file in order to scan it. Because these are two independent requests, the SMB server can answer each one differently, so the file that is scanned need not be the file that is executed.

“When you run an executable, most Antiviruses will catch the operation by a kernel callback (nt!PspCallProcessNotifyRoutines and nt!PsCallImageNotifyRoutines) and then scan the file, most commonly by requesting its user-mode agent to do so, using ioctls/fastio/sharedmem/APC/etc.”
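The two paragraphs above describe a double-fetch gap: the scanner and the loader each read the file separately, so an inconsistent source can hand them different bytes. The following toy model is an added illustration, not code from the CyberArk write-up or from Windows Defender. It assumes nothing about SMB; the source, the sample contents and the stand-in scanner are all constructed here purely to show why a check that reads the data once and then loads exactly those scanned bytes closes the gap, while a check that reads twice does not.

```python
"""Toy model of a scan-then-load double fetch (added illustration, not from the article).

A source that may answer a later read differently from the first one, a naive
check that scans one read and loads another, and a hardened check that scans
exactly the bytes it loads.
"""
import hashlib
from typing import List, Optional, Dict

# Constructed sample contents. They stand in for file bytes; neither is real code.
CLEAN_BYTES = b"MZ-constructed-clean-sample"
FLAGGED_BYTES = b"MZ-constructed-flagged-sample"

# Constructed "signature database": the stand-in scanner flags by SHA-256.
KNOWN_BAD_HASHES = {hashlib.sha256(FLAGGED_BYTES).hexdigest()}


def is_flagged(data: bytes) -> bool:
    """Stand-in scanner: flags data whose hash is in the constructed bad list."""
    return hashlib.sha256(data).hexdigest() in KNOWN_BAD_HASHES


class InconsistentSource:
    """Models a remote source whose reply depends on which request it is serving.

    The article's point is that the scanner's read and the loader's read are
    separate requests. Here the first read returns `responses[0]`, the second
    `responses[1]`, and any later read repeats the last entry.
    """

    def __init__(self, responses: List[bytes]) -> None:
        self._responses = responses
        self.reads = 0

    def read(self) -> bytes:
        idx = min(self.reads, len(self._responses) - 1)
        self.reads += 1
        return self._responses[idx]


def naive_scan_then_load(source: InconsistentSource) -> Dict[str, Optional[object]]:
    """Vulnerable pattern: scan one fetch, then load a second, unrelated fetch."""
    scanned = source.read()
    if is_flagged(scanned):
        return {"blocked": True, "loaded": None, "scanned_matches_loaded": None}
    loaded = source.read()  # a second request: nothing ties it to what was scanned
    return {
        "blocked": False,
        "loaded": loaded,
        "scanned_matches_loaded": scanned == loaded,
    }


def hardened_scan_then_load(source: InconsistentSource) -> Dict[str, Optional[object]]:
    """Single fetch: the bytes that are scanned are the bytes that are loaded."""
    data = source.read()
    if is_flagged(data):
        return {"blocked": True, "loaded": None, "scanned_matches_loaded": None}
    return {"blocked": False, "loaded": data, "scanned_matches_loaded": True}


if __name__ == "__main__":
    # First read (scanner) gets clean bytes, second read (loader) gets flagged bytes.
    print(naive_scan_then_load(InconsistentSource([CLEAN_BYTES, FLAGGED_BYTES])))
    print(hardened_scan_then_load(InconsistentSource([CLEAN_BYTES, FLAGGED_BYTES])))
```

The naive path reports the flagged content as loaded with `scanned_matches_loaded` false: the scan passed, but it passed on bytes the loader never saw. The hardened path reads once, so an inconsistent source can only choose which single content both the scan and the load see. Real mitigations amount to the same property: copy the remote file locally and scan and execute that one local copy, or have the scanner inspect the mapped image the loader actually uses, rather than re-requesting it from the remote share.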

Unallocated Author

Please note that the article you are reading has an unallocated author as the original author is no longer employed at latesthackingnews.com, this has been put in place to adhere with general data protection regulations (GDPR). If you have any further queries, please contact: [email protected]