A new technique called Illusion Gap can bypass Windows Defender

Security researchers from CyberArk have found a new method that enables malware to bypass Windows Defender, which is an anti-malware component of Microsoft Windows and the standard security software that combined with all Windows operating systems.

According to the researchers:
“Imagine a situation where you double-click a file and Windows loads that file, but your Antivirus scans another file or even scans nothing at all. Sounds weird, right? Depends on who you ask; the folks at Microsoft Security Response Center (MSRC) think there should be a feature request to handle this situation.”

To start the Illusion Gap technique, the attacker must persuade a user to execute a file hosted on a malicious SMB server under his control. This is not as difficult as it seems, as a single shortcut file is all that’s required.

The issue happens after the user double-clicks on the malicious file. Usually, Windows will request from the SMB server a copy of the file for the task of building the process that executes the file, also Windows Defender will request a copy of the file to scan it.

“When you run an executable, most Antiviruses will catch the operation by a kernel callback (nt!PspCallProcessNotifyRoutines and nt!PsCallImageNotifyRoutines) and then scan the file, most commonly by requesting its user-mode agent using to do so, using ioctls/fastio/sharedmem/APC/etc.”

Related posts

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients

Anti-Spam WordPress Plugin Vulnerabilities Risked 200K+ Websites