Agnitum Outpost Security Suite 2-line proactive protection bypass

    I previously mentioned this and even shared a video demonstration, but without revealing the details. Unfortunately, the developer ignored the matter and did not respond to my letter about the problem (my report was registered on October 2, 2012 under the number sb-ru-02-121000048-t). So I decided to show all the technical details. The following video demonstration was first shown at ZeroNights 2012 as part of the zeroday show.

    Background


    Such vulnerabilities are often found by accident, and my case is no exception. Once, at midnight on a full moon, I installed Outpost Security Suite and set proactive protection to its maximum mode. In this mode, even a newly inserted USB flash drive is not mounted in the system until you allow several actions in the antivirus pop-up windows. One time, when I inserted a new flash drive, the antivirus pop-up appeared as usual, but I did not give consent to the installation. I then locked the computer in the usual way (Win + L) and left it for several minutes. What a surprise when I returned and found that the flash drive had been mounted in the system anyway! And that is where the fun began...

    The essence of the problem



    In training mode, when Outpost proactive protection detects suspicious activity by a program, it asks the user what to do. But if the workstation is locked (which is what happens when you press Win + L) while such a dialog is still open, the antivirus treats this as permission.

    This process can be automated with a bat file of just 2 lines:

    start 1.exe
    ping 127.0.0.1 -n 10 -w 10000 > NUL & rundll32.exe user32.dll,LockWorkStation

    Ping is used here as a delay (although there is a more elegant solution), after which the Lock command (rundll32.exe user32.dll,LockWorkStation) is executed.
    That is, we run 1.exe, wait a few seconds (so that the antivirus displays its dialog) and then lock the workstation.
    Moreover, on Lock you can watch the antivirus icon change from blue to green. This means it switches from training mode to permissive mode (everything that is not explicitly forbidden is allowed), which weakens the protection. For example, programs that are not explicitly forbidden from going online will now be able to. After logging back in, the icon turns blue again. (UPD: this was the behaviour in older versions (6.0). Recent versions switch to lock mode instead, which does not weaken the protection at all. Thanks to Andersen for pointing this out.)

    Demonstration



    The essence of the demonstration:
    1. We check that the system does not have the "test test test service" service (we try to stop it, and the system answers that there is no such service)
    2. Run the bat file (which runs the service installer)
    3. In DebugView we see that the driver started AFTER the system was locked, not before
    4. Again we try to stop the "test test test service" service. This time it succeeds.
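    The tell-tale sign in the demonstration is a service install landing after the workstation was locked. As an added example (not from the original post), the script below hunts for that pattern in event-log-style records: Security event 4800 (workstation locked) and 4801 (unlocked) bracket the locked interval, and any System event 7045 (a service was installed) inside it is flagged. The sample records are constructed to mirror the demo; the function and record layout are my own.

```python
"""Flag services installed while the workstation was locked.

Windows event IDs used: Security 4800 = locked, 4801 = unlocked,
System 7045 = new service installed. A 7045 inside a locked interval
is exactly what the 2-line bat file produces, and nobody could have
approved a HIPS prompt at that moment.
"""
from datetime import datetime

# Constructed sample records: (timestamp, log, event_id, detail)
SAMPLE_EVENTS = [
    ("2012-10-02 00:00:05", "Security", 4800, "user=alice"),
    ("2012-10-02 00:00:12", "System", 7045, "service=test test test service"),
    ("2012-10-02 00:05:40", "Security", 4801, "user=alice"),
    ("2012-10-02 09:15:00", "System", 7045, "service=Printer Spooler Helper"),
]


def parse(records):
    """Turn the tuple records into (datetime, log, event_id, detail)."""
    return [(datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), log, eid, d)
            for t, log, eid, d in records]


def locked_intervals(events):
    """Return (lock, unlock) pairs; a lock without unlock is open-ended."""
    intervals, start = [], None
    for ts, log, eid, _ in sorted(events):
        if log == "Security" and eid == 4800 and start is None:
            start = ts
        elif log == "Security" and eid == 4801 and start is not None:
            intervals.append((start, ts))
            start = None
    if start is not None:
        intervals.append((start, datetime.max))
    return intervals


def installs_while_locked(records):
    """List (timestamp, detail) of service installs during a locked interval."""
    events = parse(records)
    intervals = locked_intervals(events)
    return [(ts.isoformat(sep=" "), detail)
            for ts, log, eid, detail in events
            if log == "System" and eid == 7045
            and any(a <= ts <= b for a, b in intervals)]


if __name__ == "__main__":
    for when, what in installs_while_locked(SAMPLE_EVENTS):
        print(f"ALERT {when}: {what} installed while workstation locked")
```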




    The following versions of Agnitum Outpost Security Suite were tested for vulnerability:
    1. 7.5.3 (3942.608.1810)
    2. 7.6 (3984.693.1842)


    Upd (12/18/2012): the manufacturer fixed the vulnerability in version 8.0 (4164.652.1856), dated December 17, 2012.
