Self-Defense Antivirus
As practice shows, any antivirus by design is vulnerable, and implementing the next workaround against it is not a big problem.
Our research center was interested in checking how developers of anti-virus solutions monitor the availability of descriptions of attack methods on the Internet. And is it always necessary to detect a 0-day vulnerability in an antivirus attack or is it enough to just find useful information on the forums?
Most of the analytical works devoted to this topic, as a rule, are focused on assessing the effectiveness of detection of malicious code by antiviruses, the performance of antiviruses, etc. As part of our study, we tried to find out whether solution developers of this class follow trends and modify their products in accordance with new attack methods.
Self-defense of an antivirus and its bypass in some cases means bypassing the entire mechanism for detecting malicious code. This is often used in the implementation of targeted attacks or in programs with destructive, blocking this software functionality.
After the malicious code has been introduced into the anti-virus process, it is able to exist for a long time and imperceptibly in the user's system, which, undoubtedly, is a consequence of the main logical flaw of the self-defense architecture, as well as the methodology for using trusted process lists.
Malicious code is being improved along with the development of antivirus technologies, which is very similar to some kind of arms race. All new threats appear that compromise the software of this class, disable it, completely deactivate its functionality, etc. As a result, there are growing requirements for the development of antivirus solutions that are positioned to protect after the fact. Antiviruses provide functionality for self-defense and protection against active threats. Perhaps the most controversial software mechanism of this class is developing - the self-defense mechanism.
If we systematize the internal structure of several anti-virus products, we can summarize the architecture of self-defense. As a result, we obtain the following features inherent in this mechanism and its implementation:
And, finally, the most controversial moment in the work of the self-defense mechanism: anti-virus processes become a kind of super-privileged entity, they are inaccessible to the attack of both the attacker and the ordinary user.
The consequences of introducing malicious code into the antivirus:
To conduct the study, we selected several antivirus products that meet the following requirements:
The following list turned out (At the time of testing, these were the latest versions):
Methods were tested on the Windows 7 operating system, x86_64 / x86_32, which was installed on the VMware virtual machine. In addition, individual solutions were installed on physical hardware (due to the use of VT-x / AMD-V hardware virtualization mechanisms).
For this study, several universal techniques were applied, each of which is not aimed at a specific solution and does not use the architectural weaknesses of a particular software.
Techniques such as ProxyInject, Duplicate Handle, Reparse Point, PageFile, RegSafe / RegRestore, and Shim Engine were selected. For a more detailed description of the techniques, we advise you to refer to the original text of the study “Self-defense of antiviruses” .
And for testing, a special program was used, which receives data on the equipment and the target as parameters.
Thus, the test results with a certain methodology on this sample of technicians revealed a very interesting result: the domestic anti-virus developer improved and built his defenses better than foreign vendors did.
Obviously, some companies simply do not track the evolution of public attack methods, only confirming the absurdity of their chosen architecture.
It is also worth noting that, despite all the results, the architecture as a whole does not change, and developers respond to the attacks after the fact and protect themselves from the already known attack mechanisms. This gives attackers greater freedom of action, and also provides opportunities for improving methods in the future. And until the situation changes, attackers will always be one step ahead of defense.
Our research center was interested in checking how developers of anti-virus solutions monitor the availability of descriptions of attack methods on the Internet. And is it always necessary to detect a 0-day vulnerability in an antivirus attack or is it enough to just find useful information on the forums?
Introduction
Most of the analytical works devoted to this topic, as a rule, are focused on assessing the effectiveness of detection of malicious code by antiviruses, the performance of antiviruses, etc. As part of our study, we tried to find out whether solution developers of this class follow trends and modify their products in accordance with new attack methods.
Self-defense of an antivirus and its bypass in some cases means bypassing the entire mechanism for detecting malicious code. This is often used in the implementation of targeted attacks or in programs with destructive, blocking this software functionality.
After the malicious code has been introduced into the anti-virus process, it is able to exist for a long time and imperceptibly in the user's system, which, undoubtedly, is a consequence of the main logical flaw of the self-defense architecture, as well as the methodology for using trusted process lists.
Antivirus Self-Defense
Malicious code is being improved along with the development of antivirus technologies, which is very similar to some kind of arms race. All new threats appear that compromise the software of this class, disable it, completely deactivate its functionality, etc. As a result, there are growing requirements for the development of antivirus solutions that are positioned to protect after the fact. Antiviruses provide functionality for self-defense and protection against active threats. Perhaps the most controversial software mechanism of this class is developing - the self-defense mechanism.
If we systematize the internal structure of several anti-virus products, we can summarize the architecture of self-defense. As a result, we obtain the following features inherent in this mechanism and its implementation:
- Protecting your own files and directories
- It is usually implemented by a kernel level file filter.
- Protecting your own configuration data in the registry
- It is implemented using a combination of interceptions and / or the RegistryCallback interface of the kernel.
- Antivirus Interface Protection
- Access control to various control interfaces in ring0.
- Protecting your own processes
- Implementations vary, it can be a set of different intercepts of the kernel system functions, object types, using callback to create a process.
And, finally, the most controversial moment in the work of the self-defense mechanism: anti-virus processes become a kind of super-privileged entity, they are inaccessible to the attack of both the attacker and the ordinary user.
The consequences of introducing malicious code into the antivirus:
- Global disable / block antivirus
- White List Manipulation
- Covert operation in a super privileged process
- Firewall Rules Bypass
- ...
Test methodology
Consider Antivirus Solutions
To conduct the study, we selected several antivirus products that meet the following requirements:
- Software that uses a self-defense architecture claims to be capable of responding to an active, launched threat, and has the function of proactive defense;
- Included in the list of the most popular solutions that were previously tested using various methodologies.
The following list turned out (At the time of testing, these were the latest versions):
| Developer | Product Name Version |
|---|---|
| Mcafee | McAfee Total Security 2015 (15.4.0.470.7) |
| ESET | ESET Smart Security (8.0.312.3) |
| Symantec | Norton Security (22.2.0.31) |
| Avg | AVG Internet Security 2015 (2015.0.5941) |
| Bitdefender | BitDefender Total Security 2015 (18.20.0.1429) |
| Trend micro | Trend Micro Antivirus + 2015 (AMSP 3.5.1186) |
| Avira | Avira (15.0.8.652) |
| Dr.Web | Dr.Web 10 (10.0.1.03310) |
| Kaspersky | Kaspersky Internet Security 15 (15.0.2.361) |
| Panda | Panda Internet Security 2015 (15.1.0) |
| Avast | Avast Free Antivirus (2015.10.2.2218) |
Test environment
Methods were tested on the Windows 7 operating system, x86_64 / x86_32, which was installed on the VMware virtual machine. In addition, individual solutions were installed on physical hardware (due to the use of VT-x / AMD-V hardware virtualization mechanisms).
Applied Techniques
For this study, several universal techniques were applied, each of which is not aimed at a specific solution and does not use the architectural weaknesses of a particular software.
All techniques used in this testing are available on open Internet resources for 1-3 years. Their code is not shown intentionally. Links to public sources describing these techniques can be provided only to antivirus companies only at their official request.
Techniques such as ProxyInject, Duplicate Handle, Reparse Point, PageFile, RegSafe / RegRestore, and Shim Engine were selected. For a more detailed description of the techniques, we advise you to refer to the original text of the study “Self-defense of antiviruses” .
And for testing, a special program was used, which receives data on the equipment and the target as parameters.
results
For a specific statement of the problem, the same techniques are used by our specialists during penetration tests. In the process, you have to use both the previously mentioned and develop new techniques.
It is worthwhile to understand that, in addition to these techniques, there are many others (inaccessible publicly) that are also aimed at introducing an antivirus product into work or stopping its work. And of course, there are universal tools and focused on a specific antivirus product.
conclusions
Thus, the test results with a certain methodology on this sample of technicians revealed a very interesting result: the domestic anti-virus developer improved and built his defenses better than foreign vendors did.
Obviously, some companies simply do not track the evolution of public attack methods, only confirming the absurdity of their chosen architecture.
It is also worth noting that, despite all the results, the architecture as a whole does not change, and developers respond to the attacks after the fact and protect themselves from the already known attack mechanisms. This gives attackers greater freedom of action, and also provides opportunities for improving methods in the future. And until the situation changes, attackers will always be one step ahead of defense.