CONFERENCE On Demand: Cyber AI & Automation Summit - Watch Now
Connect with us

Hi, what are you looking for?


Security Infrastructure

Flaw Allowed Attackers to Bypass FireEye Detection Engine

Researchers at Germany-based Blue Frost Security discovered a high severity vulnerability in FireEye products that allowed malicious actors to bypass the company’s detection engine and temporarily whitelist malware.

Researchers at Germany-based Blue Frost Security discovered a high severity vulnerability in FireEye products that allowed malicious actors to bypass the company’s detection engine and temporarily whitelist malware.

The vulnerability was reported to FireEye in September 2015 and it was patched the next month with the release of FireEye Operating System (FEOS) updates. However, in mid-January, FireEye asked Blue Frost to postpone its initial disclosure date by 30 days because many customers had still not applied the updates.

The flaw is related to FireEye’s Virtual Execution Engine (VXE), a system used by the company’s products to performs dynamic analysis on files. The list of affected products includes FireEye Network Security (NX), Email Security (EX), Malware Analysis (AX), and File Content Security (FX).

When conducting analysis on a Windows machine, the engine copies the targeted binary into a virtual machine with the name “malware.exe.” Before the file is analyzed, a batch script is used to copy the binary to a temporary location and rename it to its original filename.

However, researchers discovered that since the original filename is not sanitized, an attacker can assign the file a different name by tampering with Windows environment variables.

The batch script normally attempts to execute the file in the virtual machine and monitor it for malicious behavior. However, since the filename is invalid, the copying operation fails and the file is no longer executed, which results in the system detecting no malicious activity.

If a file is marked as non-malicious, its MD5 hash is added to a list of binaries that have already been analyzed. Files matching the MD5 hashes added to this whitelist are not analyzed until the next day when the list is cleared.

“This effectively allows an attacker to whitelist a binary once and then use it with an arbitrary file name in a following attack. The initial binary with the environment variable embedded in its filename could e.g. be hidden in a ZIP file together with several other benign files and sent to an unsuspicious email address,” Blue Frost Security said in its advisory. “Once this ZIP file was downloaded or sent via email a single time, the MD5 hash of the embedded malware would be whitelisted and the binary could then be used with an arbitrary file name without detection.”

Advertisement. Scroll to continue reading.

FireEye patched the vulnerability with the release of FX 7.5.1, AX 7.7.0, NX 7.6.1 and EX 7.6.2.

“On September 30th, 2015 FireEye confirmed that Blue Frost Security had discovered an evasion technique impacting some of its products. FireEye takes the security of its products and its customers very seriously and hence updates fixing the evasion were released on October 5th and October 15th,” FireEye told SecurityWeek

“We have not seen any active exploits of the evasion technique against customers, but highly urge customers to update to the latest FEOS as soon as possible to ensure they are secure. We greatly appreciate the innovative research that the security community brings us in order to protect our customers against advanced threats,” the company added.

Related: FireEye Patches Critical Flaw Found by Google Researchers

Related: Critical Flaw in FireEye Appliances Exploitable by Sending an Email

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Security Infrastructure

Security vendor consolidation is picking up steam with good reason. Everyone wants to improve security efficiency and effectiveness while paying for less.

Management & Strategy

Hundreds of companies are showcasing their products and services this week at the 2023 edition of the RSA Conference in San Francisco.

Security Infrastructure

Instead of deploying new point products, CISOs should consider sourcing technologies from vendors that develop products designed to work together as part of a...

Security Infrastructure

Comcast jumps into the enterprise cybersecurity business, betting that its internal security tools and inventions can find traction in an expanding marketplace.

Cloud Security

The term ‘zero trust’ is now used so much and so widely that it has almost lost its meaning.

Security Infrastructure

XDR's fully loaded value to threat detection, investigation and response will only be realized when it is viewed as an architecture

Security Infrastructure

While silos pose significant dangers to an enterprise's cybersecurity posture, consolidation serves as a powerful solution to overcome these risks, offering improved visibility, efficiency,...