Microsoft and several major cybersecurity companies have responded to a researcher’s disclosure of a method for remotely disabling their antivirus products by leveraging the Windows safe mode.
Researcher Roberto Franceschetti last week published an advisory, a blog post, a video and proof-of-concept (PoC) exploits demonstrating a method that could be used by an attacker to disable anti-malware products from Microsoft (Windows Defender), Avast, Bitdefender, F-Secure and Kaspersky.
The researcher showed how an attacker with elevated privileges could run a script that locally or remotely disables an antivirus by rebooting the device in safe mode and renaming its application directory before its associated service is launched. Franceschetti said he managed to conduct successful attacks on Windows 10 and Windows Server 2016 against products from Microsoft, Avast, Bitdefender, F-Secure and Kaspersky even if they had anti-tamper features enabled.
While conducting an attack requires elevated privileges, Franceschetti argued that many Windows home users have local admin permissions. Moreover, in the case of companies, he noted, “If a large company had for example 100 users who were local admins to all the company’s workstations (ex. desktop/helpdesk staff) or their server admins, all I had to do was to trick ONE of them to launch a .bat file to disable antivirus protection on ALL of the endpoints in the company.”
“The whole point of implementing tamper protection on antivirus files, folders and Windows servers is to prevent even local admins from disabling AV protection. Have any of you tried to stop your AV services? You can’t! That’s the whole point of my exploit,” he wrote.
Response from Microsoft and antivirus vendors
The researcher believes this is a design flaw in Windows, so he reported his findings to Microsoft. However, the tech giant closed his report because the attack requires admin privileges.
“Reports that are predicated on having administrative/root privileges are not valid reports because a malicious administrator can do much worse things,” Microsoft said, telling the researcher that his submission “does not meet the bar for security servicing.”
The tech giant has confirmed to SecurityWeek that it does not plan on taking any action.
Franceschetti said there is not much antivirus vendors can do to prevent attacks, but noted that products from Bitdefender and Kaspersky did block some versions of his exploit — although he claimed he bypassed the detection by tweaking the exploit.
SecurityWeek has reached out to the vendors named in Franceschetti’s report and some of them say they do plan on taking steps to prevent potential attacks.
“This cybersecurity solutions bypass is possible because of the described design flaw in operating systems, and it is not a fault of the solutions themselves. As it is stated in the article, Kaspersky’s solution initially blocked the bypass; however, the researcher was able to tweak it in order for it to work. We are currently working to provide generic protection for this kind of bypass; it will likely be released in the coming weeks,” said Kaspersky’s Anti Malware Research team.
Avast stated, “We have confirmed Roberto Franceschetti’s finding that the described method can be used, in specific scenarios, to disable some antivirus protection suites. We believe this to be of a low severity because administrator privileges are required, and an administrator would be expected to have control of the device in question. Nevertheless, we’ve prepared a fix which is currently going through our quality assurance processes before being rolled out to our customers as soon as possible.”
F-Secure stated, “This type of scenario, where an attacker has already compromised a system and elevated themselves to admin, is well-known in the cyber security industry. To attain this level of compromise, standard endpoint protection mechanisms will have already been bypassed multiple times. Those familiar with the art understand that standard endpoint protection mechanisms are not designed to combat such attacks. This is why we and many other cyber security companies emphasize the importance of endpoint detection and response (EDR) security solutions as a complement to preventative security products. Our own EDR offering is more than capable of detecting such attacks.”
Bogdan Botezatu, director of threat research and reporting at Bitdefender, said the company was made aware of the research prior to its publication and it has determined that “this is neither a vulnerability nor unexpected behavior.”
“The described attack scenario requires several prerequisites that disqualify it from being used remotely in a real-life attack. For instance, it requires local administrative access, which means that the user is already in full control of the entire machine and can perform any action ranging from deleting or installing software to tampering with OS functions, registry keys, and files,” Botezatu explained.