MichaelEngstler

Members
  • Posts

    1
  • Joined

  • Last visited

About MichaelEngstler

  • Rank
    Newbie

Profile Information

  • Gender
    Male
  • Location
    Israel
  1. Hi Guys, it's Michael from Cybellum. ESET has done a great job in designing its AV and its self-protection, but we found a few issues that needed to be fixed in order to improve the way ESET protects itself. That's why we decided to contact ESET in November 2016 and work together with them. We believe our mutual work has improved ESET's security, and as gratitude we even received an official acknowledgement from ESET for our discovery (attached).

     What were these issues?

     1. Non-Protected Processes. We found a list of processes that are not Protected Processes (including egui.exe, attached) and therefore could suffer from code injection vulnerabilities like DoubleAgent. Moreover, most of these processes' registry keys were not protected by ESET Registry Protection and could be modified by an attacker. We knew from the beginning that ekrn.exe was a Protected Process and have never stated that it's vulnerable; our focus was rather on exploiting the non-Protected Processes.

     2. ESET Registry Protection Bypass. Although most of the time ESET did manage to protect its most crucial keys (ekrn.exe and egui.exe), on some occasions it failed to protect them, leaving an open door for attackers to directly attack ekrn.exe and egui.exe. We are not sure why this is happening, but I've created a POC video demonstrating an ESET Registry Protection Bypass using DoubleAgent. This video was made a few minutes ago, so it obviously affects the latest version of ESET.

     It's important to note that apart from these issues, ESET has done a very good job protecting itself and managed to block everything we threw at it. ESET has also done a great job communicating with us, and hopefully a new patch will be released soon to close the issues that were left open.

     Michael Engstler, Co-Founder & CTO, Cybellum
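The post above reports two defensive gaps: AV processes whose per-executable registry keys are not protected, and occasions where that protection failed. As an added audit example (not code from the post, from Cybellum or from ESET), the script below reads the Image File Execution Options (IFEO) keys that the Application Verifier mechanism used by DoubleAgent relies on, reports any executable for which a verifier DLL is configured, and lists ACL entries that would let broad, non-administrative principals modify the keys for the process names the post mentions (ekrn.exe and egui.exe). The IFEO location, the GlobalFlag bit 0x100 and the VerifierDlls value are Windows facts about Application Verifier; that DoubleAgent uses them is my assumption about the technique, not something the post states. The script only reads the registry and changes nothing.

```powershell
# Added audit script; not from the original post, Cybellum or ESET.
# Assumption: DoubleAgent-style injection enables Application Verifier for a
# target executable via its IFEO key (GlobalFlag bit 0x100 plus VerifierDlls).
# Run as an administrator to see the full ACLs; read-only, nothing is modified.

$IfeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

# Process names taken from the post; extend with any others you want flagged.
$WatchList = @('ekrn.exe', 'egui.exe')

# Principals that should never hold write rights on an AV process's IFEO key.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

function Get-VerifierHooks {
    # Returns one record per IFEO subkey that has Application Verifier enabled
    # or a VerifierDlls value set, marking entries on the watch list.
    param([string[]]$Roots = $IfeoRoots)
    foreach ($root in $Roots) {
        if (-not (Test-Path -Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
            $flag  = [int]($props.GlobalFlag -as [int])   # $null becomes 0
            $dlls  = $props.VerifierDlls
            if (($flag -band 0x100) -or $dlls) {
                [pscustomobject]@{
                    Executable   = $key.PSChildName
                    Key          = $key.Name
                    GlobalFlag   = ('0x{0:X}' -f $flag)
                    VerifierDlls = $dlls
                    OnWatchList  = ($WatchList -contains $key.PSChildName)  # case-insensitive
                }
            }
        }
    }
}

function Get-WeakIfeoAcl {
    # Lists Allow ACEs that grant key-modifying rights to broad principals on
    # the IFEO keys of the watched executables. A missing key is not reported:
    # whether an attacker may *create* it depends on the parent key's ACL.
    param([string[]]$Executables = $WatchList, [string[]]$Roots = $IfeoRoots)
    $writeMask = [System.Security.AccessControl.RegistryRights]::SetValue `
        -bor [System.Security.AccessControl.RegistryRights]::CreateSubKey `
        -bor [System.Security.AccessControl.RegistryRights]::WriteKey `
        -bor [System.Security.AccessControl.RegistryRights]::ChangePermissions `
        -bor [System.Security.AccessControl.RegistryRights]::TakeOwnership
    foreach ($root in $Roots) {
        foreach ($exe in $Executables) {
            $path = Join-Path -Path $root -ChildPath $exe
            if (-not (Test-Path -Path $path)) { continue }
            foreach ($ace in (Get-Acl -Path $path).Access) {
                $canWrite = (($ace.RegistryRights -band $writeMask) -ne 0)
                if ($ace.AccessControlType -eq 'Allow' -and $canWrite -and
                    ($BroadPrincipals -contains $ace.IdentityReference.Value)) {
                    [pscustomobject]@{
                        Executable = $exe
                        Key        = $path
                        Principal  = $ace.IdentityReference.Value
                        Rights     = $ace.RegistryRights
                    }
                }
            }
        }
    }
}

Write-Host '== Executables with Application Verifier hooks configured =='
Get-VerifierHooks | Format-Table -AutoSize

Write-Host '== Watched IFEO keys writable by broad principals =='
Get-WeakIfeoAcl | Format-Table -AutoSize
```

An empty second table is the expected result on a host where the vendor's self-protection covers these keys; a row in the first table for a watched executable that you did not configure yourself is worth investigating, since legitimate use of Application Verifier on an AV process is rare. Because the post says the protection failed only "on some occasions", scheduling the script to run periodically and diffing its output gives more signal than a single pass.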