
THE ADVENTURES OF AV AND THE LEAKY SANDBOX


itman

Recommended Posts

We describe and demonstrate a novel technique for exfiltrating data from highly secure enterprises which employ strict egress filtering - that is, endpoints have no direct Internet connection, or the endpoints’ connection to the Internet is restricted to hosts required by their legitimately installed software. Assuming the endpoint has a cloud-enhanced anti-virus product installed, we show that if the anti-virus (AV) product employs an Internet-connected sandbox as part of its cloud service, it actually facilitates such exfiltration. We release the tool we developed to implement the exfiltration technique, and we provide real-world results from several prominent AV products (by Avira, ESET, Kaspersky and Comodo).

Ref. https://www.blackhat.com/docs/us-17/thursday/us-17-Kotler-The-Adventures-Of-Av-And-The-Leaky-Sandbox-wp.pdf


4 hours ago, itman said:


thx for sharing.. hmm.. I once used a similar way to the one described in this doc to sniff the AV sandbox :rolleyes:


Forgot to add that ESET mitigated the issue. Appears Kaspersky is the only one who intends to do nothing about the issue:

VENDOR STATUS

Cloud AV sandboxes

• Avira – fixed on May 2nd (10h30m!).
• ESET – fixed on May 15th or before.
• Comodo – fixed on May 26th.
• Kaspersky – provided to us on July 14th with the following statement: "If customers are concerned about this scenario, they may configure their device and security settings accordingly."

Edited by itman

20 hours ago, itman said:


I remembered Microsoft's username in its engine was "JohnDoe". Not sure if they have fixed it or not.

Edited by 0xDEADBEEF