
ESET bypassed and disabled (security risk)


Solved by itman

Recommended Posts

  • Most Valued Members
Posted (edited)

I don't know what commands were in the .bat, but could legitimate commands shut down ESET as a normal user would? I bet they do, but one thing that would stop all this, I think, is password-protected settings; once it gets to the shutdown command/kill, the password would stop it.

But I think also HIPS or Self Defense didn't detect it or didn't see this as an attack.

I don't know, but I think the password would prevent it, unless the kernel was shut down or whatever was done. I don't know, but I guess they shut down the kernel or the process; a password would prevent this unless it's vulnerable.

Edited by Nightowl

Quote

I posted it to show that the method is quite general and not related to the particular AV. It shows that kernel drivers can be disabled from UserLand without exploiting vulnerable drivers. Please note: The video is not an Eset protection test, because the presented method is not a full real-world attack.

It is possible that the method can be used as a part of a real-world attack, especially in Enterprises.
The presented method can be stopped by configuring Eset HIPS to block CMD (cmd[.]exe). But, several LOLBins can be used instead of CMD.

https://malwaretips.com/threads/esets-challenge.129485/post-1078600

I have had Eset HIPS configured to ask mode for cmd.exe child process startup for some time.

Edited by itman

  • Most Valued Members
1 minute ago, itman said:

Also, it can be disabled by group policy, and it needed Admin settings to run, which normally users don't have unless it's a home computer and the person is the admin.


The point of Andy Ful's test is that Eset should be VBS-protecting its critical drivers;

Quote

The second part of the attack can block many AV kernel drivers. It cannot block drivers protected by VBS (Virtualization-based Security).

The problem is many older PCs don't meet the minimum requirements for VBS protection: https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-vbs

However, the main protection mechanism of VBS is HVCI - Memory Integrity which my ancient PC supports;

Quote

One such example security solution is memory integrity, which protects and hardens Windows by running kernel mode code integrity within the isolated virtual environment of VBS. Kernel mode code integrity is the Windows process that checks all kernel mode drivers and binaries before they're started, and prevents unsigned or untrusted drivers or system files from being loaded into system memory. Memory integrity also restricts kernel memory allocations that could be used to compromise the system, ensuring that kernel memory pages are only made executable after passing code integrity checks inside the secure runtime environment, and executable pages themselves are never writable. That way, even if there are vulnerabilities like a buffer overflow that allow malware to attempt to modify memory, executable code pages cannot be modified, and modified memory cannot be made executable.

Edited by itman

Web protection not working properly, self-defense somewhat bypassed. Not a good week for ESET 🤔

An ESET official should privately contact Andy Ful on this matter to learn the method he used to disable ESET. He'll only share the details privately with an ESET official if they reach out to him asking for the details, and possibly take measures so that it doesn't happen again. As Andy Ful suggested, the preventive measure for this should not be a mere signature-based solution.


It would be great if ESET protected itself and its drivers from any tampering, as many users disable core isolation for extra performance or because of compatibility issues. Also, blocking CMD is not the best approach, as I use it for the sfc /scannow command to repair Windows or for other useful commands. Interactive mode, or asking the user to allow or block, is not perfect either, as many users including myself don't know if it's safe to allow a process or not, because I don't know if it's malicious or not; that's why I fully depend on the AV's automated decisions.

Providing an extra layer to improve ESET self-defense would be great, to protect against even future threats that might bypass Windows security services.

Unfortunately, some ESET technologies like Ransomware Shield rely on Intel TDT, which is available on newer generations from the 12th gen and above; this leaves some users with AMD systems or older Intel CPUs vulnerable to ransomware attacks.

ESET lately relies heavily on the cloud to protect the system. It's good, but it has its shortcomings: if the internet is slow or disconnected, the user will be vulnerable, and ESET HIPS is not enough, or not good enough, for new threats. It's less capable than Kaspersky System Watcher and Application Control, and microphone protection is missing in ESET.


5 hours ago, Ahmeduchiha said:

Unfortunately, some ESET technologies like Ransomware Shield rely on Intel TDT, which is available on newer generations from the 12th gen and above

Eset supports older Intel processors. The initial list is shown in this Eset KB article: https://support.eset.com/en/kb8336-intel-threat-detection-technology-tdt-supported-processors . This list dates to 2022, and additional later processors have been added since.

Edited by itman

But what about AMD CPU users? Also, regarding the ESET exploit, it must be mitigated properly and not just rely on core isolation. The product must not be vulnerable to such an exploit, as this puts many users at risk, especially gamers and many other users who are not aware of security and such exploits. People prefer performance, so they might disable core isolation or VBS.

I hope ESET takes a step and patches this problem, prevents any future exploits and, of course, improves product security and self-defense, or many users might switch to other products like Kaspersky.


  • Solution

Just a clarification here.

If you look at the video carefully, you will observe that Win HVCI - Memory Integrity is disabled. Also confirmed by this malwaretips.com comment:

Quote

I reposted a new video because in the old one, I forgot to mention that Memory integrity is disabled (incompatible Intel driver in Virtual Machine).

With Win HVCI - Memory Integrity enabled, this bypass won't work.

BTW - Win HVCI - Memory Integrity is by far the most important Win 10/11 security protection. It prevents kernel mode access from user mode as was done in this test. It should never be purposely disabled.

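A defender's check for the condition itman describes above (whether HVCI / Memory Integrity is actually running, as opposed to merely configured), and for the "core isolation disabled" situation raised earlier in the thread. This is an added example, not code from the thread, from Andy Ful or from ESET; it assumes an elevated PowerShell prompt on Windows 10/11 and relies on the Win32_DeviceGuard WMI class and the HypervisorEnforcedCodeIntegrity scenario registry key.

```powershell
# Added example: report whether VBS and HVCI (Memory Integrity) are running.
# Assumes an elevated PowerShell session on Windows 10/11.

$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard

# VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
$vbsStatus = switch ($dg.VirtualizationBasedSecurityStatus) {
    0       { 'not enabled' }
    1       { 'enabled but not running' }
    2       { 'running' }
    default { "unknown ($_)" }
}

# SecurityServices* arrays: 1 = Credential Guard, 2 = HVCI,
# 3 = System Guard Secure Launch, 4 = SMM Firmware Measurement
$hvciConfigured = $dg.SecurityServicesConfigured -contains 2
$hvciRunning    = $dg.SecurityServicesRunning    -contains 2

# The "Memory integrity" toggle in Windows Security is persisted under this scenario key
# (Enabled = 1 means the user or policy has turned it on).
$hvciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
$hvciRegistry = (Get-ItemProperty -Path $hvciKey -Name Enabled -ErrorAction SilentlyContinue).Enabled

[pscustomobject]@{
    VBS                 = $vbsStatus
    HvciConfigured      = $hvciConfigured
    HvciRunning         = $hvciRunning
    HvciRegistryEnabled = $hvciRegistry
} | Format-List

if (-not $hvciRunning) {
    Write-Warning 'Memory integrity (HVCI) is NOT running: kernel-mode code integrity is not hypervisor-enforced.'
    if ($hvciRegistry -eq 1 -or $hvciConfigured) {
        # Configured but not active: typically a pending reboot or an incompatible driver,
        # the same situation described in the thread for the VM with an incompatible Intel driver.
        Write-Warning 'HVCI is configured but not active; check for a pending reboot or an incompatible driver.'
    }
}
```

The Windows Security app (Device security > Core isolation) lists the specific incompatible drivers when the toggle refuses to turn on.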

  • Most Valued Members
9 hours ago, itman said:

It should never be purposely disabled.

Unfortunately, many of those who run VMs will have to disable it to enable Intel VT-x/AMD-V for their virtual machines.

Memory Integrity will prevent you from enabling this option, for example, in VMware Workstation.


Thank you for the help. Memory core isolation is enabled by default on my system and can't be disabled, so I guess that I am secure from any kernel or advanced attack.
