A vulnerability in how antivirus products scan files executed from SMB shares allows any known malware to bypass Windows Defender and possibly other antivirus products.
“Imagine a situation where you double-click a file and Windows loads that file, but your Antivirus scans another file or even scans nothing at all,” said Kasif Dekel, a researcher at CyberArk Labs. “Sounds weird, right? Depends on who you ask.”
The attack technique affects the scanning process over SMB shares.
In most cases, antivirus applications detect the execution of an executable file through a kernel callback and then scan the file, usually by asking a user-mode agent to do so. The process differs for executables already on disk compared to those launched from an SMB share, Dekel said in a blog post.
If the executable file is already on the hard drive, the antivirus won’t scan it at process creation, because it already scanned it at file creation. When the executable is run directly from an SMB share, however, the antivirus does scan it at process creation, Dekel said.
One of the attack vectors involves tricking the antivirus into scanning a different file from the one actually executing. To serve one file to the Windows PE loader and another to Windows Defender, a custom-implemented SMB server is used.
When the Windows PE loader creates the process and requests the executable from the SMB server, the server can deliver a malicious file. When Windows Defender then requests the same file, it is served a benign one, so the antivirus does not stop the execution.
To bypass Windows Defender, an attacker could implement the SMB protocol and build a “pseudo-server” capable of distinguishing normal requests from those coming from Windows Defender.
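A defender-side check that follows from the mechanism above, added here as an example and not taken from CyberArk or the article: because the bypass depends on launching an executable directly from an SMB share, process-creation telemetry can be triaged for images loaded from UNC paths, with unfamiliar share hosts ranked highest. The Sysmon-style field names, the event lines and the trusted-host list are constructed for this example; executions through mapped drive letters are not caught by this check.

```python
import re

# Constructed process-creation events in a Sysmon-like "key=value" layout
# (sample data for the example, not real telemetry; values contain no spaces).
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\notepad.exe ParentImage=C:\\Windows\\explorer.exe User=CORP\\alice",
    "Image=\\\\fileserver01\\apps\\installer.exe ParentImage=C:\\Windows\\explorer.exe User=CORP\\alice",
    "Image=\\\\10.0.0.77\\share\\update.exe ParentImage=C:\\Windows\\explorer.exe User=CORP\\bob",
    "Image=\\\\192.168.1.5\\tmp\\tool.exe ParentImage=C:\\Windows\\System32\\cmd.exe User=CORP\\bob",
]

# Hypothetical allowlist of file servers the organisation expects software to run from.
TRUSTED_SHARE_HOSTS = {"fileserver01"}

FIELD_RE = re.compile(r"(\w+)=(\S+)")
# Matches a UNC path (\\host\share\...) and captures the host component.
UNC_RE = re.compile(r"^\\\\([^\\]+)\\")


def parse_event(line):
    """Turn one key=value event line into a dict."""
    return dict(FIELD_RE.findall(line))


def share_host(image):
    """Return the SMB host an image was loaded from, or None for local paths."""
    m = UNC_RE.match(image)
    return m.group(1) if m else None


def triage(events, trusted=TRUSTED_SHARE_HOSTS):
    """Flag process creations whose executable came straight from an SMB share.

    Local executables are skipped: the file on disk was scanned when it was
    written, so the scanned bytes and the loaded bytes are the same file.
    """
    findings = []
    for line in events:
        ev = parse_event(line)
        host = share_host(ev.get("Image", ""))
        if host is None:
            continue
        severity = "low" if host in trusted else "high"
        findings.append({"image": ev["Image"], "host": host,
                         "user": ev.get("User"), "severity": severity})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['user']} ran {f['image']} from host {f['host']}")
```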