Researchers claim Windows Defender can be fooled into deleting databases

BLACK HAT ASIA Researchers at US/Israeli infosec outfit SafeBreach last Friday discussed flaws in Microsoft and Kaspersky security products that can potentially allow the remote deletion of files. And, they asserted, the hole could remain exploitable – even after both vendors claim to have patched the problem.

Speaking at the Black Hat Asia conference in Singapore, SafeBreach’s VP of Security Research Tomer Bar and security researcher Shmuel Cohen explained that Microsoft Defender and Kaspersky’s Endpoint Detection and Response (EDR) can be made to detect false positive indicators of malicious files – and then to delete them.

The attack relies on the fact that Microsoft and Kaspersky use byte signatures – unique sequences of bytes in file headers – to detect malware.

“Our goal was to confuse EDR by implanting malware signatures into legit files and make them think it’s malicious,” explained the researchers in their Black Hat presentation.

To achieve this, Bar and Cohen first found a byte signature associated with malware on the platform VirusTotal, then inserted it into a database – by doing things like creating a new user with a name that includes the signature.

The EDR program then deemed the database storing the signature to be infected by malware.

If EDR is set to delete infected files, it will do so. The pair argued that databases or virtual machines could therefore be deleted remotely.

At this point, readers might think this technique is nice in theory, but would require access to files.

The researchers point out such access is easy: registering as a new user on a website, and using a name that contains a byte signature, could see an EDR perceive a database as dangerous. So could using a byte signature in a comment on a video.

Whatever technique is used to get the signature into a file, if EDR deletes it then applications that rely on its presence will fail.

“You have a service that is trying to access the database. The database file is gone, because we inserted the malicious signature. So the service cannot start up,” Cohen explained.

The researchers found in their experience that the file deletion by EDR was irreversible from within the security tools – restoring data meant reverting to backups.
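Because the deletion could not be undone from within the tools, a defender wants to hear about a detection on a data store before or as soon as remediation runs. The following is an added example, not code from the article or from SafeBreach: it triages Defender events (IDs 1116 "threat detected" and 1117 "action taken") that touch database or virtual-disk files. The JSON export schema, the extension list, and the sample events are assumptions constructed for illustration.

```python
import json
from pathlib import PureWindowsPath

# Defender Operational log: 1116 = threat detected, 1117 = remediation action taken.
DETECTED, ACTION_TAKEN = 1116, 1117
DESTRUCTIVE = {"remove", "quarantine", "clean"}
# Assumption: extensions treated as data stores in this environment.
DATA_EXTS = {".mdf", ".ldf", ".sqlite", ".db", ".edb", ".vhdx", ".vmdk"}

# Constructed sample events; the JSON field names are a hypothetical export
# schema, not Defender's native event format.
SAMPLE = r'''
{"time":"2024-04-19T08:01:12Z","event_id":1116,"host":"db01","threat":"Constructed.Sig.A","path":"D:\\data\\users.mdf","action":"none"}
{"time":"2024-04-19T08:01:13Z","event_id":1117,"host":"db01","threat":"Constructed.Sig.A","path":"D:\\data\\users.mdf","action":"Remove"}
{"time":"2024-04-19T08:05:40Z","event_id":1117,"host":"ws17","threat":"Constructed.Sig.B","path":"C:\\Users\\amy\\Downloads\\setup.exe","action":"Quarantine"}
{"time":"2024-04-19T08:09:02Z","event_id":1116,"host":"hv02","threat":"Constructed.Sig.A","path":"E:\\vm\\web01.vhdx","action":"none"}
'''

def triage(lines):
    """Return (severity, event) pairs for detections that touch data-store files."""
    findings = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if PureWindowsPath(ev["path"]).suffix.lower() not in DATA_EXTS:
            continue  # ordinary file: leave to normal AV handling
        if ev["event_id"] == ACTION_TAKEN and ev["action"].lower() in DESTRUCTIVE:
            findings.append(("critical", ev))  # data store already remediated
        elif ev["event_id"] == DETECTED:
            findings.append(("warning", ev))   # detection only: review before cleanup
    return findings

def shared_threats(findings):
    """Threat names seen on data stores of more than one host."""
    hosts = {}
    for _, ev in findings:
        hosts.setdefault(ev["threat"], set()).add(ev["host"])
    return {t: sorted(h) for t, h in hosts.items() if len(h) > 1}

if __name__ == "__main__":
    found = triage(SAMPLE)
    for sev, ev in found:
        print(sev, ev["host"], ev["path"], ev["threat"], ev["action"])
    print("same signature on several hosts:", shared_threats(found))
```

The same threat name appearing on data files across unrelated hosts is treated here as a hint that the match came from stored user input rather than a real infection; that heuristic is an assumption of this example.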

The implications of this scenario are unknown, because the researchers were scared of some of the potential outcomes associated with testing vulnerabilities.

“We thought: ‘All Azure clouds are run with Microsoft products and Defender exists on Azure’,” Cohen mused. “We really thought that we can attack Azure cloud with this attack, but we were really scared to try it because we don’t know the implication. We could really destroy a production database all over the world, and this could be irreversible. So we were really scared to try to do it ourselves.”

SafeBreach therefore reported its findings to Microsoft in January 2023, and in April of that year CVE-2023-24860 and a patch were issued.

Kaspersky did not release a fix at that time. The security vendor claimed the issue was not a security vulnerability because “the product’s behavior is more driven by design.” It did concede it was “planning some improvements to mitigate this issue.”

Cohen revealed he later tested Kaspersky’s product, and the mitigations seemed to work – but he cannot guarantee the patches cannot be bypassed.

“We chose to focus on Defender not because it’s Microsoft, but because it’s widely spread much more than Kaspersky,” he said.

To further test the Microsoft fix, the duo went out and found a different byte signature – and were able to bypass Redmond’s patch. In August 2023 SafeBreach again reported its findings to Microsoft, which again acknowledged their work with the December release of CVE-2023-3601.

At that point, finding further bypasses became harder. The patch implemented a whitelist, but the researchers were able to circumvent that with a PowerShell command to ignore exceptions.

“If the scanned file starts with 0xFD, and if the file size is aligned to 256 bytes, if both are true, it won’t trigger a detection even if a malicious signature was formed. So our goal is to bypass the whitelist, to trigger the deletion of another baseline,” explained Bar during the conference presentation.

A third report was the end of the line for Microsoft. The tech giant cited Microsoft Security Servicing Criteria for Windows, stating a “bypass of a defense-in-depth security feature by itself does not pose a direct risk as an attacker must also have found a vulnerability that affects a security boundary or they must rely on additional techniques such as social engineering to achieve the initial stage of a device compromise.”

As for the first two reports – the deletion bypass – Microsoft expressed appreciation for SafeBreach’s disclosures:

Cohen believes the problem is well understood by Microsoft, and agreed the software giant was amenable and collaborative. But he argued that the flaw is so rooted inside Defender that removing it entirely would require the product to be redesigned.

“It’s a very hard thing to solve,” the researcher told The Reg. Microsoft’s position is that users can block the attack vectors through means such as putting files in protected folders that Defender won’t touch, changing configurations, and other mitigations.

The overall lesson, according to Cohen and Bar, is that remote deletion vulnerabilities are especially difficult to fix when the security controls rely on byte signature detection.

“Patching should not be treated as a magic bullet, and other security layers should protect against a single point of failure,” suggested the duo. They warned that “security patches fixing vulnerabilities in security controls might introduce bypasses and unexpected behaviors.”

Defender and Kaspersky are not the only ones having difficulty with EDR as an offensive tool. Earlier on Friday, a very busy Cohen gave another presentation that focused on Palo Alto Networks Cortex XDR. He detailed how he bypassed significant security features of the anti-malware product. ®