Windows Defender, which is by default an anti-threat software for Windows operating system can be bypassed using a technique called Illusion Gap. Security Researchers at CyberArk on this Thursday published a blog post explaining about this new technique of bypassing Windows Defender called Illusion Gap.
(Windows Defender is widely used as a default anti-malware program in windows systems and people rely on it a lot.)
The Researchers in their report mentioned that they encountered a strange behavior in the file scanning process of Windows Defender.
“Imagine a situation where you double-click a file and Windows loads that file, but your Antivirus scans another file or even scans nothing at all. Sounds weird, right? Depends on who you ask; the folks at Microsoft Security Response Center (MSRC) think there should be a feature request to handle this situation.” said Security Researcher at CyberArk in their Blog post.
Attack Process
All you have to do is make the target execute a file which is hosted in the attackers’ server. When a target runs the malicious file, windows will request a copy of the file to attackers SMB server for Windows PE loader (Windows task building process), Windows Defender also requests a copy of the file to the SMB server for scanning it, when the request is made from Windows Defender the server will either deny the request or will send a clean file for scanning.
Here is a pictorial representation of the explanation by CyberArk.
Researchers still haven’t tested this technique on other anti-viruses.
Note: For PDF’s on Kali Linux and its tools follow this link.