Windows Defender, the default anti-malware software for the Windows operating system, can be bypassed using a technique called Illusion Gap. Security researchers at CyberArk published a blog post this Thursday explaining this new Windows Defender bypass technique, which they named Illusion Gap.
(Windows Defender is widely used as the default anti-malware program on Windows systems, and many users rely on it entirely.)
The researchers mentioned in their report that they had encountered strange behavior in Windows Defender's file-scanning process.
“Imagine a situation where you double-click a file and Windows loads that file, but your Antivirus scans another file or even scans nothing at all. Sounds weird, right? Depends on who you ask; the folks at Microsoft Security Response Center (MSRC) think there should be a feature request to handle this situation,” said a security researcher at CyberArk in the blog post.
All an attacker has to do is get the target to execute a file hosted on the attacker's SMB server. When the target runs the file, Windows requests a copy of it from the attacker's SMB server for the Windows PE loader (the process-creation path). Windows Defender also requests a copy of the file from the SMB server in order to scan it, but when the request comes from Windows Defender, the server either denies it or serves a clean file for scanning. The loader and the scanner therefore never see the same bytes.
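The security-relevant point is a time-of-check/time-of-use gap: the scanner and the loader fetch the file independently, so a remote source that answers the two fetches differently can get unscanned bytes executed. The script below is an added example (not CyberArk's or Microsoft's code) that models that gap in the abstract. The `InconsistentShare` class is a constructed stand-in that simply returns a list of responses in order; it implements no protocol and no requester identification. It contrasts the vulnerable two-fetch pattern with the hardened pattern (fetch once, scan the staged copy, execute those same bytes) and shows the detection rule a defender would want: the hash of what was scanned must equal the hash of what was loaded. The marker string `EVIL-MARKER` and the `toy_scanner` function are assumptions standing in for a real AV signature and engine.

```python
"""Model of the scan/execute mismatch described for Illusion Gap.

Added example; the share classes are constructed abstractions of a remote file
source, not an SMB implementation.
"""
import hashlib
from typing import Callable, Dict, List

Scanner = Callable[[bytes], str]

# Constructed sample contents standing in for a benign and a flagged executable.
CLEAN_SAMPLE = b"MZ\x90\x00 constructed benign image"
EVIL_SAMPLE = b"MZ\x90\x00 constructed image containing EVIL-MARKER"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class ConsistentShare:
    """Well-behaved source: every read returns the same bytes."""

    def __init__(self, content: bytes) -> None:
        self._content = content

    def read(self) -> bytes:
        return self._content


class InconsistentShare:
    """Constructed source that answers successive reads with different bytes.

    This only models the observable effect the article describes (the scanner
    and the loader receive different content); it does not model how a server
    would tell the two requesters apart.
    """

    def __init__(self, responses: List[bytes]) -> None:
        self._responses = list(responses)

    def read(self) -> bytes:
        # Serve responses in order, then keep repeating the last one.
        if len(self._responses) > 1:
            return self._responses.pop(0)
        return self._responses[0]


def toy_scanner(data: bytes) -> str:
    """Stand-in for an AV engine: flags a constructed marker string."""
    return "malicious" if b"EVIL-MARKER" in data else "clean"


def scan_then_execute_two_fetches(share, scanner: Scanner) -> Dict[str, object]:
    """Vulnerable pattern: scanner and loader each fetch the file on their own."""
    scanned = share.read()          # what the scanner sees
    loaded = share.read()           # what the loader actually maps
    verdict = scanner(scanned)
    return {
        "verdict": verdict,
        "scanned_sha256": sha256(scanned),
        "loaded_sha256": sha256(loaded),
        # Bypass: scanner said clean, yet the loaded bytes would have been flagged.
        "bypass": verdict == "clean" and scanner(loaded) != "clean",
    }


def scan_then_execute_staged(share, scanner: Scanner) -> Dict[str, object]:
    """Hardened pattern: fetch once, scan the staged copy, execute the same bytes."""
    staged = share.read()
    verdict = scanner(staged)
    digest = sha256(staged)
    return {
        "verdict": verdict,
        "scanned_sha256": digest,
        "loaded_sha256": digest,    # the loader is handed the staged copy, nothing else
        "bypass": False,            # clean verdict and loaded bytes refer to the same data
    }


def divergence_detected(result: Dict[str, object]) -> bool:
    """Detection rule: scanned and loaded bytes must hash identically."""
    return result["scanned_sha256"] != result["loaded_sha256"]


if __name__ == "__main__":
    tricky = InconsistentShare([CLEAN_SAMPLE, EVIL_SAMPLE])
    r = scan_then_execute_two_fetches(tricky, toy_scanner)
    print("two fetches:", r["verdict"], "bypass" if r["bypass"] else "no bypass",
          "divergence" if divergence_detected(r) else "consistent")
    r = scan_then_execute_staged(InconsistentShare([CLEAN_SAMPLE, EVIL_SAMPLE]), toy_scanner)
    print("staged:     ", r["verdict"], "bypass" if r["bypass"] else "no bypass",
          "divergence" if divergence_detected(r) else "consistent")
```

The mitigation the model illustrates is architectural rather than signature-based: as long as the bytes handed to the loader are the very bytes the scanner examined (a locally staged copy, or a scan performed on the loader's own mapped image), a source that answers differently per request gains nothing. The hash comparison is the cheapest signal that the two paths have diverged.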
Here is a pictorial representation of the explanation by CyberArk.
The researchers have not yet tested this technique against other antivirus products.