back to article Microsoft downplays alarm over Windows Defender 'flaw'

Security researchers have uncovered what they believe is a vulnerability that allows malware to completely bypass Windows Defender. Microsoft dismissed the report as of "limited practical applicability" in practice (i.e. a low-risk threat). The team at CyberArk Labs nonetheless claims the security shortcoming could impact tens …

  1. Anonymous Coward

    Security Researchers

    There are some very good ones, then some just seem to be little more than click bait generators.

    If you do this and this, then this, ignore this, grant admin to this, ignore 10 warnings, and do this, sit at the pc and this, then this, be a domain admin and then click and ignore this, then you can "Wow Hack the PC!"

    1. Anonymous Coward
      Anonymous Coward

      Re: Security Researchers

      I agree. This is far into the theoretical, as it assumes an utter neglect for all warning - one is maybe acceptable, but ignoring all warnings ventures into the implausible. I don't think it's a concern.

      It's basically saying that if you let a complete stranger into the house and then leave him or her alone with your wallet after watching a wanted notice for them on TV, there's a chance that you may be short of a few quid when they leave. Well, duh - most people I know don't exactly struggle to avoid that situation, even without explicit warning.

      Genuinely nothing to see here, please move along.

      1. DailyLlama

        Re: Security Researchers

        "This is far into the theoretical, as it assumes an utter neglect for all warning - one is maybe acceptable, but ignoring all warnings ventures into the implausible"

        You've never seen users just clicking boxes to make them disappear then? Most people don't even read them, just click OK to get it off the screen.

    2. nuked

      Re: Security Researchers

      CyberArk appear to be a pretty big deal in the field, and I'm sure MS are not at all motivated to underplay the severity of a vulnerability in their flagship protection software...

    3. Tigra 07
      Thumb Down

      Re: Security Researchers

      This looks the equivalent of complaining to Microsoft that it's their fault the user can manually install malware if they do everything possible to prevent the system from stopping it...

      Yeah, it's possible to do a lot of things if you deactivate the security, manually install a virus, give it admin privileges to run, etc. As much as I like Windows bashing, this Security Researcher sounds like an attention whore.

      1. Naselus

        Re: Security Researchers

        "As much as I like Windows bashing, this Security Researcher sounds like an attention whore."

        CyberArk have prior form in that area, tbh - I can recall at least two other 'security bugs' they've found which were beyond ridiculous. One required the attacker to already have admin access to the box, which rather leaves you wondering what they were going to use the flaw to do.

        1. Tigra 07

          Re: Security Researchers

          And another involved a bug where the system was susceptible if the Researcher first donwgraded the system to Windows XP and manually installed malware?

    4. oxfordmale78

      Re: Security Researchers

      Never underestimate the stupidity of only need one of them.

      1. Korev Silver badge

        Re: Security Researchers

        Yep and then they make you Wannacry

  2. Anonymous Coward
    Anonymous Coward

    Not a problem...

    If you run Windows then your incoming network traffic will be endless Windows updates, and your outgoing traffic will be all your documents winging their way to Microsoft’s telemetry servers, and then on to ad agencies worldwide. No spare bytes on the line for rogue SMB queries.

  3. Missing Semicolon Silver badge

    The revelation...

    is that Defender doesn't scan the executable as it is loaded by CreateProcess, but separately opens the file, scans the data it finds, then allows CreateProcess to continue.

    This is ripe for exploitation by anything tyhat can also hook file system reads.

    1. Anonymous Coward
      Anonymous Coward

      Re: The revelation...

      My guess is that even if it hooks CreateProcess(), it will later use file functions separately to open and read the file. If you can spot who is asking to read the file, and pass different data. it will work.

      Otherwise the data loaded by CreateProcess() should be first sent to the AV - but CreateProcess() may not read the whole file - i.e. resources may be loaded on-demand by application code, thereby an antimalware solution may need to read the file separately anyway.

      Of course it's much easier to perform the trick on SMB than locally (you would have rootkitted the local machine already to perform that).

    2. clocKwize

      Re: The revelation...

      Hooking these calls in other processes is something that would require admin privileges, and if its against a built-in app (explorer, etc), would have to disable something (can't remember what its called) to work still... Chances are, if you're that far in, you don't need to get around defender any more

  4. DontFeedTheTrolls

    Is it a potential attack vector? Yes

    Is it easy to exploit? No

    Should Microsoft fix it? Yes

    When should Microsoft fix it? Within the regular lifecycle of low priority fixes.

  5. Zippy's Sausage Factory

    So, users have to click through a boatload of warnings to make it happen?

    Hmm... I've known users who are worse.

    Case in point: a user calls me (DBA, at the time) directly, bypassing helpdesk, screaming because he can't print. Yes, he's logged in. Yes, he can open the print queue. It says "offline - error". What am I going to about it?

    So I ask if he has checked to see if the printer is plugged in.

    Well yes it is. But there's smoke coming out of it, would that cause a problem?

    Since then, users have failed to surprise me.

    1. iron Silver badge

      Your first mistake was asking him anything. You should have told him to call the helpdesk and hung up.

    2. Semtex451


      Look I can't see *Boatload* listed on the El Reg or SI Unit tables.

      Could someone help or put me out to pasture (rivet gun)?

      1. DJO Silver badge

        Re: *Boatload*

        "Boatload" is a derivation of "shipload" which is a bowdlerised version of "shitload" so as boats are smaller than ships I'd propose 10 boatloads = 1 shitload/shipload.

        1. I ain't Spartacus Gold badge

          Re: *Boatload*

          How does this boatload/shipload/shitload metric relate to the old imperial shedload?

          1. PeteA

            Re: *Boatload*

            1 shitload : 0.89 shedloads in my neck of the woods. And don't forget the fucktonne, which is so big I can't imagine it.

            1. Anonymous Coward
              Anonymous Coward

              Re: *Boatload*

              We were always advised to use 'metric fucktonne'. I assume that must be somehow smaller than a fucktonne. I guess from those instructions that fucktonne must be imperial..

              1. Will Godfrey Silver badge

                Re: *Boatload*

                Doh. There is no trailing 'ne' in fuckton - that's a bit of French affectation reserved for Metric measures.

                1. I ain't Spartacus Gold badge

                  Re: *Boatload*

                  I agree. It must be a fuckton. Because you can also have a metric craptonne.

  6. tiggity Silver badge

    Do they have to click through lots of warnings?

    Say a network is reasonably locked down but you have compromised one machine on that network, then you could run your own malicious SMB server that does this trick, without generating lots of messages (especially if the machine is something used a lot such as a document repository machine)

  7. Anonymous Coward
    Anonymous Coward

    "This doesn't seem to be a security issue but a feature request, [...]"

    It's not a bug - it's a feature.


  8. james 68

    Funnily enough...

    Mostly unrelated other than involving Defender and malware.

    Just two days ago I opened Defender to update and run a full scan (as I usually do once a week to supplement the normal automated quick scans and the active scanning), anyone care to guess what happened when the update finished downloading?

    Defender marked its own update as "Severe - Trojan:Win32/Vagger!rfn" and threw it into quarantine.

    Yay me.

    Rather than faff around I just formatted and reinstalled, I keep regular backups so nothing was lost and all was again well. To many this may seem an extreme reaction, but without knowing if the update was compromised or if Defender itself was compromised and hence quarantining any updates which might kill the infection I considered it the best course of action. Either way I am unimpressed with the security of Defender.

  9. Inventor of the Marmite Laser Silver badge

    There ARE PLENTY of users THAT stupid

    Like it sez ^^^^

    1. kain preacher

      Re: There ARE PLENTY of users THAT stupid

      And for those uses you would find your self re imaging their PC any ways. If no9t for this exploit but for some thing else.

  10. pixl97


    All this talk of "must trust an untrustworthy .exe goes away the first moment makes a plug-in for Samba that can be used as part of a remote compromise. Suddenly your 'trusted' NAS can pick ilk at your Windows boxes and it will be very confusing as to what is occurring.

  11. chivo243 Silver badge

    Drunk, horny looking for porn

    I bet they would click away rights to their first born! Like Bender said: "Warning, perform virus scan? Pffft, I'm waiting for porn over here."

    never underestimate nasty needs...

    1. Anonymous Coward
      Anonymous Coward

      Re: Drunk, horny looking for porn

      "never underestimate nasty needs..."

      never underestimate human nature...


  12. Anonymous Coward
    Anonymous Coward


    That's all fine and well. When the Wannacrypt came out - I ensured that SMB was killed as a process. Reducing the target footprint means that the exploit is unlikely to be used.

    1. Anonymous Coward
      Anonymous Coward

      Re: SMB

      You may stop SMB-related services in a simple stant-alone PC, you can't do that in a AD domain, for example.

      1. Anonymous Coward
        Anonymous Coward

        Re: SMB

        Yes you can...

  13. TVU Silver badge

    "Microsoft downplays alarm over Windows Defender 'flaw'"

    ^ Well, that's a shock! Who'd have thought that a Redmond operating system would have any security vulnerabilities.

  14. Anonymous Coward
    Anonymous Coward

    Stating the obvious

    Win Defender isnt that good.

    Bears go for jobbies in the woods.

    Pope probably not a Jew.

    Trumpos Mentis probably means the opposite of Compos Mentis.

  15. Gis Bun

    "To be successful, an attacker would first need to convince...." Shouldn't be too hard for the average novice yesterday. Most of them get excited/nervous about anything they don't understand.

  16. InNY


    <quote>To be successful, an attacker would first need to convince a user to give manual consent to execute an unknown binary from an untrusted remote location. The user would also need to click through additional warnings in order to grant the attacker Administrator privileges</quote>

    Isn't this the standard behaviour of most people? Absolutely nothing out of the ordinary as far I can tell.

  17. Howard Hanek

    Right's the 'impractical' applicability that gets you everytime.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like