Microsoft blocks Trend Micro code at center of driver 'cheatware' storm from Windows 10, rootkit detector product pulled from site

Microsoft has blocked a Trend Micro driver from running on Windows 10 – and Trend has withdrawn downloads of its rootkit detector that uses the driver – after the code appeared to game Redmond's QA tests. Late last week, Trend removed downloads of its Rootkit Buster from its website. And last night it emerged the kernel-level …

  1. knandras

    Maybe a programmer of theirs took liberties to meet deadlines. And it flew through reviews, and management knows nothing. ;)

    1. Anonymous Coward

      "Took liberties"

      Well, if that did happen and it was not caught, that wouldn't give you much confidence that their code was secure or able to detect attacks.

      1. Anonymous Coward

        Re: "Took liberties"

        In an ideal world all code would be peer reviewed. In the real world with understaffing and/or outsourcing, deadlines and pointy heads who wouldn't know one end of a linked list from another, it rarely is. Certainly not at the level of scrutiny that would spot a hack like this.

        1. Huw Leonard

          Re: "Took liberties"

          For a security product, though? Frankly, I'm not sure which would be worse, that they're that lax or that they did it on purpose.

    2. Pascal Monett Silver badge

      Ah yes, the ol' rogue engineer excuse.

      1. HildyJ Silver badge

        Next on the list is the hacker defense.

  2. T. F. M. Reader

    Dieselgate 2.0?

    [Comment is optional]

    1. Steve Graham

      Re: Dieselgate 2.0?

      At least VW's cheat software had to try a bit. The cars don't have a registry entry that says "We are now performing a test."

      1. Anonymous Coward

        Re: Dieselgate 2.0?

        Well, they probably detect when maintenance cables are plugged in.

      2. Anonymous Coward

        Re: Dieselgate 2.0?

        That reg key probably isn't one of the smartest ideas MS has ever had. The whole point of a verification test is that the environment is as per a live setup. You don't let the systems under test know they're under test!

  3. lglethal Silver badge

    Hanlon's Razor does not apply today...

    Normally, I would pull out the old Hanlon's Razor "Never attribute to malice that which is adequately explained by stupidity". BUT this is definitely not something slipped in by accident. You don't put a check for something that then defines further behaviour by accident - a) because it's more lines of code that you really don't need if you were doing things above board, and b) who needs the hassle of then spending the time to test that works under two different behaviour scenarios.

    This was put in deliberately. The question is why?

    1. Malcolm 5

      Re: Hanlon's Razor does not apply today...

      I wonder if there is any possibility this part of the code was bought in and hence not written by the Trend Micro team (and not audited, ugh)?

      1. Warm Braw Silver badge

        Re: Hanlon's Razor does not apply today...

        This is supposedly the product of an expert security company.

        1. Pascal Monett Silver badge

          Oh they're experts all right. Just not for your security.

        2. Anonymous Coward

          Re: Hanlon's Razor does not apply today...

          Given how incompetently their email filter system works I’m not sure they fit that description.

    2. Anonymous Coward

      Re: Hanlon's Razor does not apply today...

      Trend have performed poorly in independent testing over the last 18 months or so. I would bet this is an extension of that since they've been reluctant to allow independent testing of their software being widely published since they started to perform poorly.

    3. Shadow Systems

      Re: Hanlon's Razor does not apply today...

      I prefer Occam's Razors for that closer shave. =-)p

    4. Roland6 Silver badge

      Re: Hanlon's Razor does not apply today...

      >This was put in deliberately. The question is why?

      I can understand that the original driver could have been written to use the executable non-paged pool and thus be in need of revision to use the non-executable non-paged pool.

      But then having revised and tested the code there would be no need to maintain continued support for both memory pool models - necessary because it seems the driver can happily run with either memory pool.

      The only possible reason is to do with compatibility with pre-Win10 systems, but then why have an intelligent runtime switch and not an install time switch?

      I wonder if Trend will tell MS why their driver was implemented the way it was...

      1. Psmo

        Re: Hanlon's Razor does not apply today...

        My first thought too. Trend Micro have been around long enough to predate the requirements, and they wouldn't rewrite more than was necessary.

    5. teknopaul Silver badge

      Re: Hanlon's Razor does not apply today...

      re: The question is why?

      My theory is that they are trying to bypass the check so they can dynamically load changes without paying Microsoft the fees charged to re-sign driver changes.

      I thought at first Microsoft would side with Trend, Trend is paying them money.

      The fact that Microsoft has not tells us something about the why.

  4. Irongut Silver badge

    > "at no time was the Trend Micro team avoiding certification requirements."

    Well then who wrote that code? The code is definitely there and someone had to write it so Trend's statement implies hackers are changing their code without their knowledge - an even worse situation than trying to fool certification tests!

    1. Jason Bloomberg

      I will believe them when they can provide some credible and convincing explanation as to why it was there, why the software only changed its behaviour to what it should have been when the software recognised it was being tested.

      I'm not holding my breath but I've put £5 on a long-shot of the excuse being 'safeguarding a child'.

      1. Noel Morgan

        Maybe that code was written as a way of confirming the developer's eyesight was OK, before he/she wrote something a bit longer?

    2. Craig 2

      "The code is definitely there and someone had to write it"

      Absolutely. It looks like the code literally reads as "Is certification testing active?" If so, pretend everything is ok, otherwise carry on....

      It's a bit like customer phone support when the boss is/isn't standing next to you.... :)

  5. don't you hate it when you lose your account Silver badge

    Kettle calling

    As if MS would never do this. Bit like being fine with sexism while being appalled at racism.

    1. don't you hate it when you lose your account Silver badge


      A down vote storm, with so many I would expect at least someone to post a reply. If the point was missed I was highlighting MS hypocrisy, have they never pulled a fast one in software (answers on a toilet roll please). If the point wasn't missed then do they agree it's OK to diminish/hate individuals simply because they were born in some way different from them (answers in crayon please). Timely rush of opinion considering what is happening right now in US.

      1. don't you hate it when you lose your account Silver badge

        Re: Interesting

        I'll take that down vote as a badge of honour :)

  6. Pascal Monett Silver badge

    "It is not clear why Trend's software does this"

    I don't care if it's clear or not, it should not be done, period.

    Good on Borkzilla for reacting on this and pulling the driver. Now Trend is going to have to submit another one, and I'll bet it will get a lot more scrutiny the next time around.

    A reputation takes years to build, but only a day to trash. Trend Micro has now trashed its reputation.

    1. Naselus

      Re: "It is not clear why Trend's software does this"

      In fairness, pretty sure the last 2 years or so of Trend's software releases had already trashed their reputation. Every decent security team I know of have regarded Trend as something of a bad joke for at least 18 months.

  7. Boothy Silver badge

    Perhaps update the certification requirements

    Is there a valid reason for a driver to ever look at VerifierCodeCheckFlagOn()?

    If not, then I'd suggest MS update their certification requirements to include a statement along the lines of "Your driver must not access VerifierCodeCheckFlagOn() at any time", and then update the testing to include a scan of the code for any references to VerifierCodeCheckFlagOn() and automatically fail the driver if found.

    1. Paul Herber Silver badge

      Re: Perhaps update the certification requirements

      How is it even possible for code to see whether the verifier code is running?

      1. EveryTime

        Re: Perhaps update the certification requirements

        There are legitimate reasons for checking if you are running under validation, just as there are reasons to check if you are running in a virtual machine.

        But both types of checks should expect strict scrutiny.

        As for getting rid of a way to check: no, that shouldn't be done. Because there *might* be legitimate reasons, establish the proper way to check and audit code that checks. If you find code that uses a different way to check, hit it with the over-size ban hammer.

        1. DryBones

          Re: Perhaps update the certification requirements

          Such as? Seriously, this kind of assertion needs some concrete examples.

    2. bombastic bob Silver badge

      Re: Perhaps update the certification requirements

      I can't agree with MS's "driver cert" requirement at ALL. The certification "through MS only for a fee" is JUST WRONG and indirectly harms open source drivers. That being said, writing software that deliberately alters itself to pass a test shouldn't be done, either (right VW?).

  8. John H Woods Silver badge

    At no time ...

    ... that's a pretty sneaky way of saying "at t=0..."

  9. Anonymous Coward

    Got an update today

    My office Lenovo laptop had to be restarted today for a Trend update.

    It seems to have fixed the Intel graphics driver crashing almost immediately every boot, which crippled OpenGL acceleration and has been happening for months.

    I wonder if crash telemetry from people like me caused MS to detect this memory abuse.

    1. Roland6 Silver badge

      Re: Got an update today

      >I wonder if crash telemetry from people like me caused MS to detect this memory abuse.

      Well, given the timing of the public disclosure from a third-party and the subsequent action taken by MS, I suggest not.

      Although, thanks to the third-party, it would not surprise me if MS can now make sense of some of the crashdumps it received.

  10. adam payne

    Trend Micro must be held accountable for their extremely questionable code.

    Of course they need to be held accountable for this. I can't see any other reason to design it in that way.

  11. DrXym Silver badge

    Trend Micro

    We have to suffer this software and I swear the antivirus software has caused us more problems than any virus ever has. It slows down every file operation, it randomly locks files (causing builds to fail for no reason) and it has false positives that kill software we're trying to test.

    1. cosymart

      Re: Trend Micro

      Presume you work for a company that goes for cheap rather than effective :-(

      1. Anonymous Coward

        Re: Trend Micro

        More likely management lacks any development experience and IT services are outsourced.

        Previous place of work I arranged with IT services department to exclude build directories from virus scanning. When nightly builds finished they were scanned automatically by two sets of antivirus software.

        When IT services were outsourced it all went to pot.

    2. Naselus

      Re: Trend Micro

      You forgot to mention that it has a pretty abysmal hit rate for a supposedly enterprise-grade AV product, too.

  12. pjcard


    Your previous article referred to MysteriousCheck() as being the suspect function but you updated that to VerifierCodeCheckFlagOn() without mentioning it in the update text. Why is that? It makes it look like you're trying to hide something, but more so is confusing to anyone who read the original article.

  13. itsastickup

    A State-level infiltration opening up hacking possibilities. A sufficiently strategic mind would think of this kind of thing. It just requires blackmailing one employee.
