Citizens First Cyber Security Professionals

Welcome Citizens

Welcome to, Citizens First Cyber Security Professionals.

The Individual Citizen Specific Cyber Security Investigative Services Firm, Cyber Security Web Forum and Educational Cyber Security Dojo.

Geared strictly to helping Individual Citizens and Small Businesses address unwanted cyber security intrusions and hacking incidents!

Windows Defender No Help Against 'Illusion Gap' Bypassed Easily - Via CyberArk

Yo' Greetings Citizens,

Windows Defender No Help Against 'Illusion Gap' Bypassed Easily - Via CyberArk


During our research, CyberArk Labs encountered a strange behavior in the file scanning process of Windows Defender. This problem may possibly exist in other anti-viruses, which we have not yet tested.

This behavior led us to investigate the Antivirus scanning process over SMB shares and the outcome is a surprising cause for concern.

Now you see me, no… you don’t (tl;dr).

Imagine a situation where you double-click a file and Windows loads that file, but your Antivirus scans another file or even scans nothing at all. Sounds weird, right? Depends on who you ask; the folks at Microsoft Security Response Center (MSRC) think there should be a feature request to handle this situation. We will get to this, let’s start by understanding how this is possible. To be clear, the techniques presented in this blog allow any known malware to bypass Windows Defender and possibly other Antiviruses.

When you run an executable, most Antiviruses will catch the operation by a kernel callback (nt!PspCallProcessNotifyRoutines and nt!PsCallImageNotifyRoutines) and then scan the file, most commonly by requesting its user-mode agent to do so, using ioctls/fastio/sharedmem/APC/etc.

Once an executable file is already present on disk, the Antivirus will not scan it on process creation since it already scanned it on file creation. However, running an executable from an SMB share requires the Antivirus to scan the file even on process creation.

In this blog post, we will walk through several ways to bypass Windows Defender. We are going to achieve this goal by implementing our own SMB server.

Our testing tools

As mentioned above, one of our attack vectors is to fool the Antivirus into scanning a different file than the one actually executing. Before jumping into the technical details, let’s see how Windows Defender or any other Windows process goes about accessing a file on an SMB server, and then we’ll differentiate Antivirus access from regular access. Since we will be running as the SMB server itself, once we have identified whether the request originated from an Antivirus or a different process, we’ll serve a malicious or a benign file respectively. In order to examine our attempts to fool the Antivirus, we wrote a simple filter driver that enables us to inspect the file that was actually served to the target machine running the Antivirus. For simplicity’s sake, our driver will check 3 bytes of the DOS-Stub message (the ‘run’ string, which is at offset 0x65), which are usually identical in any PE. We will test our method by serving the Antivirus a file with 3 modified bytes at 0x65 and verifying this modification in our filter driver. The malicious file remains untouched (and contains “run” like a normal PE file), and the legitimate file is changed to something else so we can differentiate between them. Let’s register a filter driver with this function to the post operation of IRP_MJ_READ:

*NOTE: The driver is NOT necessary for the attack to succeed and was only used to help the verification process...

Bypassing Windows Defender

Let’s begin with the first attack vector. We want to serve different files, one for the Windows PE Loader and another for the Windows Defender Antivirus over SMB. We can achieve that using a custom implemented SMB server. When a process creation is made by the Windows PE Loader, a request will be made to the SMB server for the executable file, and we will serve file A, which is malicious. When Windows Defender requests the executed file, we will serve file B, which is benign. This way, file B will be scanned while file A will be executed. But first, we have to identify which request is made by whom...

Please See Examples, Videos, and Read The Full Story here:

Thank You For Your Time, Citizens. I hope that you have a great and cyber-secure day!

Thank You Citizen,
The Administration
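As an added illustration (this is not CyberArk's driver code, which the post above elides, nor anything from this forum), the following Python models the same 3-byte DOS-stub check at offset 0x65 in user mode and turns it into a defender-side consistency test: the bytes a scanner was served and the bytes the loader actually ran are compared, and any difference is the "illusion gap" signal. The sample image is constructed inline and is only a DOS header plus stub, not a real PE; `build_sample_pe_prefix`, `stub_marker` and `compare_views` are names assumed here.

```python
import hashlib
import struct

# The standard MS-DOS stub code occupies 14 bytes at 0x40 and the message
# "This program cannot be run in DOS mode." starts at 0x4E, so the word
# "run" sits at 0x65: the 3 bytes CyberArk's verification driver inspects.
STUB_MARKER_OFFSET = 0x65
STUB_MARKER = b"run"


def build_sample_pe_prefix(marker: bytes = STUB_MARKER) -> bytes:
    """Constructed sample (assumption): DOS header + stub, padded to 0x80.
    `marker` overwrites the bytes at 0x65 so we can model the altered
    scanner-only copy described in the post."""
    hdr = bytearray(64)
    hdr[0:2] = b"MZ"                                  # e_magic
    struct.pack_into("<I", hdr, 0x3C, 0x80)           # e_lfanew -> 0x80
    stub_code = bytes.fromhex("0E1FBA0E00B409CD21B8014CCD21")  # 14 bytes
    msg = b"This program cannot be run in DOS mode.\r\r\n$"
    data = bytearray((bytes(hdr) + stub_code + msg).ljust(0x80, b"\x00"))
    data[STUB_MARKER_OFFSET:STUB_MARKER_OFFSET + 3] = marker
    return bytes(data)


def stub_marker(data: bytes) -> bytes:
    """The 3 bytes the driver reads once IRP_MJ_READ completes."""
    if data[:2] != b"MZ" or len(data) < STUB_MARKER_OFFSET + 3:
        raise ValueError("not a DOS/PE image prefix")
    return data[STUB_MARKER_OFFSET:STUB_MARKER_OFFSET + 3]


def compare_views(scanned: bytes, executed: bytes) -> dict:
    """Defender check: what the scanner saw and what the loader ran must
    be byte-identical. Any mismatch means the scanner was served a
    different file than the one that executed."""
    scanned_hash = hashlib.sha256(scanned).hexdigest()
    executed_hash = hashlib.sha256(executed).hexdigest()
    return {
        "scanned_marker": stub_marker(scanned),
        "executed_marker": stub_marker(executed),
        "same_content": scanned_hash == executed_hash,
        "gap_detected": scanned_hash != executed_hash,
    }


if __name__ == "__main__":
    # Scanner got the altered copy ("xxx" at 0x65); loader got the original.
    print(compare_views(build_sample_pe_prefix(b"xxx"), build_sample_pe_prefix()))
```

In a real deployment the two views would come from the scan-time read and the image-load read of the same remote path; here both are constructed so the check runs offline.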


No Comments have been Posted.
