Earlier this week, researchers claimed to have developed a way to bypass the protection mechanisms used in many popular anti-virus software applications. The code works, according to The Register, by “sending them a sample of benign code that passes their security checks and then, before it’s executed, swaps it out with a malicious payload.”
The researchers claim that each anti-virus product tested failed.
“We have performed tests with [most of] today’s Windows desktop security products,” the researchers wrote. “The results can be summarized in one sentence: If a product uses SSDT hooks or other kinds of kernel mode hooks on a similar level to implement security features, it is vulnerable. In other words, 100% of the tested products were found vulnerable.”
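The weakness described above is a check-then-use race: the hook validates a buffer that still lives in memory the caller controls, so the caller can change it after the check passes but before the real service consumes it. The following toy program is an added illustration, not code from the researchers or from any anti-virus product; the `user_buf`, `racy_hook` and `hardened_hook` names and the "EVIL" marker are constructed for the example. It contrasts a hook that re-reads the caller's buffer with one that captures a private copy once and validates and uses only that copy.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy "user" buffer that a hypothetical kernel-mode hook inspects
 * before letting the "real" service consume it. Not any product's code. */
#define BUF_LEN 16
static char user_buf[BUF_LEN];

/* The policy the hook enforces: the buffer must not contain the marker "EVIL". */
static int is_allowed(const char *p) { return strstr(p, "EVIL") == NULL; }

/* Stands in for a concurrent writer that changes the buffer after the check. */
typedef void (*racer_fn)(void);
static void swap_payload(void) { strcpy(user_buf, "EVIL"); }
static void no_racer(void) {}

/* The "real" service: returns 1 if it consumed a buffer containing the marker
 * (i.e. the hook's check was defeated), 0 if it consumed benign content. */
static int real_service(const char *p) { return strstr(p, "EVIL") != NULL; }

/* Racy hook: validates caller memory, then hands the SAME pointer down.
 * The service fetches the buffer a second time (a double fetch). */
static int racy_hook(racer_fn racer) {
    if (!is_allowed(user_buf)) return -1;   /* denied */
    racer();                                /* window between check and use */
    return real_service(user_buf);          /* re-reads caller memory */
}

/* Hardened hook: capture a private copy once, then validate and use only that copy.
 * Whatever the caller does to user_buf afterwards cannot affect the decision. */
static int hardened_hook(racer_fn racer) {
    char kbuf[BUF_LEN];
    memcpy(kbuf, user_buf, BUF_LEN);        /* single fetch */
    if (!is_allowed(kbuf)) return -1;
    racer();
    return real_service(kbuf);              /* uses the captured copy */
}

/* Reset the caller buffer to benign content before each scenario. */
static void reset_benign(void) { strcpy(user_buf, "hello"); }

int main(void) {
    reset_benign(); printf("racy, no race:   %d\n", racy_hook(no_racer));        /* 0 */
    reset_benign(); printf("racy, raced:     %d\n", racy_hook(swap_payload));    /* 1 */
    reset_benign(); printf("hardened, raced: %d\n", hardened_hook(swap_payload)); /* 0 */
    return 0;
}
```

The same copy-then-validate discipline is what keeps a real hook's verdict tied to the exact bytes the service will later act on.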
However, Mikko Hyppönen, a researcher with F-Secure, a security company, claims that the attack vector is not as effective as the researchers claim.
“This is a serious issue and Matousec’s technical findings are correct,” he writes on F-Secure’s blog. “However, this attack does not ‘break’ all antivirus systems forever. Far from it.”
Instead, the bypass only matters for new malware that has not yet been categorized and indexed. Also, many security providers (and IT professionals) use a “defense in depth” model of security.
“To protect our customers against such unknown malware, we have several layers of sensors and generic detection engines. Matousec’s discovery is able to bypass only a few of these sensors,” Hyppönen writes. “In a nutshell: We believe in defense in depth.”