Windows 7: Microsoft: MSE safe from Windows kernel hook attack

Microsoft Security Essentials (MSE), the software giant's free antimalware solution, is one of the few products that is not affected by the recently rediscovered method for disabling security software on Windows. MSE does not use SSDT hooks, so its real-time protection cannot be disabled via this method.

When the report was first published, we noticed that MSE was not on the list of affected products and contacted Microsoft for clarification. "Microsoft is aware of research published by Matousec and we are investigating the issue," a Microsoft spokesperson told Ars. "Based on available information, we do not believe our products are affected due to the design of our real-time protection. We are working to confirm this."

Microsoft said someone would get back to us, but we figured it would be quicker to go straight to the source. "As we assumed, MSE does not implement any hooks and hence it can not be attacked by KHOBE technique," a Matousec spokesperson told Ars. "It might be confusing when you read various media comments on KHOBE research that mention that all antivirus products are vulnerable, but they miss the most important thing, which is that only software that implements hooking can be vulnerable. Only some antivirus products implement hooks but many antivirus products do not use hooks at all. The major group of software that is affected are not antivirus products but HIPS [Host Intrusion Prevention System] software, behavior blockers, various Internet Security Suites with host protection features etc." Update: “Microsoft has worked directly with Matousec to confirm that Microsoft Security Essentials and Forefront Client Security products are not affected by their KHOBE research due to the design of our real-time protection,” a Microsoft spokesperson eventually followed up with.

The article and problem in question is quite old. The problem outlined there is known for literally centuries (Time-of-check-to-time-of-use - Wikipedia, the free encyclopedia). So there is nothing new about it. Just a security "researcher" that wants his 15 minutes of fame.

In addition AVs are far from being "circumwented". Since the main defense line for AVs is still on-access scanning which isn't fooled by this kind of race condition. In addition every software that uses the filter manager capabilities implemented in the Windows kernel won't be affected by this as well.

So there is much fuzz around a possible security problem that is documented for 20+ years that can only effectively be used against some HIPS and firewall products and only if it happens to work the first time it is tried (which is extremely rare).