Microsoft Security Essentials (MSE), the software giant's free antimalware solution, is one of the few products that is not affected by the recently rediscovered method for disabling security software on Windows
. MSE does not use SSDT hooks, so its real-time protection cannot be disabled via this method.
When the report was first published, we noticed that MSE was not on the list of affected products and contacted Microsoft for clarification. "Microsoft is aware of research published by Matousec and we are investigating the issue," a Microsoft spokesperson told Ars. "Based on available information, we do not believe our products are affected due to the design of our real-time protection. We are working to confirm this."
Microsoft said someone would get back to us, but we figured it would be quicker to go straight to the source. "As we assumed, MSE does not implement any hooks and hence it can not be attacked by KHOBE technique," a Matousec spokesperson told Ars. "It might be confusing when you read various media comments on KHOBE research that mention that all antivirus products are vulnerable, but they miss the most important thing, which is that only software that implements hooking can be vulnerable. Only some antivirus products implement hooks but many antivirus products do not use hooks at all. The major group of software that is affected are not antivirus products but HIPS [Host Intrusion Prevention System] software, behavior blockers, various Internet Security Suites with host protection features etc." Update: “Microsoft has worked directly with Matousec to confirm that Microsoft Security Essentials and Forefront Client Security products are not affected by their KHOBE research due to the design of our real-time protection,” a Microsoft spokesperson eventually followed up with.