Windows 7 Forums
Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.

Windows 7: Illusion Gap bypass in Windows Defender

28 Sep 2017   #1

64-bit Windows 10 Pro
Illusion Gap bypass in Windows Defender


During our research, CyberArk Labs encountered a strange behavior in the file scanning process of Windows Defender. This problem may possibly exist in other anti-viruses, which we have not yet tested.

This behavior led us to investigate the Antivirus scanning process over SMB shares and the outcome is a surprising cause for concern.

Now you see me, no… you don’t (tl;dr).

Imagine a situation where you double-click a file and Windows loads that file, but your Antivirus scans another file or even scans nothing at all. Sounds weird, right? Depends on who you ask; the folks at Microsoft Security Response Center (MSRC) think there should be a feature request to handle this situation. We will get to this, let’s start by understanding how this is possible. To be clear, the techniques presented in this blog allow any known malware to bypass Windows Defender and possibly other Antiviruses.

When you run an executable, most Antiviruses will catch the operation by a kernel callback (nt!PspCallProcessNotifyRoutines and nt!PsCallImageNotifyRoutines) and then scan the file, most commonly by requesting its user-mode agent using to do so, using ioctls/fastio/sharedmem/APC/etc.

Once an executable file is already present on disk, the Antivirus will not scan it on process creation since it already scanned it on file creation. However, running an executable from a SMB share requires the Antivirus to scan the file even on process creation.

In this blog post, we will walk through several ways to bypass Windows Defender. We are going to achieve this goal by implementing our own SMB server...

Read more: Illusion Gap - Antivirus Bypass Part 1 - CyberArk

My System SpecsSystem Spec

 Illusion Gap bypass in Windows Defender

Thread Tools

Similar help and support threads
Thread Forum
Security Defender / Defender Pro 2015 Virus/Trojan ?
Hello, Looked for a "Virus" sub-forum, but don't see any. So will post here, please. Last night, a horrible experience. Apparently some virus software organization put on PC something that takes over, completely and literally. Called Security Defender and Defender Pro 2015
System Security
how to bypass password windows
hi i have windows vista and don't remember my password,now i want access to my data and i wan't, do a software is that be can recovery or remove password windows?
General Discussion
Logon bypass in Windows 7 Ultimate
Is there a way to bypass the logon in Windows 7 Ultimate? thank you
General Discussion
Filename extension illusion
The filename below was recieved in a malicious email. It appears to have a .jpg extension but windows will run it as an application. The trick appears to be using left to right then right to left characters so the last 7 characters are "jpg.exe" backwards. I suspect this will dupe a lot of windows...
General Discussion
Spinning Girl Illusion
Ok everyone, I don't know how many of you have ever checked out this site before but I would like to do a poll on the spinning girl illusion they have on there. I see her spin counter clockwise and my wife and 2 daughters have me wondering if I am crazy. So if you all will do this for fun lets...
Chillout Room

Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd

All times are GMT -5. The time now is 01:17.
Twitter Facebook Google+ Seven Forums iOS App Seven Forums Android App