Introduction
During our research, CyberArk Labs encountered a strange behavior in the file scanning process of Windows Defender. This problem may also exist in other antivirus products, which we have not yet tested.
This behavior led us to investigate the Antivirus scanning process over SMB shares, and the outcome is a surprising cause for concern.
Now you see me, no… you don’t (tl;dr).
Imagine a situation where you double-click a file and Windows loads that file, but your Antivirus scans another file or even scans nothing at all. Sounds weird, right? Depends on who you ask; the folks at Microsoft Security Response Center (MSRC) think there should be a feature request to handle this situation. We will get to this; let's start by understanding how this is possible. To be clear, the techniques presented in this blog allow any known malware to bypass Windows Defender and possibly other Antiviruses.
When you run an executable, most Antiviruses will catch the operation by a kernel callback (nt!PspCallProcessNotifyRoutines and nt!PsCallImageNotifyRoutines) and then scan the file, most commonly by requesting its user-mode agent to do so, using ioctls/fastio/sharedmem/APC/etc.
Once an executable file is already present on disk, the Antivirus will not scan it on process creation since it already scanned it on file creation. However, running an executable from an SMB share requires the Antivirus to scan the file even on process creation.
In this blog post, we will walk through several ways to bypass Windows Defender. We are going to achieve this goal by implementing our own SMB server...
Read more: Illusion Gap - Antivirus Bypass Part 1 - CyberArk
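A defender-side check for the case described above, executables launched directly from an SMB share: this added example (not code from the CyberArk post) scans process-creation records for images loaded over UNC paths whose server is not on an allow-list. The record layout follows the Sysmon Event ID 1 field names `Image` and `ProcessId`; the server names, allow-list and sample records are constructed assumptions.

```python
import re

# Servers the organisation actually runs software from (assumed allow-list).
TRUSTED_SERVERS = {"fileserver01.corp.example"}

# Matches \\server\share\... and the long form \\?\UNC\server\share\...
_UNC = re.compile(r"^\\\\(?:\?\\UNC\\)?([^\\]+)\\([^\\]+)\\", re.IGNORECASE)


def unc_origin(image_path):
    """Return (server, share) when the image was loaded over UNC, else None."""
    m = _UNC.match(image_path)
    if not m:
        return None
    server = m.group(1).lower()
    if server in ("?", "."):  # \\?\C:\... and \\.\ device paths are local
        return None
    return server, m.group(2)


def flag_remote_exec(events, trusted=TRUSTED_SERVERS):
    """List process creations whose image came from an untrusted SMB server."""
    findings = []
    for ev in events:
        origin = unc_origin(ev["Image"])
        if origin and origin[0] not in trusted:
            findings.append({"pid": ev["ProcessId"], "server": origin[0],
                             "share": origin[1], "image": ev["Image"]})
    return findings


# Constructed sample records, not real telemetry.
# Limitation: a mapped drive (Z:\...) shows a drive-letter path and is not
# resolved back to its share by this check.
SAMPLE_EVENTS = [
    {"ProcessId": 4100, "Image": r"C:\Windows\System32\notepad.exe"},
    {"ProcessId": 4204, "Image": r"\\fileserver01.corp.example\tools\setup.exe"},
    {"ProcessId": 4312, "Image": r"\\10.0.0.5\pub\invoice.exe"},
    {"ProcessId": 5120, "Image": r"\\?\UNC\WS-TEMP\drop\update.exe"},
    {"ProcessId": 5300, "Image": r"\\?\C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for f in flag_remote_exec(SAMPLE_EVENTS):
        print(f"pid={f['pid']} server={f['server']} image={f['image']}")
```
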