Ways Antivirus companies could prevent a false positive catastrophe



I stated system files, and that includes DLLs and EXEs, though not all of them. I'm not sure what kind of point you're trying to make. Should I have comprehensively stated "files that are essential to the system as well as files that are often attacked" to satisfy you?

You stated "all system files", I was just pointing out that not all system files are signed. That's it.

There's a difference between all system files and system files.

You can, but programmatically taking ownership of files that are owned by TrustedInstaller is not made easy. This would at the very least require Administrator privileges. If a virus gains Administrator privilege, then you have a problem.

Well of course, I never claimed it's an easy thing to do, but it's definitely possible. And, slightly off topic, it's not exactly difficult nowadays to get administrator privileges.

The average user isn't going to care about a UAC dialog that pops up; they're going to click OK regardless of however many times you try to teach them not to. But there's really nothing Microsoft or anybody can do about it... the weakest link is always the user.


Um no they don't.

You can easily disable driver signature verification, and Secure Boot is also easily disabled in the BIOS. MS wanted to make it impossible to disable Secure Boot and boot Windows, but users started complaining that they were trying to lock out Linux, and so MS caved.

Disabling driver signature verification requires:

1- Restarting the computer and pressing a very specific key combination (impossible to achieve programmatically)

2- Installing the driver and bypassing the Windows warning about installing an unsigned driver

3- It's a one-trick pony: driver signature verification will be re-enabled next time Windows reboots.


If Secure Boot is enabled, programmatically disabling it in the BIOS is very hard to do. There is no reason for Secure Boot not to be enabled for the vast majority of consumers that only run Microsoft Windows on their computer.


Once again, what's your point? If you open all doors and all windows (no pun intended), evidently your apartment will get robbed. You'd have to be pretty good at social engineering to convince a user to restart his computer, go into the BIOS to disable Secure Boot, then choose "Advanced startup options," then install a malicious driver.


Disabling driver signature verification requires:

1- Restarting the computer and pressing a very specific key combination (impossible to achieve programmatically)

2- Installing the driver and bypassing the Windows warning about installing an unsigned driver

3- It's a one-trick pony: driver signature verification will be re-enabled next time it reboots.

Sorry I edited my original post.

That only applies to Windows 8. With Windows 7 (and admin privileges, which yet again aren't difficult to obtain because the user is the weakest point) you can disable it via the command prompt.

There are also other ways around driver signature verification. You can modify the driver, and as long as it is signed, Windows will allow it to install, just with a warning that the driver was from an unknown source and a prompt asking if you want to proceed. Another way around it is to just buy your own certificate; you can get them for under $200 a year. The driver signing requirement is at best a very poor protection, and really one that causes more annoyances than protection.


Obtaining a certificate is not as trivial as you make it out to be, otherwise the Windows platform would be flooded with malicious drivers. There was one event (with Realtek, if I remember correctly) where a legitimate signature was compromised. This is very rare. You also fail to point out that if a certificate is found to be used to install viruses, it will be revoked by the issuing authority. On 64-bit systems, driver security has been tightened, and as a result 64-bit rootkits are rare. Driver signing helps mitigate rootkit attacks and improves system security. It might annoy tinkerers, but there is very little reason to install an unsigned driver on your Windows computer.

But we're losing sight of the point, which is how built-in Windows features help anti-virus programs. Windows signs system files, which an anti-virus can check. If a program requests ownership changes to TrustedInstaller files, the anti-virus has a red flag right there. The point is to reduce the area of attack: in both attack cases (a virus targeting WRP-protected files or signed files), any decent anti-virus will easily detect and stop the virus in its tracks. Under Windows XP, with no signature and no TrustedInstaller token, securing those areas of attack was harder.


It would be nice to have a list of AVs which have this sort of feature and the ones that don't. At least ones that compare modified and unmodified certificates.

It would be a good selling point, if a bit hard to explain to the consumer. At the very least a good antivirus product should rely on signatures to check if system files are valid...


Does MSE do it?


PS: On another PC, can't check the signed file details tab and respond to previous post.


That's a very good question. I have no idea. You'd have to try and replace a signed file with a tampered file and see if MSE flares up...


I just edited explorer.exe in a hex editor and changed a 27 to a 28.

So in the example below, if Panda (or any other AV) got the signal from a definition file to nuke explorer.exe from orbit... it should first check to see if the digital signature is valid. If it is, cancel the nuclear launch. Then phone the president and say... what are you guys smoking over there?
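As an added example (my own code, not from any post in this thread): a PowerShell check of the two Windows facts the thread relies on, the Authenticode signature and the TrustedInstaller owner that WRP puts on protected files, which an AV could consult before acting on a definition hit. The function Test-SafeToQuarantine and the tampered-copy demo are assumptions of mine; they assume a Windows host where explorer.exe carries a Microsoft signature that Get-AuthenticodeSignature can resolve (embedded or via catalog).

```powershell
# Decide whether a file flagged by a definition update should really be
# quarantined. Added example, not part of the thread or of any AV product.
function Test-SafeToQuarantine {
    param([Parameter(Mandatory)][string]$Path)

    $sig   = Get-AuthenticodeSignature -FilePath $Path
    $owner = (Get-Acl -Path $Path).Owner   # WRP-protected files show TrustedInstaller here

    # A valid signature whose signer certificate belongs to Microsoft means the
    # bytes on disk are exactly what Microsoft shipped. A detection on such a
    # file is almost certainly a bad definition, so refuse to quarantine.
    if ($sig.Status -eq 'Valid' -and
        $sig.SignerCertificate.Subject -like '*O=Microsoft Corporation*') {
        return [pscustomobject]@{
            Path = $Path; Quarantine = $false
            Reason = "Valid Microsoft signature; owner $owner"
        }
    }

    # Anything else (HashMismatch for an embedded signature that no longer
    # matches, NotSigned for a catalog-signed file whose bytes changed, or an
    # untrusted signer) means the file is not the one Microsoft signed, so the
    # definition's verdict stands and the owner is reported for the analyst.
    return [pscustomobject]@{
        Path = $Path; Quarantine = $true
        Reason = "Signature status $($sig.Status); owner $owner"
    }
}

# Demonstration: copy explorer.exe, flip one byte in the copy (the same kind of
# change as the hex edit described in the thread), and compare the verdicts.
$original = Join-Path $env:SystemRoot 'explorer.exe'
$copy     = Join-Path $env:TEMP 'explorer-tampered.exe'
Copy-Item -Path $original -Destination $copy -Force

$bytes = [System.IO.File]::ReadAllBytes($copy)
# Offset 0x200 lies outside the three ranges Authenticode excludes from its hash
# (checksum field, certificate table entry, certificate data), so one flipped
# bit is enough to invalidate the signature.
$bytes[0x200] = $bytes[0x200] -bxor 0x01
[System.IO.File]::WriteAllBytes($copy, $bytes)

Test-SafeToQuarantine -Path $original   # Quarantine = False on an intact system file
Test-SafeToQuarantine -Path $copy       # Quarantine = True, signature no longer valid
Remove-Item -Path $copy -Force
```

The copy is written to the user's TEMP directory and inherits that user as owner, so its Reason field also shows how an ownership change away from TrustedInstaller is visible alongside the signature failure.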
