A new technique that makes use of Server Message Block (SMB) servers to circumvent malware scans from Windows Defender has been discovered, potentially raising the risk of unwanted software to discreetly be installed on systems.
According to cybersecurity firm CyberArk, the exploit, dubbed as 'Illusion Gap,' exploits a step in the file scanning process of Windows Defender in SMB shares. It starts by the attacker convincing a user to execute a file in a malicious SMB server under their control. When this is done, Windows will typically ask for two copies of the executable; first to launch the program and create a process for it, and second for Windows Defender, which it scans for malicious content.
This is where the problem comes in. Since SMB servers can distinguish between the two requests, attackers can take advantage of this and configure it to send two completely different files. This means that the Windows PE loader can receive a malicious file, but the one sent to Windows Defender can be clean. And with this in consideration, since the antivirus program detected a safe file, Windows PE will now proceed with the execution of the program. Obviously, this bypass technique could lead to more exploits in the future.
CyberArk forwarded the issue to Microsoft, which did not see any area of concern:
Thanks for your email. Based on your report, successful attack requires a user to run/trust content from an untrusted SMB share backed by a custom server that can change its behavior depending on the access pattern. This doesn’t seem to be a security issue but a feature request which I have forwarded to the engineering group.
Thanks again for reporting security issues to Microsoft responsibly and we appreciate your effort in doing so.
"It’s Windows Defenders job to scan and find malicious files – this vulnerability allows malicious files to bypass it, so it’s not doing its job," according to Kobi Ben Naim, CyberArk's Senior Director of Cyber Research in an email with BleepingComputer. "Other than installing additional AV or endpoint scanning software along with Windows Defender, there isn’t much an organization can do to mitigate this specific vulnerability."
CyberArk, however, points out that the problem might also exist in other antivirus solutions. This area has not been explored yet by the firm.
All things considered, it is always best to be careful of the files we open or programs we execute, as these potentially contain malicious code that can pose problems for our PCs. Doing this alone could already go a long way, no matter the antivirus program installed.