Reply to post: Re: The revelation...

Microsoft downplays alarm over Windows Defender 'flaw'

Anonymous Coward

Re: The revelation...

My guess is that even if it hooks CreateProcess(), it will later use file functions separately to open and read the file. If you can spot who is asking to read the file, and pass different data, it will work.

Otherwise the data loaded by CreateProcess() should be first sent to the AV - but CreateProcess() may not read the whole file - i.e. resources may be loaded on demand by application code, so an antimalware solution may need to read the file separately anyway.

Of course it's much easier to perform the trick on SMB than locally (you would have rootkitted the local machine already to perform that).
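The double-read window the comment describes, modelled as an added example (not code from the post or from any Windows component): a stand-in file source answers each read differently, a naive launcher scans on one read and loads on another, and a hardened launcher pins the loader's bytes to the digest of what was scanned. `FileSource`, `scan`, `naive_launch`, `pinned_launch` and the marker bytes are all constructed for this illustration.

```python
import hashlib

# Constructed marker standing in for whatever a real scanner's signature matches.
MARKER = b"MALICIOUS-MARKER"


class FileSource:
    """Stand-in for a file on a remote share whose reads may not be consistent.

    `responses` lists what successive read() calls return; the last entry repeats.
    This only models the inconsistency so the defence can be tested; it speaks
    no real protocol.
    """

    def __init__(self, responses):
        self.responses = list(responses)
        self.reads = 0

    def read(self) -> bytes:
        data = self.responses[min(self.reads, len(self.responses) - 1)]
        self.reads += 1
        return data


def scan(data: bytes) -> bool:
    """Toy signature check: True means clean."""
    return MARKER not in data


def naive_launch(source: FileSource):
    """Scanner reads the file, then the loader reads it again: two separate reads."""
    if not scan(source.read()):
        return ("blocked", None)
    image = source.read()  # loader's own read; nothing ties it to the scanned bytes
    return ("ran", image)


def pinned_launch(source: FileSource):
    """Scan once, remember the digest, and refuse to run bytes that do not match it."""
    scanned = source.read()
    if not scan(scanned):
        return ("blocked", None)
    digest = hashlib.sha256(scanned).digest()
    image = source.read()  # the later read the loader (or on-demand resource load) performs
    if hashlib.sha256(image).digest() != digest:
        return ("blocked-mismatch", None)
    return ("ran", image)
```

A real fix would have the loader map the very buffer that was scanned rather than re-reading; the digest comparison is the minimal check that makes the second read safe.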

Biting the hand that feeds IT © 1998–2019