Security research firm Matousec has published details of a technique for bypassing some of the protections offered by widely used Windows security software, including programs from McAfee and Trend Micro.
However, the attack has serious limitations, including the requirement that the attacker must already have the ability to execute code on a system, Matousec acknowledged. That means the method would have to be used in combination with another attack vector, or employed by an attacker with local access to a system.
The method, called an argument-switch attack, can be used against Windows security programs that use a technique called System Service Descriptor Table (SSDT) hooking. All of the 35 applications tested by Matousec featured this technique, including products from BitDefender, F-Secure, Kaspersky, and Sophos, as well as McAfee and Trend Micro.
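The weakness an argument-switch attack exploits is a check-then-use race: the SSDT hook validates syscall arguments that still live in user memory, and a second thread rewrites them after the check but before the original service consumes them. The following user-mode model is an added illustration, not code from Matousec or any of the products named above; it drives the race deterministically with a callback instead of a real thread, and the PID values are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Argument block living in "user memory": both the hook and the original
 * service read it through the same pointer, which is what makes the race possible. */
typedef struct {
    uint32_t target_pid;          /* process the call operates on */
} call_args;

#define PROTECTED_PID 4242u       /* constructed: PID the security product guards */

/* Stand-in for a second thread that rewrites the arguments during the window. */
typedef void (*racer_fn)(call_args *args);

/* Original kernel service: re-reads the arguments, returns 1 if it reached the
 * protected process, 0 otherwise. */
static int original_service(const call_args *args) {
    return args->target_pid == PROTECTED_PID;
}

/* Vulnerable hook: checks the live user buffer, then lets the service re-read it.
 * Returns -1 when the call is blocked, else the service's result. */
int vulnerable_hook(call_args *user_args, racer_fn racer) {
    if (user_args->target_pid == PROTECTED_PID)
        return -1;                /* blocked on the first read */
    if (racer) racer(user_args);  /* window between check and use */
    return original_service(user_args);
}

/* Hardened hook: captures the arguments once, checks the private copy, and hands
 * only that copy onward, so a later rewrite of user memory cannot change the
 * outcome. (A real driver must also probe the user pointer before copying, and
 * whether the original service accepts a kernel-owned copy depends on the service.) */
int hardened_hook(call_args *user_args, racer_fn racer) {
    call_args local;
    memcpy(&local, user_args, sizeof local);
    if (local.target_pid == PROTECTED_PID)
        return -1;
    if (racer) racer(user_args);  /* the swap no longer affects the copy */
    return original_service(&local);
}

/* Racer that swaps a harmless PID for the protected one after the check. */
void swap_to_protected(call_args *args) { args->target_pid = PROTECTED_PID; }

/* Run the same racing call through each hook; returns 1 if the protected process was reached. */
int run_vulnerable(void) { call_args a = { 1 }; return vulnerable_hook(&a, swap_to_protected); }
int run_hardened(void)   { call_args a = { 1 }; return hardened_hook(&a, swap_to_protected); }
int run_direct(void)     { call_args a = { PROTECTED_PID }; return hardened_hook(&a, NULL); }
```

The direct attempt is blocked by both hooks; only the racing call slips past the vulnerable one, which is why the attack needs code already running on the machine to supply the racing thread.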
By Matthew Broersma