Eugene Kogan and Tal Liberman, two researchers at enSilo, a security firm based in San Francisco, said Process Doppelgänging abuses NTFS mechanisms (specifically Transactional NTFS, or TxF, the feature their Black Hat Europe 2017 talk was built around) to silently sneak malware into a Windows system without leaving a trace. (NTFS has been the default file system for all versions of Windows since 2001.)
Kogan and Liberman explained that the attack replaces the code in an open file, creates a malicious process from the altered contents, then reverts the file to its previous state, so the malicious code is never written to disk. The researchers didn't describe the steps in detail, but told Bleeping Computer that the attack "cannot be patched since it exploits fundamental features and the core design of the process-loading mechanism in Windows."
The Process Doppelgänging attack "is not a vulnerability, but an evasion technique," Liberman said to ZDNet. "We did submit a description of the technique to Microsoft and as they, too, do not deem it to be a vulnerability, they will not address it."
The pair said they'd tested the Process Doppelgänging attack against several top antivirus brands, including Kaspersky, Bitdefender, ESET, Symantec and McAfee, and it had successfully evaded each one. However, they specified only that Kaspersky, Symantec and McAfee failed to detect Process Doppelgänging on Windows 7, leaving open whether those products catch it on the generally more secure Windows 10. One product that apparently does protect against the attack, naturally, is enSilo's own "next-generation" antivirus solution, available to its corporate customers.
On the upside, Kogan and Liberman said the Process Doppelgänging attack is pretty hard to pull off.
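The file-system primitive behind the description above can be seen without any of the process-creation steps. The PowerShell script below is an added illustration, not enSilo's code or the researchers' proof of concept: it opens a transaction, overwrites a file inside that transaction, shows that a normal reader (the position an on-access scanner is in) still sees the original bytes, and then rolls the transaction back so the overwrite never reaches the committed file. It assumes a Windows host with an NTFS volume and the TxF APIs present (they are deprecated but still shipped); the file name and contents are constructed for the demo. Creating a process from the transacted file, which is the part the researchers describe as relying on undocumented process-creation details, is deliberately not shown.

```powershell
# Added illustration (not enSilo's code): the NTFS transaction primitive that
# Process Doppelgaenging builds on. Requires Windows with an NTFS volume.
$sig = @'
using System;
using System.Runtime.InteropServices;
public static class Txf {
    [DllImport("ktmw32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern IntPtr CreateTransaction(IntPtr attrs, IntPtr uow, uint options,
        uint isolationLevel, uint isolationFlags, uint timeout, string description);
    [DllImport("ktmw32.dll", SetLastError = true)]
    public static extern bool RollbackTransaction(IntPtr hTransaction);
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern IntPtr CreateFileTransactedW(string name, uint access, uint share,
        IntPtr sa, uint disposition, uint flags, IntPtr template, IntPtr hTransaction,
        IntPtr miniVersion, IntPtr extended);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool WriteFile(IntPtr h, byte[] buf, uint n, out uint written, IntPtr ov);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr h);
}
'@
Add-Type -TypeDefinition $sig

# Constructed sample file standing in for a legitimate executable on disk.
$path = Join-Path $env:TEMP 'doppel-demo.txt'
Set-Content -Path $path -Value 'benign contents' -NoNewline -Encoding ASCII

# 1. Open a kernel transaction (KTM).
$tx = [Txf]::CreateTransaction([IntPtr]::Zero, [IntPtr]::Zero, 0, 0, 0, 0, 'txf-demo')
if ($tx -eq [IntPtr]::Zero) {
    throw "CreateTransaction failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
}

# 2. Open the existing file for writing *inside* the transaction.
$GENERIC_WRITE = 0x40000000; $FILE_SHARE_READ = 1; $OPEN_EXISTING = 3; $FILE_ATTRIBUTE_NORMAL = 0x80
$h = [Txf]::CreateFileTransactedW($path, $GENERIC_WRITE, $FILE_SHARE_READ, [IntPtr]::Zero,
        $OPEN_EXISTING, $FILE_ATTRIBUTE_NORMAL, [IntPtr]::Zero, $tx, [IntPtr]::Zero, [IntPtr]::Zero)
if ($h -eq [IntPtr]::new(-1)) {
    throw "CreateFileTransactedW failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
}

# 3. Overwrite the contents within the transaction (stand-in for the malicious payload).
$payload = [Text.Encoding]::ASCII.GetBytes('PAYLOAD visible only inside the transaction')
[uint32]$written = 0
[Txf]::WriteFile($h, $payload, $payload.Length, [ref]$written, [IntPtr]::Zero) | Out-Null
[Txf]::CloseHandle($h) | Out-Null

# 4. A non-transacted reader (e.g. a file scanner) still gets the committed version.
"While the transaction is open, a normal reader sees: '$(Get-Content -Raw $path)'"

# 5. Roll back: the transacted write is discarded and nothing reaches the committed file.
[Txf]::RollbackTransaction($tx) | Out-Null
[Txf]::CloseHandle($tx) | Out-Null
"After rollback, the file contains:               '$(Get-Content -Raw $path)'"

Remove-Item $path
```

Both reads should return the original benign contents: the altered bytes exist only within the uncommitted transaction, which is what lets a section and process be built from them and then discarded. Microsoft deprecated TxF years ago but has not removed it, which is why the researchers describe the technique as exploiting a "fundamental feature" rather than a bug that can be patched.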
"There are a lot of technical challenges," they told Bleeping Computer, and the attack uses "a lot of undocumented details on process creation." In an enSilo press release, Liberman said that the Process Doppelgänging attack requires "intimate knowledge of the inner workings of AVs' file-scanning engines."
Like many firms selling "next-gen" antivirus products to enterprise clients, enSilo aims to demonstrate the failings of "traditional" antivirus software. In February 2016, two other enSilo researchers showed how malware could attack a Windows machine by abusing the "hooks" that regular antivirus products create to monitor applications and system processes.
Image credit: Petr Malyshev/Shutterstock