On June 20th 2019 Threat researchers from McAfee published information detailing an issue with certain Windows APIs that in a post-exploitation scenario could allow attackers to create malicious files that aren’t detected by anti-virus software even if a detection has been created for them. This technique does not affect ‘NextGen’ security products such as Sophos Intercept X, Sophos Exploit Prevention or technology included in Sophos Endpoint protection such as runtime behavioral analysis (HIPS) and memory scans.
The technique only affects the ability to find and remediate malicious process running in memory after its file on disk was detected and cleaned. The full remediation will require a reboot or manually ending (killing) the process in Task Manager.
It is important to note that this is a hypothetical attack and no malware in the wild has been seen using this technique yet. Additionally, for this to be used by an attacker they would have to compromise the machine first, for example a malicious file would have to have been executed on the machine before it could later then use this technique, so in most scenarios the attack would be prevented before it could get to this stage.
Sophos is investigating this issue and will update protection where necessary, this article will be updated when new information becomes available.
For more information on Process Reimaging please see: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/in-ntdll-i-trust-process-reimaging-and-endpoint-security-solution-bypass/
The following sections are covered:
Windows 7, 8 and 10
As with all threats the best protection is to ensure the following:
- All your computers have anti-virus software installed and working correctly
- They are using the latest versions of the anti-virus software
- You are following best practice recommendations for the policy configuration
This will dramatically decrease the chance of a computer becoming compromised.
Specifically, to help prevent this technique being used ensure the following protection is enabled:
Computers managed by Sophos Central
In the Endpoint Protection > Policies > Threat Protection policies > Settings
Make sure Detect malicious behavior (HIPS) is enabled.
Computers managed by Sophos Enterprise Console
In the Anti-virus and HIPS policies make sure Enable behavior monitoring is selected.
Also in the Anti-Virus and HIPS policy select the ‘Settings’ button next to ‘Enable on-access scanning’ and ensure Scan system memory is selected.
If an already compromised computer has been affected by malware using this technique, please take the following steps:
- Run a full scan of the computer, this can be done right away or via a scheduled scan.
- Reboot the computer.
For further advice on how to check computers are up to date and following best practice settings, please see the links in the related information section below.
- Sophos products: How to check if the product is up to date
- Sophos Central Endpoint: Recommended threat protection policy settings
- Sophos Enterprise Console and Sophos Endpoint: Recommended settings for Anti-Virus and HIPS
Sign up to the Sophos Support SMS Notification Service to get the latest product release information and critical issues.
If you’ve spotted an error or would like to provide feedback on this article, please use the section below to rate and comment on the article.
This is invaluable to us to ensure that we continually strive to give our customers the best information possible.