Microsoft Defender is Microsoft's built-in anti-malware product for Windows.
According to recently published research, major anti-malware products can be tricked into deleting legitimate files from Windows. Or Yair, a researcher at SafeBreach, has published a proof-of-concept showing how security tools can be manipulated into deleting harmless files that belong to the operating system.
The PoC is known as "Aikido", and Microsoft has confirmed that Defender is affected; the flaw has since been fixed with a patch. The technique is named after the martial art that turns an opponent's own moves against them.
The name fits: the PoC borrows the anti-malware software's own remediation capability, feeding it a file the product will classify as malicious and then redirecting the resulting deletion at a file the attacker could not otherwise touch. Besides Microsoft Defender, products from AVG, Trend Micro and Avast were vulnerable, as were those of other vendors.
Yair says that Aikido exploits a time-of-check to time-of-use (TOCTOU) race. An anti-malware product deletes a file once it has determined that the file is malicious, but the determination and the deletion do not happen at the same instant. The PoC uses the TOCTOU window between detection and deletion to change what the recorded path points to, so that the deletion lands on a legitimate file.
The attack works as follows.
A malicious file is created at C:\temp\Windows\System32\drivers\ndis.sys, a user-writable path that mirrors the layout of the real C:\Windows\System32\drivers\ndis.sys. Next, the attacker keeps a handle to the file open, so the security product cannot delete it immediately and instead postpones the deletion (in the PoC, until the next reboot). While the deletion is pending, the attacker deletes the C:\temp directory and creates a junction at C:\temp pointing to C:\. When the scheduled deletion finally runs, the same path now resolves through the junction to the legitimate file, which is deleted instead of the malicious one.
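The following is an added simulation of the race described above, not SafeBreach's PoC and not code from the original article. It stands in POSIX symlinks for NTFS junctions and a throwaway temp directory for the C: drive, so it runs offline on Linux or macOS. The "scanner" is a toy that flags any file beginning with the constructed marker bytes EVIL; the hardened deleter is a check suggested here (refuse to traverse a link and re-resolve the path at time of use), not a description of Microsoft's actual fix.

```python
"""Aikido-style TOCTOU against a path-based deferred deletion, simulated with symlinks."""
import os
import shutil
import stat
import tempfile


class UnsafeDeletion(RuntimeError):
    """Raised by the hardened deleter when the path no longer means what it meant at scan time."""


def scan_flags_malicious(path: str) -> bool:
    # Toy detector standing in for a signature match: the constructed bait starts with b"EVIL".
    with open(path, "rb") as f:
        return f.read(4) == b"EVIL"


def deferred_delete_vulnerable(path: str) -> None:
    # Time of use: the stored path string is resolved again by the OS, following
    # whatever link now sits in it. This is the behaviour Aikido abuses.
    os.remove(path)


def path_crosses_link(path: str, root: str) -> bool:
    # True if any component of `path` below `root` is a symlink, the POSIX analogue of
    # refusing to traverse an NTFS junction / reparse point on the way to the target.
    cur = root
    for part in os.path.relpath(path, root).split(os.sep):
        cur = os.path.join(cur, part)
        if stat.S_ISLNK(os.lstat(cur).st_mode):
            return True
    return False


def deferred_delete_hardened(path: str, root: str, expected_real: str) -> None:
    # Suggested hardening (assumption, not Microsoft's documented fix): at time of use,
    # refuse if the path traverses a link or no longer resolves to the file that was scanned.
    if path_crosses_link(path, root) or os.path.realpath(path) != expected_real:
        raise UnsafeDeletion(f"{path} no longer resolves to the scanned file")
    os.remove(path)


def run_attack(hardened: bool) -> dict:
    root = os.path.realpath(tempfile.mkdtemp())  # stand-in for C:\
    try:
        # Legitimate file the attacker wants removed (C:\Windows\System32\drivers\ndis.sys).
        legit_dir = os.path.join(root, "Windows", "System32", "drivers")
        os.makedirs(legit_dir)
        legit = os.path.join(legit_dir, "ndis.sys")
        with open(legit, "wb") as f:
            f.write(b"legitimate driver bytes")  # constructed sample content

        # Bait in a user-writable staging tree (C:\temp\Windows\System32\drivers\ndis.sys).
        staging = os.path.join(root, "temp")
        bait_dir = os.path.join(staging, "Windows", "System32", "drivers")
        os.makedirs(bait_dir)
        bait = os.path.join(bait_dir, "ndis.sys")
        with open(bait, "wb") as f:
            f.write(b"EVIL" + b"\x90" * 16)  # constructed "malicious" content

        # Time of check: the scanner flags the bait and records the path for later deletion.
        assert scan_flags_malicious(bait)
        expected_real = os.path.realpath(bait)

        # Attacker's window: drop the staging tree and plant a link so that
        # root/temp -> root, making root/temp/Windows/... an alias of root/Windows/...
        shutil.rmtree(staging)
        os.symlink(root, staging)

        # Time of use: the deferred deletion runs against the recorded path.
        refused = False
        try:
            if hardened:
                deferred_delete_hardened(bait, root, expected_real)
            else:
                deferred_delete_vulnerable(bait)
        except UnsafeDeletion:
            refused = True
        return {"legit_survives": os.path.exists(legit), "deletion_refused": refused}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print("vulnerable deleter:", run_attack(hardened=False))
    print("hardened deleter:  ", run_attack(hardened=True))
```

With the vulnerable deleter the legitimate file is gone after the deferred deletion; with the hardened deleter the deletion is refused because the first path component below the root is now a link. The same idea applies on Windows by opening each component with FILE_FLAG_OPEN_REPARSE_POINT, or by deleting through a handle obtained at scan time rather than re-opening by path.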
Defender for Endpoint behaved differently from regular Microsoft Defender: instead of deleting only the flagged file, it deleted the entire containing folder. Microsoft acknowledged the issue and assigned it a CVE identifier.
The fix shipped in Microsoft Malware Protection Engine version 1.1.19700.2. Administrators can confirm that a host is running a fixed engine with the PowerShell cmdlet Get-MpComputerStatus, whose AMEngineVersion field reports the installed engine version.