Researchers bypass Windows Defender scan via own SMB server
Security firm CyberArk has published an attack it calls Illusion Gap. By running its own SMB server and getting a target to open a file hosted on it, an attacker can bypass a Windows Defender scan. Microsoft does not regard this as a security issue.
CyberArk reports that the method works because Windows Defender retrieves its own copy of the file from the SMB server, separately from the read performed by the Windows loader. A custom SMB server can therefore hand the malicious version of the file to the Windows loader and the clean version to Defender when the target opens the file. The server tells the two requests apart with a filter, the researchers write. As a result, the malicious version runs and nothing is detected.
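The double fetch at the heart of the technique, modelled as an added example (this is not CyberArk's code and does not speak SMB): a server answers reads differently depending on which client is asking, a scanner that fetches its own copy is shown a clean file, and the loader receives something else. The requester label the server keys on, the placeholder file contents and the hash-based scanner are assumptions of this model; the page does not say what CyberArk's filter actually inspected. The hardened variant, which scans the bytes the loader itself read, is the generic mitigation for this class of double fetch and is the author of this example's suggestion, not Microsoft's.

```python
import hashlib

# Constructed sample file contents standing in for the two versions of a
# file served from the share. Plain placeholder bytes, not malware.
CLEAN_FILE = b"MZ-clean-placeholder: benign program"
MALICIOUS_FILE = b"MZ-malicious-placeholder: payload"

# A hash-based "signature" for the model scanner. Keying on the hash of the
# malicious placeholder keeps the example self-contained.
KNOWN_BAD_HASHES = {hashlib.sha256(MALICIOUS_FILE).hexdigest()}


def scanner_flags(data: bytes) -> bool:
    """Return True if the model scanner would block this content."""
    return hashlib.sha256(data).hexdigest() in KNOWN_BAD_HASHES


class ContentSwappingServer:
    """Model of a file server that answers reads differently per requester.

    The discriminator is a requester label supplied by the client; that is an
    assumption of this model. The page only says CyberArk's server used a
    filter to tell Defender's request from the loader's, not what it keyed on.
    """

    def __init__(self, scanner_labels):
        self.scanner_labels = set(scanner_labels)
        self.reads = []  # log of who read the file, in order

    def read_file(self, requester: str) -> bytes:
        self.reads.append(requester)
        if requester in self.scanner_labels:
            return CLEAN_FILE       # the scanner is shown the benign version
        return MALICIOUS_FILE       # everyone else gets the real payload


def open_with_separate_fetch(server, scanner="defender", loader="ntoskrnl"):
    """Vulnerable flow: scanner and loader each fetch their own copy.

    Returns the bytes handed to the loader, or None if the scanner blocked it.
    """
    scanned_copy = server.read_file(scanner)
    if scanner_flags(scanned_copy):
        return None
    # Second fetch: the server is free to answer this one differently.
    return server.read_file(loader)


def open_with_single_fetch(server, loader="ntoskrnl"):
    """Hardened flow: scan exactly the bytes the loader is about to use.

    Only one read reaches the server, so it cannot serve two versions.
    """
    data = server.read_file(loader)
    if scanner_flags(data):
        return None
    return data


if __name__ == "__main__":
    srv = ContentSwappingServer(scanner_labels={"defender"})
    loaded = open_with_separate_fetch(srv)
    print("separate fetch ->", "BYPASSED" if loaded == MALICIOUS_FILE else "blocked")
    srv = ContentSwappingServer(scanner_labels={"defender"})
    print("single fetch   ->", "blocked" if open_with_single_fetch(srv) is None else "BYPASSED")
```

In a real system the hardened flow is less simple than the model suggests: an image executed from a share is paged in on demand, so the loader's reads are spread out over time rather than being one read that can be scanned up front, which is part of why a scanner that fetches the whole file separately is an attractive design in the first place.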
An attacker therefore needs to be able to set up such an SMB server to use the method. The researchers say that other antivirus products may also be susceptible to this attack, but provide no evidence. They reported their findings to Microsoft, which responded: “Based on the report, a successful attack requires a user to run content from an untrusted SMB share on a custom server that can modify its behavior based on access patterns. This does not appear to be a security issue, but a feature request, which has been forwarded to the engineering department.”
In a more detailed statement to The Register, the company says the attack has “limited practical use”. Even once an attacker has got the target through all the steps, Windows Defender would detect subsequent follow-up actions, according to Microsoft, and Windows would show several warnings along the way. CyberArk says the technique works on Windows 10 and 8.1 and is mainly of interest to advanced attackers.
Illustration: operation of the SMB server, according to CyberArk.