Anti-Tampering and Detection Evasion – Bitdefender TechZone (2024)


Abstract

Discover how Bitdefender GravityZone employs robust anti-tampering and detection evasion techniques to safeguard against cyberattacks, ransomware, and APTs.

Anti-tampering is a security feature in endpoint protection that safeguards the software itself from being disabled or altered by attackers. EDR systems are especially reliant on anti-tampering since they depend on sensors and agents to track system activity and identify threats.

EDR Bypass techniques

Malicious actors are constantly innovating techniques to circumvent endpoint security defenses, collectively referred to as EDR Bypass. These techniques can be broadly classified into two categories:

  1. Direct Disabling Techniques - attackers directly attempt to disable security software, such as uninstallation or termination of security processes.

  2. Advanced Evasion Techniques - more sophisticated attackers may use advanced techniques such as the callback evasion, vulnerable-driver abuse (BYOVD) and ETW tampering discussed below.


Understanding these EDR bypass techniques is the first step to securing your business systems. However, completely stopping them is an ongoing challenge.

While we can't reveal every method we've implemented from an anti-tampering perspective (keeping those details confidential is part of protecting our solutions), this article delves deeper into several common bypass techniques.

Basic Anti-Tamper protection

Security software is vital for your protection, but sometimes even users might try to disable it, intentionally or not. This section discusses basic methods attackers or ill-informed employees might use to bypass security, focusing on uninstallation and stopping processes.

In Bitdefender GravityZone, you can configure Anti-Tamper protection settings in the Policies configuration section.


Password configuration

The password feature requires users to enter a password to uninstall the security agent, even if they have local administrator rights. For maximum security, it is crucial to configure an uninstallation password and to choose a strong one, known only to security administrators. If a user knows the password, or if no password was set, they can uninstall endpoint protection from their computer. A weak or missing password significantly weakens your endpoint security by allowing attackers to manipulate security settings and potentially compromise your system.

Power User

The Power User module grants administrator rights to users at the endpoint level, enabling them to access and modify specific security settings through a local CLI console. With the Power User module, users can easily manage endpoint policies locally on their stations. This also includes the ability to deactivate protection modules such as Antimalware On-Access Scanning, Advanced Threat Control, Hyper Detect, etc. When an endpoint is in Power User mode, the Control Center receives a notification, and the Control Center administrator retains the ability to override local security settings if necessary. The Power User password should be a strong one and known only to security administrators.

Self Protect

Bitdefender Self Protect functionality provides silent protection for its processes. This critical Anti-Tamper feature is automatically activated and cannot be modified by users, ensuring the highest level of security for Bitdefender's core components. It operates at the file, registry, and process levels, actively preventing unauthorized actions such as altering or deleting product files, modifying or removing registry keys, and halting processes.

To stop malicious processes from modifying our security solution, we use a minifilter driver that actively monitors handle creation for new processes and for the registry. By examining the rights requested for these handles, we strip dangerous access rights (such as PROCESS_TERMINATE) or block any change to the files and registry keys/values used by our security solution.

To prevent unauthorized actions while still letting our own components work, the anti-tampering mechanism also grants permission to our authorized processes to carry out specific actions, such as launching the on-demand scanner. Our validation procedure checks that the on-demand scan process is legitimately ours; if validation succeeds, the operation proceeds as intended.
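As an added illustration of the handle-rights policy described in the two paragraphs above (example code written for this page, not Bitdefender's driver): a user-mode model of the decision a pre-operation handle callback makes before a handle to a protected process or registry key is returned. The access-right constants are the documented winnt.h values; the trusted-requester check, the install path and the exact set of rights stripped are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Access rights, documented winnt.h values. */
#define PROCESS_TERMINATE      0x0001u
#define PROCESS_CREATE_THREAD  0x0002u
#define PROCESS_VM_OPERATION   0x0008u
#define PROCESS_VM_WRITE       0x0020u
#define PROCESS_SUSPEND_RESUME 0x0800u
#define KEY_SET_VALUE          0x0002u
#define KEY_CREATE_SUB_KEY     0x0004u
#define DELETE                 0x00010000u

/* Rights that let a caller kill, inject into or freeze the agent, and rights
 * that change a key. Exactly which bits a real product strips is an assumption. */
#define DANGEROUS_PROCESS_RIGHTS (PROCESS_TERMINATE | PROCESS_CREATE_THREAD | \
    PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_SUSPEND_RESUME)
#define DANGEROUS_KEY_RIGHTS (KEY_SET_VALUE | KEY_CREATE_SUB_KEY | DELETE)

/* What the pre-operation callback knows about the caller (constructed). */
typedef struct {
    const char *image_path;  /* image of the process opening the handle */
    bool signature_valid;    /* hypothetical: caller's code signature verified */
} requester_t;

static const char TRUSTED_DIR[] = "C:\\Program Files\\Vendor\\"; /* placeholder */

/* Stand-in for the vendor's own (undisclosed) validation procedure: a path
 * under the install directory is not enough, the signature must check out too. */
static bool requester_is_trusted(const requester_t *r) {
    return r->signature_valid &&
           strncmp(r->image_path, TRUSTED_DIR, strlen(TRUSTED_DIR)) == 0;
}

/* Access mask actually granted for a handle to a protected process: untouched
 * for validated product processes, otherwise the dangerous bits are cleared.
 * The handle is still returned, so callers that only query the process work. */
uint32_t filter_protected_process_access(const requester_t *r, uint32_t desired) {
    return requester_is_trusted(r) ? desired : (desired & ~DANGEROUS_PROCESS_RIGHTS);
}

/* Same policy for a handle to one of the product's registry keys. */
uint32_t filter_protected_key_access(const requester_t *r, uint32_t desired) {
    return requester_is_trusted(r) ? desired : (desired & ~DANGEROUS_KEY_RIGHTS);
}
```

A caller in the trusted directory whose signature does not verify is treated like any other requester, which is the case that matters when an attacker drops a binary next to the agent.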

Advanced Evasion Techniques Detection

A strong password and a configured uninstallation password are crucial first steps, but they're not enough. More sophisticated attackers have advanced evasion techniques in their arsenal that bypass EPP and EDR detection methods.

Stopping a security process might be an unintentional attempt by a user to bypass security. Advanced bypass techniques, however, are a serious red flag, indicating a skilled attacker trying to gain access to your system.

Callback Evasion

Attackers employ callback evasion techniques to bypass security systems that rely on kernel callbacks to spot malicious activity. These callbacks act as hooks for security software, notifying it of specific system events; by disabling or removing them, attackers can mask their activity and operate undetected for extended periods. To illustrate the sophistication of these attacks, consider a scenario where malicious tools exploit vulnerabilities in legitimate drivers to gain access to the kernel. Once inside the kernel, the attacker can tamper with or disable existing security measures. For example, with the EDRSandBlast tool, attackers can exploit an arbitrary-write vulnerability in a digitally signed driver to remove the callbacks that deliver process-creation events to EDR or other security software. With these callbacks gone, the attacker's malware can create new processes without alerting the security software, effectively cloaking its malicious activity.

Completely blocking this type of attack is challenging, as existing countermeasures like driver blacklisting have limited effectiveness against unknown vulnerabilities. However, the Bitdefender BEST agent offers a powerful solution embedded within its client: Callback Evasion Detection technology (CBE).

CBE actively monitors for suspicious activity and can detect attempts to disable or manipulate the callbacks that security software depends on. For example, whenever we detect that callbacks registered through PsSetLoadImageNotifyRoutine, PsSetCreateThreadNotifyRoutine or CmRegisterCallback have been removed or disabled by an attacker, CBE generates an alert. This proactive detection lets you identify and address potential threats before they can compromise your system.

CBE goes beyond monitoring the callbacks for process creation, image loading and registry or file modifications. It can also detect Infinity Hooks placed in the kernel, a tactic advanced attackers use to disrupt communication channels, and it can identify situations where callbacks belonging to Bitdefender drivers, such as the Advanced Threat Control driver, the Network Attack Detection driver or the Firewall driver, have been disabled. This lets us report any case where our drivers are no longer receiving notifications about critical system activity, including registry changes, disk access, memory modifications, process creation, network events or other kernel-level actions.

When CBE raises an alert because a critical security callback has been removed or disabled by an attack that gained kernel access, your security team can initiate a coordinated response. The GravityZone platform with the BEST agent includes technologies that can take further action, such as automatically isolating the affected endpoint from the network to prevent lateral movement, or rebooting the endpoint. Further investigation, such as forensic analysis, may still be required to determine the scope of the compromise and identify the specific processes and drivers involved in the attack.


Bring Your Own Vulnerable Driver

Another tactic in the attacker's arsenal is Bring Your Own Vulnerable Driver (BYOVD). This technique leverages the trust placed in legitimate drivers to gain unauthorized access: rather than relying on traditional methods, BYOVD exploits vulnerabilities within these trusted drivers. Attackers might embed such drivers in seemingly harmless software packages or manipulate drivers already present. Once loaded, the vulnerable driver can be used for malicious activity, allowing attackers to bypass security measures and compromise your system. One example is the Netfilter driver with CVE-2023-32233, a vulnerability that allows unprivileged local users to obtain root privileges.

To counter the BYOVD threat, Bitdefender employs a multi-layered approach that goes beyond basic detection. This includes identifying vulnerable driver risks before they can be exploited on Windows and Linux operating systems. If a threat is detected, BEST can take further actions such as denying access to the vulnerable driver or disinfecting the driver. By continuously updating our database with information on known vulnerable drivers and associated exploits, we enhance our defense mechanisms.

However, a robust defense should extend beyond the BEST agent. To secure your systems effectively, implement a proactive approach: continuous monitoring to identify suspicious activity, rigorous patch management that prioritizes updates for known vulnerabilities, and user education on the dangers of untrusted applications and driver sources.


Event Tracing for Windows (ETW) tampering

Attackers might attempt to bypass Endpoint Detection and Response (EDR) solutions by tampering with Event Tracing for Windows (ETW). ETW is a core Windows logging mechanism that tracks events from user-mode applications and kernel-mode drivers. Tampering with ETW allows attackers to disrupt the logging flow, potentially blinding the system by terminating tracing sessions or removing specific providers from them.

A common user-mode technique involves patching the EtwEventWrite function, which is responsible for writing ETW events. Attackers fetch its address in ntdll.dll and overwrite its first instructions so that the function immediately returns 0 (SUCCESS), effectively suppressing event generation from inside that user-mode process.

Advanced Threat Control (ATC), when configured in Normal mode, detects ETW tampering. In the ntdll!EtwEventWrite patching example, ATC can identify the memory modification in user mode, signaling a potential tampering attempt. Upon detection, Bitdefender EPP can terminate the process responsible for the tampering attempt.
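An added example (not Bitdefender's ATC implementation) of how a user-mode integrity check can flag the ntdll!EtwEventWrite patch described above: it compares the live function prologue against the x64 encodings of common "return 0" stubs and against the on-disk copy of the same bytes. The sample prologue bytes are constructed stand-ins, not real ntdll bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef struct { const uint8_t *bytes; size_t len; const char *name; } stub_t;

/* x64 encodings of "immediately return 0" stubs that an in-process patch
 * may write over EtwEventWrite's first instructions. */
static const uint8_t S_RET[]    = { 0xC3 };                    /* ret */
static const uint8_t S_XOR1[]   = { 0x33, 0xC0, 0xC3 };        /* xor eax,eax ; ret */
static const uint8_t S_XOR2[]   = { 0x31, 0xC0, 0xC3 };        /* xor eax,eax ; ret (alt encoding) */
static const uint8_t S_XORRAX[] = { 0x48, 0x33, 0xC0, 0xC3 };  /* xor rax,rax ; ret */
static const uint8_t S_MOV0[]   = { 0xB8, 0, 0, 0, 0, 0xC3 };  /* mov eax,0 ; ret */
static const stub_t STUBS[] = {
    { S_RET,    sizeof S_RET,    "ret" },
    { S_XOR1,   sizeof S_XOR1,   "xor eax,eax; ret" },
    { S_XOR2,   sizeof S_XOR2,   "xor eax,eax; ret" },
    { S_XORRAX, sizeof S_XORRAX, "xor rax,rax; ret" },
    { S_MOV0,   sizeof S_MOV0,   "mov eax,0; ret" },
};

typedef enum { ETW_OK, ETW_PATCHED_STUB, ETW_MODIFIED } etw_state_t;

/* Name of the stub the prologue starts with, or NULL if none matches. */
const char *match_return_zero_stub(const uint8_t *prologue, size_t n) {
    for (size_t i = 0; i < sizeof STUBS / sizeof STUBS[0]; i++)
        if (n >= STUBS[i].len && memcmp(prologue, STUBS[i].bytes, STUBS[i].len) == 0)
            return STUBS[i].name;
    return NULL;
}

/* Classify the live prologue. `disk` holds the same bytes taken from the
 * file-backed image (relocations applied where the region has any), so any
 * remaining difference is a runtime modification such as a hook or trampoline. */
etw_state_t check_etw_prologue(const uint8_t *mem, const uint8_t *disk, size_t n) {
    if (match_return_zero_stub(mem, n) != NULL)
        return ETW_PATCHED_STUB;   /* precise "ETW blinded" verdict */
    if (memcmp(mem, disk, n) != 0)
        return ETW_MODIFIED;       /* catches patches not in the stub list */
    return ETW_OK;
}
/* Constructed sample (not real ntdll bytes): a clean prologue and the same
 * bytes after an in-process "return 0" patch. */
static const uint8_t SAMPLE_CLEAN[]   = { 0x4C, 0x8B, 0xDC, 0x48, 0x83, 0xEC, 0x58 };
static const uint8_t SAMPLE_PATCHED[] = { 0x33, 0xC0, 0xC3, 0x48, 0x83, 0xEC, 0x58 };
etw_state_t check_sample(void) {
    return check_etw_prologue(SAMPLE_PATCHED, SAMPLE_CLEAN, sizeof SAMPLE_CLEAN);
}
```

In a real agent the `mem` bytes come from the loaded ntdll.dll image in the monitored process and `disk` from the file on disk, so the comparison does not depend on keeping the stub list complete.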

Recommended Content

To learn more about how to enhance the ability to anticipate, detect, and mitigate potential threats effectively, we recommend reading the next article, Threat Intelligence.
