The POCs have been tested with the latest version of Windows 10 and Server 2016. They will likely work on other flavors of Windows without changes. The antivirus products that I was able to disable remotely, even when their own flavor of password-protected anti-tampering settings was enabled, are Windows Defender, Avast, Bitdefender, Kaspersky and F-Secure.
Requirements: Local admin rights are needed on the victim's PC (very common for home users). For a remote exploit, this POC additionally requires the attacker to have access to the remote C$ share and to be able to schedule tasks remotely. Note, however, that this is a common scenario for IT tech support staff: if just one of them is tricked into executing the exploit, all AV protection on all Windows endpoints in the corporate network could be disabled.
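The preconditions listed above (local admin rights, a reachable C$ share, remote task scheduling) and the effect (AV services stopped) can all be checked from the defender's side. The script below is an added, read-only audit example written for this post; it is not the author's POC and changes nothing. It assumes an elevated PowerShell 5.1 session on Windows 10 / Server 2016 with the Defender module available, and the service names for Avast are assumed.

```powershell
# Added example (not the author's POC): read-only audit of one endpoint for the
# preconditions and effects described in the post. Assumed: elevated PS 5.1 on
# Windows 10 / Server 2016 with the Defender module present.
$report = [ordered]@{}

# 1. Is the administrative C$ share exposed? (the remote variant depends on it)
$report.CShareExposed = [bool](Get-SmbShare -Name 'C$' -ErrorAction SilentlyContinue)

# 2. Who holds local admin rights here? (every member is a single point of failure)
$report.LocalAdmins = (Get-LocalGroupMember -Group 'Administrators' `
    -ErrorAction SilentlyContinue).Name

# 3. Defender state, including whether its tamper protection is actually on
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp) {
    $report.DefenderAntivirusEnabled = $mp.AntivirusEnabled
    $report.DefenderRealTime         = $mp.RealTimeProtectionEnabled
    $report.DefenderTamperProtected  = $mp.IsTamperProtected
}

# 4. AV services named in the post. WinDefend/WdNisSvc are Defender's;
#    'avast! Antivirus' is the assumed Avast service name.
$avServices = 'WinDefend', 'WdNisSvc', 'avast! Antivirus'
$report.AvServices = foreach ($name in $avServices) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc) { "$name=$($svc.Status)" } else { "$name=absent" }
}

# 5. Scheduled tasks outside the \Microsoft\ tree, with what they execute.
#    The remote variant relies on task scheduling, so unexpected entries matter.
$report.NonMicrosoftTasks = Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
    ForEach-Object {
        $exe = ($_.Actions | ForEach-Object { $_.Execute }) -join ';'
        "$($_.TaskPath)$($_.TaskName) -> $exe"
    }

[pscustomobject]$report | Format-List
```

Run it before and after a change-control window, or on a schedule, and diff the output: a stopped AV service, `DefenderTamperProtected` flipping to `False`, or a new non-Microsoft task are the signals worth alerting on.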
Skip to the bottom of the page to view a screencast of the demo and to access POC scripts that can disable Windows Defender, Avast and Bitdefender as examples. Continue reading instead if you want to find out why I'm releasing this publicly.
On October 2nd, 2020 I contacted Microsoft Security Response Center to report a design flaw I had discovered in Windows 10 / Windows Server that allows a very simple way to disable most antivirus products, including their own Windows Defender. My technique can be exploited remotely, and works even when the antivirus is password protected using the vendors' various advanced tamper protection features.
I provided a working POC with the exploit, consisting of a simple .bat file that could be used either to disable the antivirus on the local machine or to disable the AV on a remote machine. There is one requirement: you need to have local admin rights on the target endpoint. More on that later.
Microsoft Security Response Center closed the case replying back as follows:
===================== case VULN-034200 CRM:0461166299 =======================
Upon investigation, we have determined that this submission does not meet the bar for security servicing. This report does not appear to identify a weakness in a Microsoft product or service that would enable an attacker to compromise the integrity, availability, or confidentiality of a Microsoft offering. As submitted this attack requires administrative privileges. Reports that are predicated on having administrative/root privileges are not valid reports because a malicious administrator can do much worse things.
As such, this email thread has been closed and will no longer be monitored.
===========================================================================
On October 6 I then re-submitted a new case (VULN-034538 CRM:0748000095), pointing out that:
1. If a large company had, for example, 100 users who were local admins on all the company's workstations (e.g. desktop/helpdesk staff) or their server admins, all I had to do was trick ONE of them into launching a .bat file to disable antivirus protection on ALL of the endpoints in the company.
2. Many Windows home users are local admins on their PCs.
3. The whole point of implementing tamper protection on antivirus files, folders and Windows services is to prevent even local admins from disabling AV protection. Have any of you tried to stop your AV services? You can't! That's the whole point of my exploit.
My 2nd attempt to convince Microsoft of how serious this vulnerability is failed again, resulting in the same pre-packaged response I had received earlier.
As the flaw resides in Windows itself, there is little the other antivirus vendors can do to secure their products against this attack. Because of this, I've decided to make the technique public, as going public was the only way I convinced Microsoft to fix a huge flaw in Outlook's digital signature verification several years ago.
Below is a screencast showing how I can remotely disable both Windows Defender and Avast on a different computer.
This is the .bat file I used for the exploit:
Avast-DisableAV-Remote.bat.txt
The same script can be used to disable F-Secure simply by substituting the folder and service names that F-Secure uses. The same applies to several other vendors.
Two AV products in my testing stopped the script from completing because of their behavioral malware detection: Bitdefender and Kaspersky. For both of them, all that was needed was to schedule each command separately with Task Scheduler to run at 1-minute intervals. This, for example, is the script tailored to disable both Windows Defender and Bitdefender: Bitdefender-DisableAV-Remote.bat.txt
Author: Roberto Franceschetti