EDR Flaw Exposes Microsoft Defender, Kaspersky to Remote File Deletion

Researchers at SafeBreach found flaws in Microsoft Defender and Kaspersky Endpoint Detection and Response (EDR) that could allow an attacker to trigger the deletion of files on a target machine remotely, without ever executing code on it.

These products detect malware by matching known byte sequences (signatures) against file contents. The researchers found a way to implant such signatures into legitimate files, causing the EDR to flag them as malicious and, where the product is configured to remediate by deletion, to delete them.

The researchers tested the technique on a database, which was deleted when the EDR was set to delete infected files. They also found that registering a new user on a website with a username containing a byte signature was enough to make the EDR treat the site's database as malicious, since the signature ends up stored verbatim inside the database file.
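As an added illustration (this is not SafeBreach's code or tooling, and the signature below is a constructed placeholder, not a real Defender or Kaspersky signature), the following Python script models the chain just described: a naive byte-signature scanner, a web application whose sign-up handler stores the username verbatim in a SQLite database, and a remediation step whose "delete" setting removes the flagged file. A real engine does far more than a substring search, but the relevant property carries over: the scanner sees only bytes, not whether the file is a database, so untrusted input that reaches disk unchanged can carry a signature into any file.

```python
import os
import sqlite3
import tempfile

# Constructed, hypothetical signature standing in for a real EDR signature.
# The research used signatures taken from the vendors' own databases; none
# of those are reproduced here.
FAKE_SIGNATURE = b"EXAMPLE-MALWARE-SIGNATURE-0xDEADBEEF"


def scan_file(path: str, signatures) -> list:
    """Naive content scanner: report every (signature, offset) found in the
    raw bytes of a file, regardless of file type or surrounding context."""
    with open(path, "rb") as fh:
        data = fh.read()
    hits = []
    for sig in signatures:
        start = 0
        while (idx := data.find(sig, start)) != -1:
            hits.append((sig, idx))
            start = idx + 1
    return hits


def create_user_db(path: str) -> None:
    """Set up the (hypothetical) web app's user table."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    con.commit()
    con.close()


def register_user(path: str, name: str) -> None:
    """Emulates a sign-up handler: the name is stored exactly as supplied.
    Short TEXT values are written inline into the table page, so the bytes
    of the name appear contiguously in the database file."""
    con = sqlite3.connect(path)
    con.execute("INSERT INTO users (name) VALUES (?)", (name,))
    con.commit()
    con.close()


def remediate(path: str, hits, on_detect: str) -> str:
    """What the EDR does with a flagged file. 'delete' is the setting the
    researchers abused; 'quarantine' or 'report' keep the data recoverable."""
    if not hits:
        return "clean"
    if on_detect == "delete":
        os.remove(path)
        return "deleted"
    return on_detect


def demo(on_detect: str = "delete") -> dict:
    """Run the whole chain and report what happened to the database."""
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "app.sqlite")
        create_user_db(db)
        register_user(db, "alice")
        clean_hits = scan_file(db, [FAKE_SIGNATURE])
        # The attacker signs up with the signature as their username.
        register_user(db, FAKE_SIGNATURE.decode("ascii"))
        hits = scan_file(db, [FAKE_SIGNATURE])
        outcome = remediate(db, hits, on_detect)
        return {
            "clean_before": clean_hits == [],
            "hits_after": len(hits),
            "outcome": outcome,
            "db_exists": os.path.exists(db),
        }


if __name__ == "__main__":
    print(demo("delete"))
    print(demo("quarantine"))
```

Running `demo("delete")` shows the database scanning clean after a benign sign-up and being removed after the attacker's sign-up; `demo("quarantine")` shows the same detection with the file still on disk. The practical takeaway for defenders is the remediation setting: for hosts that store data written from untrusted input, prefer quarantine or alert-only over automatic deletion, and review any exclusions for data directories.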

SafeBreach reported the findings to Microsoft in January 2023, and a patch was issued in April. Kaspersky did not release a fix at that time, stating that the issue was not a security vulnerability.

The researchers tested Microsoft's patch and found a way to bypass it, which they reported to Microsoft in August 2023. Microsoft acknowledged their work and released a second patch in December.

The researchers were then able to circumvent the second patch using a PowerShell command. Microsoft cited its Security Servicing Criteria in stating that the bypass on its own does not pose a direct risk.

The researchers believe that the problem is deeply rooted in Defender and would require a
