In this Section

Security Advisory – Emsisoft Anti-Malware Behavior Blocker Bypass

pdf_symbol

Sense of Security – Security Advisory – SOS-17-001

Release Date. 10-Feb-2017
Last Update.
Vendor Notification Date. 20-Jan-2017
Product. Emsisoft Anti-Malware
Platform. Microsoft Windows 8/8.1/10
Affected versions. a2hooks32.dll 10.0.0.218
Severity Rating. Medium
Impact. Security bypass
Attack Vector. From local system
Solution Status. Vendor patch
CVE reference. Not yet assigned

 

Details

Emsisoft Anti-Malware injects user mode hooks into each running process via a2hooks32.dll. The hooks allow Emsisoft Anti-Malware to analyse the behaviour of the process and alert the user when malware actions are suspected, such as listening on a port or interacting with other processes.

The issue exists in the dynamic library a2hooks32.dll as it can be unloaded from memory without alerting the user. A malware developer can unload the hooks to bypass the Behavior Blocker.

Please refer to the PDF version of this advisory for proof of concept code examples.

Solution

Emsisoft fixed the issue in the latest version by making the hooks DLL statically linked.

Discovered By

Ayman Sagy from Sense of Security Labs.