I read about a form of malware that is using Windows' own software to block enterprise security software from doing...
its job. Can you explain how this malware works? What other measures should be put in place if the ones we have can be blocked?
While this technique is not as common as trying to kill the processes related to antimalware tools that allow them to run effectively, it is potentially more effective. Antimalware tools have built-in defenses to prevent an attacker from just killing application processes, deleting files or uninstalling software. While using SRP to disable antimalware is difficult -- it would require correctly configuring the policy to block any potential antimalware tool -- Vawtrak uses an initial downloader to get onto the system and execute the malicious code to infect it.
Vawtrak uses Windows SRP to try to disable 53 different antimalware tools. By putting the path to the executable files used by the antimalware tools into a SRP list, Vawtrak prevents them from running on the system, and therefore disables the antimalware tool.
Generally, traditional endpoint antimalware troubleshooting doesn't look into the SRP configuration. However, starting a system from safe mode or connecting the infected hard drive to a known secure system with updated antimalware definitions could potentially remove the malware.
Enterprises can use the same steps that protect endpoints from malware to protect against Vawtrak, but should verify that the tools can detect it and other malware that is attempting to make changes to SRP or other whitelisting tools. Host-based intrusion detection tools that monitor for host-based changes could also detect the changes from Vawtrak.
Ask the Expert!
Want to ask Nick Lewis a question about enterprise threats? Submit your question now via email! (All questions are anonymous.)
Learn more about advanced malware detection
Get help assessing antimalware protection
Dig Deeper on Malware, virus, Trojan and spyware protection and removal
Related Q&A from Nick Lewis
A new remote access Trojan called UBoatRAT was found spreading via Google services and GitHub. Learn how spotting command-and-control systems can ... Continue Reading
CyberArk researchers created an attack called Golden SAML that uses Mimikatz techniques and applied it to a federated environment. Learn more about ... Continue Reading
The use of botnets to spread Scarab ransomware intensifies the threat for enterprises. Discover the best way to respond to such a threat and protect ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.