Security vendors respond to Matousec research

Researchers at Matousec said they have discovered a serious flaw in the traditional desktop-based anti-Virus protections offered by thirty-five vendors. The flaw allows someone to completely bypass those protections and attack the targeted system. The Tech Herald spoke to some of the vendors affected. Their statements and thoughts are below.

When contacted, each vendor was asked for a general statement and then asked to answer three additional questions about the Matousec research. Unfortunately, not all of the vendors contacted responded. Those that did gave a statement, commented on the questions, or both.

The questions asked are below.

What is your overall thought on the research?

What are you doing to address the issues raised by the paper?

Are there mitigating issues that need to be addressed that were not included in the research?

Given the headlines, we thought it was fair to allow the vendors impacted by the Matousec research to speak on their own. This follow-up contains their thoughts and nothing more. If you want to read the original story, you will find it here.


“Kaspersky Lab experts have analyzed the paper and concluded the issue is only linked to certain features of the Company's products. The System Service Descriptor Table (SSDT) contains the addresses of all of the operating system services and it is important to use SSDT hooks to provide better protection. However Kaspersky Lab products implement not only SSDT hooks, but a wide range of technologies, including secure sandboxing and other methods of restricting suspicious kernel mode activity.”

(Roel Schouwenberg, Senior Anti-Virus Researcher answered the questions as well.)

1. What is your overall thought on the research?

Well, this research is not new. This attack was first mentioned in the 90s as a theoretical attack and resurfaced in 2003. Since then a lot has changed. Today, security products contain a lot of different layers to protect against unknown malware.

What's important to realize is that this could only affect our products when dealing with unseen malware, which is not blocked or detected by our pre-execution heuristics technologies. Therefore I think that the impact of this vulnerability is limited. The nuisance is that the vulnerability is also exploitable in user mode.

2. What are you doing to address the issues raised by the paper?

Well, I'm not necessarily convinced this approach is going to be widely adopted by malware authors. When we'll encounter malware samples using this technique we can simply add a new heuristics to our engine that will work together with our multi layer defense strategy.

3. Are there mitigating issues that need to be addressed that were not included in the research?

There are no mitigating issues that I am aware of right now. Though I'd like to add that, unfortunately, cyber criminals find ways around security products on a daily basis. Next to that, technique can be hard to implement correctly. So, I don't think this technique is going to be a game changer, and depending on how the bad guys would implement the code we might not have such a hard time detecting such samples before execution heuristically.


"McAfee is aware of an article by researchers at Matousec that describes a way cyberattackers might be able to bypass numerous Windows security applications. Based on our initial review of the public documentation, we believe this is a complicated attack with several mitigating factors that make it unlikely to be a viable, real world, widespread attack scenario. For example, the attack would require some level of existing access to the target computer, as the attack described by Matousec does not on its own bypass security software or allow malware to run."


Comment from Catalin Cosoi, Senior Researcher for BitDefender.

“Matousec described a very specific set of circumstances that need to be in place for this type of attack to be successful - as they point out, the attacker must already be able to run executable code of the user's machine. Our solution is focused on preventing initial attacks. That said, we take every potential vulnerability seriously, no matter how unlikely, and we're devoting resources to make sure this doesn't present a realistic threat to our users.”


Comment from David Harley, Director of Malware Intelligence for ESET.

“It's not exactly a new idea, except, apparently to Matousec, and except in the slightly misleading suggestion that it's specific to antivirus. It's actually a far more generic issue."

“If a specific malware threat appears that makes use of it, the AV industry will certainly address it specifically in the usual way. Now the idea has attracted so much attention, security developers may look at whether it is possible to forestall more-or-less generically tricks inspired by Matousec's re-interpretation of older research.

[See also: -ED]

“However, to suggest that "today's most popular security solutions simply do not work" on the strength of a long-known race condition issue in the operating seems a little overstated.”


Sophos’ Senior Security Advisor Chester Wisniewski answered the three questions.

“It does not have an impact on Sophos products. While it may be interesting from a theoretical standpoint, it requires your machine to be infected with malware first, in which case all bets are off. The goal is to prevent infection in the first place. It also has requirements on hardware such as needing multiple cores and expects certain protective behaviours. To implement the attack on a single core would be quite complicated and not likely worth pursuing compared to other vulnerabilities that are easier to execute with similar results.”

“There does not appear to be a risk to our product. If malware were released that attempted to use these techniques (There is no indication this attack is in the wild) we would detect it using our traditional layered defences. The key here as with any threat is to have defence in depth and ensure as many opportunities to stop a threat as possible.

“Like any other malicious code if it were to be developed and utilized detection methods could be used to prevent the code from  executing. Our software does not use the defences outlined in the paper, so no further mitigation is necessary. If code were to be developed in the wild we would write protection against it like any other malware whether it has an impact on our product suite or not.”


Comments from Vincent Weafer, Vice President, Symantec Security Response.

“Symantec is aware of the research. This is a narrowly focused test that examines potential bypass techniques for any security solution that implements kernel mode hooking. This is precisely why Symantec adds multiple layers of security to our products in order to prevent malware, and in this case, even the code that would facilitate the substituting of benign code for malicious code, from getting onto users’ computers in the first place. In particular, Symantec’s Intrusion Prevention (IPS) and Reputation-Based Security play a large role in blocking these types of threats. These additional layers of defenses were not examined as part of the investigation.”

Sunbelt Software:

Sunbelt Software Chief Technology Officer Eric Site emailed gave the following comment.

“The blog published a possible attack method that could be used for researching actual vulnerabilities. All of the security products he listed may or may not be vulnerable to this method of attack.”

“VIPRE uses SSDT hooks only for older version of Windows and then only sparingly where APIs provided by Microsoft don't exist or are too buggy to use. VIPRE does not use SSDT hooks for 64-bit versions of Windows because of Microsoft's PatchGuard technology and Microsoft new APIs for security software. That said we are reviewing our drivers to make sure our products are not vulnerable to the method of attack.

"If any of the vendors' security products do have an actual vulnerabilities to this attack method it is very sad that did not use responsible disclosure and give the security vendors time to review their products before publicly disclosing this information and putting everyone at risk.

“ notified us about the attack method and possible vulnerability on April 20th and then promptly released this information on May 5th which does not give any vendor time to review tens or hundreds of thousands lines of code to hunt for possible vulnerabilities. And no time at all to fix, test and deploy updated versions of security products. This is very sad and very irresponsible."


Like this article? Please share on Facebook and give The Tech Herald a Like too!

From our Other Sites

Man Makes Tiny Edible Pancakes with Tiny Kitchen Tools (Video)

This Japanese guy cooks up some pancakes…nothing special there right? Well he uses tiny implements to do it and makes perfect little pancakes. Kinda cool and they look tasty!

What Color is this Dress?

White and Gold or Blue and Black?
Well this one has been trending all over the web, just what color is this dress? It all started in Scotland when the mother of a bride-to-be sent a picture to her daughter asking what she thought of the dress. The bride and groom each saw the image differently, this then got posted online and picked up by some viral sites. The lighting in photo is probably  causing different people to see it as either white and gold or blue and black. Prof Stephen Westland, chair of color science and technology at a University in the UK told the BBC that it was impossible to see what other people see but that it was most […]

McLaren 675LT Pictures

Some great shots of the forthcoming McLaren 675LT. This coupe will get you to 60mph in less than 2.9 second and go all the way to 205mph.

McLaren 675LT Details

McLaren’s 675LT will debut at this year’s Geneva show and promises some eye-popping performance. The coupe only 675LT has a 3.8 liter V8 that will get you from 0-60mph in less than 2.9 seconds and to 124mph in less than 7.9 secondsMore than a third of the parts have been changed compared with its stable mate […]

McLaren 675LT Wallpaper

Some cool McLaren 675LT Wallpaper. The McLaren 675LT is the latest coupe to come from the supercar maker and has a top speed of 205mph.Click on an image to open a page with multiple sizes that you can download to use as wallpaper for your mobile or desktop.More McLaren Wallpaper.

Octopus hunts on land, grabs crab (Video)

This crab is minding its own business searching the rock pools for food when suddenly an octopus leaps out of the water and grabs it. The amazing thing is that the octopus does not just jump on the crab it actually pulls it all the way back to the rock pool it came from. If you check the second video you will see it is not unknown for octopus to come out of the water and the one in the second video has a crab with it, though is not hunting one! Octopus Walks on Land at Fitzgerald Marine Reserve The video was taken by Porsche Indrisie in Yallingup, Western […]

Stunning Mars Rover Selfie

This image by the Curiosity Mars rover is not exactly your typical selfie. It is made up of a bunch of images taken by the rover during January 2015 by the Mars Hand Lens Imager. This (MAHLI) camera is at the end of the robot’s arm. For a sense of scale the rover’s wheels are about 20 inches diameter and 16 inches wide. Check the annotated image below for more information on the surroundings. Also if you really want to see some detail click this very large image, 36mb, at NASA.  

How the Sahara Helps Feed the Amazon (Video)

Sahara to Amazon
This cool video from NASA shows how dust is transferred across the Atlantic to the Amazon rainforest and helps nourish the plants growing there. For the first time scientists have measured the amount of dust and the amount of phosphorus in the dust. The later acts like a fertiliser and helps replenish the phosphorus the rainforest loses each year, around 22,000 tons. Amazing how something we perceive as being desolate like a desert actually has an important role in sustaining somewhere we see as teeming with life. Image and video from NASA’s Goddard Space Flight Center.

Bouncing Laser Guided Bomb (Video)

This amazing video shows a laser guided bomb bouncing back up after hitting its target. We actually think this is a non-explosive bomb designed to test guidance systems but it is still pretty remarkable and somewhat scary.

South Koreans Swallowed by Sinkhole (Video)

Thankfully the couple survived their adventure.
This amazing footage taken from the CCTV on a passing bus shows the moment two pedestrians in South Korea fall down a sinkhole in the street! Rescue workers managed to save the pair, who were treated in a nearby hospital for minor injuries. According to reports the city authorities and the Korean Geotechnical Society are looking into the cause.