11/10/2023
Windows update says i have trend micro

Tech's Volkswagen moment? Trend Micro accused of cheating Microsoft driver QA by detecting test suite (READ MORE)

One of the requirements is that, for security reasons, the driver requests memory only from the operating system's non-executable non-paged pool of available RAM. By doing this, exploits that attempt to run malicious code injected into a driver's memory via a vulnerability are hampered.

If the Trend Micro driver detects it's running on a computer undergoing WHQL testing, it requests from this specific non-executable pool as expected. However, if it doesn't detect the presence of Microsoft's driver verifier software, it draws from the executable non-paged pool, which is insecure and would cause it to fail the certification test. It is not clear why Trend's software does this; it may be because using the non-executable pool triggers bugs within its code.

The Register has verified Demirkapi's findings by reverse-engineering the driver code, specifically version 7. that shipped with Rootkit Buster. By default, it sets a variable at 0x18005aa4c to zero. This variable holds the pool type: zero being the executable non-paged pool. This variable is passed to the kernel whenever the driver allocates memory. Thus, the driver by default allocates from the executable non-paged pool, which would fail the certification test.

The function IsVerifierCodeCheckFlagOn() at 0x180030b23 checks the value of the registry key VerifyDriverLevel, which indicates whether Microsoft's driver certification test is running. If it cannot detect the verifier, it returns the value zero.

Figure: Reconstructed C from driver's machine code by Hopper, showing the check for Windows 10, or higher, and the verifier detection call.

If successful, it changes the pool type for the driver to 0x200, or 512, which is the non-executable pool.

We note that while the driver appears in other Trend Micro products, they may not necessarily be using the now-blocked driver, or may have received a suitable hot fix, and thus will continue working on Windows 10 20H1. A spokesperson for Trend was not available for immediate comment on the move to block the driver on Windows 10. Trend Micro has ignored our repeated requests for an explanation as to why its software altered its operation specifically while under test, though it insisted "at no time was the Trend Micro team avoiding certification requirements."

'A potential medium-level security issue'

Before the weekend, and after we noticed the Rootkit Buster software had disappeared from its website, a Trend spokesperson told us it removed the product after discovering an unidentified vulnerability: "While investigating claims in blog, our development teams identified a potential medium-level security issue and are working to ensure it is properly and quickly resolved. Out of an abundance of caution, we have taken down the current version of the tool from our site while we evaluate and remediate.

"As for the allegation that Trend Micro is somehow trying to work around Microsoft's certification process, we want to again make clear that this is indeed not the case and we are working closely with our partners at Microsoft to ensure that our code is in compliance with their rigorous standards."

That would suggest Trend Micro didn't intend to deliberately swerve Microsoft's certification checks. Demirkapi, and your humble vultures, remain puzzled, though, as to why the Rootkit Buster would need this WHQL detection code in the first place, even for testing or debugging purposes.

"It just doesn't make sense that they would add extra code and go out of their way to check for it," Demirkapi told The Register. "Why not use NonPagedPoolNx all the time for systems that support it? There is no reason I can think of.

"Trend Micro must be held accountable for their extremely questionable code. Trend Micro continues to deny my claims that they are cheating Microsoft's certification standards, but their lack of an explanation only reaffirms my position."
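As an added illustration, not the driver's code and not from the article, the allocation policy described in the analysis above is modelled in user-mode C beside the always-NonPagedPoolNx form Demirkapi asks for, together with the check a reviewer would apply: a pool policy that changes when Driver Verifier is present is exactly the test-dependent behaviour certification is meant to rule out. The struct env type and the questionable_/hardened_ function names are assumptions made here, and the POOL_NX_OPTIN opt-in mentioned in a comment is a WDK mechanism the article does not discuss.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* WDK POOL_TYPE values: NonPagedPool (0) is executable, NonPagedPoolNx (0x200 = 512) is not. */
#define NONPAGEDPOOL   0x000u
#define NONPAGEDPOOLNX 0x200u

/* Constructed model (hypothetical type, not the driver's) of what the driver inspects:
 * the Windows major version and whether Driver Verifier is active (VerifyDriverLevel). */
struct env {
    uint32_t windows_major;  /* 10 for Windows 10 */
    bool     verifier_on;    /* VerifyDriverLevel set, i.e. under WHQL test */
};

/* The pattern the article describes, modelled for comparison: the pool-type variable
 * starts at zero and is raised to NonPagedPoolNx only on Windows 10+ under the verifier. */
uint32_t questionable_pool_type(const struct env *e)
{
    uint32_t pool_type = NONPAGEDPOOL;             /* default: executable pool */
    if (e->windows_major >= 10 && e->verifier_on)  /* IsVerifierCodeCheckFlagOn()-style gate */
        pool_type = NONPAGEDPOOLNX;                /* 0x200 only while observed */
    return pool_type;
}

/* Hardened form, answering Demirkapi's question: always request NonPagedPoolNx where the
 * OS supports it (the driver's own Windows 10 check is reused as the support test), with
 * no dependence on the verifier. A real driver gets this by opting in via POOL_NX_OPTIN. */
uint32_t hardened_pool_type(const struct env *e)
{
    return e->windows_major >= 10 ? NONPAGEDPOOLNX : NONPAGEDPOOL;
}

/* Reviewer's check: evaluate a policy with the verifier on and off; any difference means
 * behaviour under test is not behaviour in the field. */
bool policy_depends_on_verifier(uint32_t (*policy)(const struct env *), uint32_t windows_major)
{
    struct env observed   = { windows_major, true  };
    struct env unobserved = { windows_major, false };
    return policy(&observed) != policy(&unobserved);
}

int main(void)
{
    printf("questionable policy depends on verifier: %d\n", policy_depends_on_verifier(questionable_pool_type, 10));
    printf("hardened policy depends on verifier:     %d\n", policy_depends_on_verifier(hardened_pool_type, 10));
    return 0;
}
```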