2 min

Attacks on Windows Defender and Kaspersky EDR allow remote file deletion. Even after patches, hackers can still exploit these tools’ vulnerabilities.

In a presentation at Black Hat Asia, security firm SafeBreach revealed that Windows Defender and Kaspersky EDR are vulnerable to remote-access attacks that can delete files from affected systems.

The security tools can be manipulated to mistake legitimate files for false positives or malicious files and then delete them. However, cybercriminals must first have access to the files and/or databases to do this.

Afbeelding met een boekomslag met de titel "edr = erase data remotely" van tomer bar en shmuel cohen, waarop een robot is afgebeeld met een rode "reloaded"-stempel erboven.

Attack Strategy

The attack is possible due to the byte signatures. Microsoft’s Windows Defender and Kaspersky EDR use these unique sequences of bytes to detect malware.

When hackers manage to introduce incorrect byte signatures into the underlying databases, the security tools detect potential malware and remove the files without “knowing” that they are legitimate files to which the byte signatures have been added.

In one test, security researchers used a rogue byte signature they found on VirusTotal. They put this into a database by creating a new username that contained the rogue byte signature.

The EDR program used (the researchers focused here on Windows Defender) then determined that the database was infected with malware and, therefore, deleted the manipulated file.

From this, the researchers concluded that security software can do this to entire databases and VMs as well, thus having major consequences. Ultimately, this could have major implications for the operation of various applications that depend on databases.

The study explicitly focused on Windows Defender because the vulnerability may have major implications for Azure cloud environments.

Reactions Microsoft and Kaspersky

The researchers already notified Microsoft of the vulnerability early last year. The tech giant released a patch in April 2023. Nevertheless, Windows Defender was still vulnerable to another byte signature that SafeBreach discovered in August 2023.

Again, the tech giant was notified, and the issue was fixed in December last year. The researchers warned Microsoft a third time, but Microsoft indicated that all measures taken were sufficient to minimize the risk.

Kaspersky did not initially release a fix for its EDR product. However, a patch that addressed the problem was released later. SafeBreach’s security experts give no assurance that this measure is sufficient to prevent further byte signature attacks.

Incidentally, not only Microsoft and Kaspersky’s platforms are susceptible to EDR manipulation. Palo Alto Networks’ Cortex XDR platform also appears to be susceptible to this, SafeBreach’s security experts discovered.

Also read: Microsoft test sandbox for Windows Defender