Security News > 2024 > April > Researchers claim Windows Defender can be fooled into deleting databases

BLACK HAT ASIA Researchers at US/Israeli infosec outfit SafeBreach last Friday discussed flaws in Microsoft and Kaspersky security products that can potentially allow the remote deletion of files.

Speaking at the Black Hat Asia conference in Singapore, SafeBreach's VP of Security Research Tomer Bar and security researcher Shmuel Cohen explained that Microsoft Defender and Kaspersky's Endpoint Detection and Response can be made to detect false positive indicators of malicious files - and then to delete them.

The attack relies on the fact that Microsoft and Kaspersky use byte signatures - unique sequences of bytes in file headers - to detect malware.

The researchers found in their experience that the file deletion by EDR was irreversible from within the security tools - restoring data meant reverting to backups.

The tech giant cited Microsoft Security Servicing Criteria for Windows, stating a "Bypass of a defense-in-depth security feature by itself does not pose a direct risk as an attacker must also have found a vulnerability that affects a security boundary or they must rely on additional techniques such as social engineering to achieve the initial stage of a device compromise."

Microsoft's position is that users can block the attack vectors through means such as putting files in protected folders that Defender won't touch, changing configurations, and other mitigations.

News URL

https://go.theregister.com/feed/www.theregister.com/2024/04/22/edr_attack_remote_data_deletion/