Deceptive Bytes found detection issues in Symantec Endpoint Protection

In previous posts we explained that traditional Anti-malware software is not working anymore and we gave tips on how to improve your security with non-security tools.

But why is your Anti-malware not enough? One of the reasons is that it doesn’t handle changes too well (which is common knowledge among security experts).

Background

Malware uses different tricks to prevent its detection, or at least delay it as much as possible:

  • Polymorphic code (a way to change the code but keep its algorithm intact) to create many “different” samples that behave the same but are identified differently by Anti-malware software
  • Evasion, i.e. different tactics malware uses to check whether it is being tested by security systems and researchers
  • Different types of files, such as documents, used to infect endpoints, e.g. malicious macros in Microsoft Office documents
  • and the list goes on…

Test-case: Symantec Endpoint Protection

Symantec is a veteran and one of the largest security firms in the world. Its endpoint suite for businesses, “Symantec Endpoint Protection” (SEP), is one of the most used solutions worldwide and includes both traditional anti-virus capabilities and machine learning & behavioral analysis (according to their website).
Still, it suffers from missed detections, and there are ways malware authors can bypass its engine.

 

Malicious Macros

We started off easy by trying to tackle SEP with Pafish-Macro, a malicious document demonstration by JoeSecurity that employs evasion techniques in Microsoft Office documents.

As seen in the video, SEP blocked the download attempt from its origin but failed to detect the macro when we ran it from a newly created document.
This indicates that SEP only identifies the original file specifically and cannot detect any of its variants.

Rebuilding code #1

Our second test was Al-Khaser, a known demonstration program of malware behavior and evasion techniques.

While SEP detected the original build from the author, it failed to detect it as malicious when we built it from the source code, and SEP allowed it to execute without interruption. Since Al-Khaser employs malicious techniques used by malware, threat actors could potentially bypass SEP’s engine easily by recompiling their code (using different compilers, different compiler versions or modifying other attributes that are used to identify a file as malicious).

Rebuilding code #2

In our third test we used a regular, legitimate executable for which we have the source code and which we can recompile.

SEP falsely recognizes the original file as malicious and quickly blocks its execution. At the same time SEP causes high CPU spikes, limiting and slowing other operations on the endpoint.
When we recompiled the source code, the newly created executable was not detected as malicious and was allowed to run uninterrupted, similarly to Al-Khaser.

Symantec’s response

Symantec was quick to respond and claimed that these are simple cases of false-positives and false-negatives and that they have fixed the issues.

Updated Results

From our updated tests:

  • Symantec’s engine still doesn’t recognize new builds of Al-Khaser (both x86 and x64)
  • It detects new documents of Pafish-Macro, but only if the code has not been modified (even changing whitespace prevented its detection)
  • Symantec did however fix the false-positive
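
The whitespace result above can be reproduced in miniature. The following is an added illustration, not code from the original post and not a description of how Symantec's engine works: it compares an exact-content fingerprint with one computed over normalized VBA source. The two macro samples are constructed and harmless, and the names `raw_fingerprint`, `normalize` and `normalized_fingerprint` are hypothetical.

```python
import hashlib
import re

# Constructed sample: a harmless VBA macro (not Pafish-Macro).
ORIGINAL = '''Sub AutoOpen()
    Dim msg As String
    msg = "hello"
    MsgBox msg
End Sub
'''

# Constructed variant: same statements; only spacing, letter case and a comment differ.
VARIANT = '''Sub  AutoOpen( )
\tDim   msg  As String   ' added comment

    MSG = "hello"
    MsgBox    msg
End Sub
'''

# Alternatives are tried in order: string literal, comment, identifier, number, other symbol.
TOKEN = re.compile(r'''"(?:[^"]|"")*"|'[^\n]*|[A-Za-z_]\w*|\d+|\S''')


def raw_fingerprint(source: str) -> str:
    """Exact-match fingerprint: any byte change produces a new value."""
    return hashlib.sha256(source.encode("utf-8")).hexdigest()


def normalize(source: str) -> str:
    """Reduce VBA source to a canonical token stream (hypothetical helper)."""
    tokens = []
    for tok in TOKEN.findall(source):
        if tok.startswith("'"):
            continue  # drop comments
        # String literals are kept verbatim; VBA keywords and names are
        # case-insensitive, so everything else is lowercased.
        tokens.append(tok if tok.startswith('"') else tok.lower())
    return " ".join(tokens)  # whitespace and line breaks collapse to one space


def normalized_fingerprint(source: str) -> str:
    """Fingerprint that survives whitespace, case and comment edits."""
    return hashlib.sha256(normalize(source).encode("utf-8")).hexdigest()


if __name__ == "__main__":
    print("raw match:       ", raw_fingerprint(ORIGINAL) == raw_fingerprint(VARIANT))
    print("normalized match:", normalized_fingerprint(ORIGINAL) == normalized_fingerprint(VARIANT))
```

Normalization of this kind only absorbs cosmetic edits to macro source; a recompiled binary, as in the Al-Khaser tests, changes far more than formatting and needs other signals.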

Conclusion

While these specific issues were [partially] fixed, the inherent problem is far from solved and is not limited to a specific engine; even machine learning and AI capabilities do not necessarily compensate where signatures are lacking.
With services like VirusTotal, one can easily find malware that goes undetected even after long periods and by known vendors (including next-gen ones), e.g. NotPetya, Kryptik ransomware, etc…
As threats are evolving, old Anti-malware engines cannot stop unknown and sophisticated attacks without new technologies and different tactics.