This article is getting a tremendous amount of coverage on social media right now: KHOBE – 8.0 earthquake for Windows desktop security software. Before you read the rest, a caveat: I am not an AV specialist, nor do I have deep knowledge of the details of our file system drivers and the Windows kernel. I am simply applying common sense to this attack:
Reading through the article, I certainly understand that publishing a table with almost every AV vendor flagged as “vulnerable” will drive some attention to your website and your work. That the table does not contain a single AV solution which is not vulnerable is a little strange to begin with (it just seems they forgot to mention a few), but it does make a lot of noise, which appears to be the goal here.
Now, applying common sense to what they did: my understanding is that you already have to own the box in order to run the attack; if I am not completely mistaken, you have to be admin to run it. So this is what I am supposed to be scared of: somebody who already owns my box, who is already admin on it, and whose most important next step is to run an attack that depends on getting the timing right, just to switch off my AV? Come on. If you are admin, you switch off the AV with a script or by hand, not with a complex race condition.
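The “timing” in this class of attack is a check-then-use race: a hook inspects a system-call argument that still lives in attacker-writable memory, the attacking thread swaps the argument after the check has passed, and the kernel then acts on the swapped value. The following is an added illustration, written for this post and not taken from the KHOBE paper or from any AV product: a deterministic user-mode simulation in Python that replays the gap with two threads and contrasts it with the obvious fix, capturing the argument into private memory before checking it and using only that copy afterwards. All names, the constructed target strings and the hand-off events are assumptions made for the simulation.

```python
"""Simulation of a check-then-use race on a hooked system-call argument.

This is an illustrative user-mode model, not kernel code: the "hook" is a
Python function, the "argument in user memory" is a shared bytearray, and the
preemption between check and use is forced with threading events so the race
is reproducible instead of probabilistic.
"""
import threading

# Constructed example data: the object the simulated security product protects.
BLOCKED_TARGET = b"\\Device\\SimulatedAvDriver"
HARMLESS_TARGET = b"\\Device\\SimulatedHarmless"


def hooked_syscall(args, gate=None, capture_first=False):
    """Model of a hook placed in front of a system call.

    args          shared, attacker-writable buffer holding the target name
    gate          optional pair of events used to hand control to the attacker
                  thread between the check and the use (forced preemption)
    capture_first if True, copy the argument into private memory first and use
                  only that copy (the fix); if False, re-read the shared buffer
    Returns (decision, target the "kernel" actually operated on).
    """
    # Vulnerable variant keeps a reference to attacker-owned memory;
    # fixed variant snapshots it into memory the attacker cannot touch.
    arg = bytes(args) if capture_first else args

    # --- check ---
    if bytes(arg) == BLOCKED_TARGET:
        return ("blocked", None)

    # Emulate the hook being preempted after the check but before the use.
    if gate is not None:
        gate["checked"].set()
        gate["swapped"].wait()

    # --- use --- : the real routine consumes the argument.
    return ("allowed", bytes(arg))


def attacker_swap(args, gate):
    """Attacker thread: wait until the check has passed, then swap the target."""
    gate["checked"].wait()
    args[:] = BLOCKED_TARGET          # overwrite the shared buffer in place
    gate["swapped"].set()


def run_race(capture_first):
    """Run hook and attacker concurrently on an initially harmless argument."""
    args = bytearray(HARMLESS_TARGET)
    gate = {"checked": threading.Event(), "swapped": threading.Event()}
    result = {}

    hook = threading.Thread(
        target=lambda: result.update(r=hooked_syscall(args, gate, capture_first)))
    attacker = threading.Thread(target=attacker_swap, args=(args, gate))
    hook.start()
    attacker.start()
    hook.join()
    attacker.join()
    return result["r"]


def direct_attempt():
    """No race: asking for the protected target outright is simply blocked."""
    return hooked_syscall(bytearray(BLOCKED_TARGET))


if __name__ == "__main__":
    print("direct request      :", direct_attempt())
    print("race, re-read buffer:", run_race(capture_first=False))
    print("race, captured copy :", run_race(capture_first=True))
```

Run stand-alone, the direct request is blocked, the racing variant that re-reads the shared buffer reports “allowed” for the protected target (the check passed on one value and the use saw another), and the variant that captured the argument first operates on the harmless value it actually checked. The practical takeaway is the same one the debate around the paper circles: the hook is only as good as the memory it checks, and none of this runs unless the attacker already executes code on the box.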
This is simple risk management. If the biggest risk in your security model is that an attacker who is already admin on a box runs this attack, I have to congratulate you. If not, well, let’s get back to the real problems we have to address.