Illusion Gap Attack Used to Bypass Windows Defender
This content has been archived
This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.
Summary
Affected platforms
The following platforms are known to be affected:
Threat details
The exploit requires a user to be lured into downloading a file from a malicious SMB (Server Message Block) server, a type of server commonly used to provide shared access to resources. When Defender scans a file on an SMB share, the file is requested from the server twice: once for Defender to scan and once for the Operating System (OS) to execute. The attack exploits this double request: the server returns a clean file in response to Defender's scan request, while the malicious file is returned to the Windows PE (Preinstallation Environment) Loader, which then runs it. The level of risk depends on whether the technique also works against other antivirus software. In the likely case that an organisation uses a different antivirus product, the exploit is essentially useless against it, provided that product is unaffected.
For an attack to succeed, the attacker must first get a user to download a malicious file. Strong social engineering is needed, because the user has to connect to an untrusted SMB server. Once Defender has scanned the clean copy, the malicious copy is given the green light to execute, since Defender treats the two copies as the same file. In theory, this exploit would allow any known malware to execute, assuming the attacker can get the file onto a user's system and then persuade them to run it.
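To make the gap concrete, the following is an added example (not taken from this alert or from the original research): a small Python model in which a stand-in share answers successive reads of one path with different bytes, showing why a scanner that re-fetches the file after scanning can be bypassed and why scanning the exact buffer that will be executed closes the gap. The share class, the block-list hash and the sample contents are all constructed for this example; no SMB or network code is involved.

```python
"""Model of the scan-then-refetch gap and the fetch-once pattern that closes it.

Added educational example; the share below is an in-memory stand-in, not a
real SMB server, and the block list holds one constructed test hash.
"""
import hashlib


class DoubleServingShare:
    """Constructed stand-in for a remote share that can answer successive
    reads of the same path with different content."""

    def __init__(self, responses):
        self._responses = list(responses)
        self.reads = 0

    def read(self, path: str) -> bytes:
        # Hand out the prepared responses in order, repeating the last one.
        idx = min(self.reads, len(self._responses) - 1)
        self.reads += 1
        return self._responses[idx]


# Constructed block list: a hash of a made-up test marker, not real malware.
TEST_MARKER = b"CONSTRUCTED-TEST-MARKER-DO-NOT-RUN"
KNOWN_BAD_SHA256 = {hashlib.sha256(TEST_MARKER).hexdigest()}


def scanner_verdict(content: bytes) -> bool:
    """Return True when the bytes are considered clean (hash not on the list)."""
    return hashlib.sha256(content).hexdigest() not in KNOWN_BAD_SHA256


def open_with_refetch(share: DoubleServingShare, path: str):
    """Vulnerable pattern: scan one copy, then fetch a second copy to execute.
    Returns the bytes that would reach the loader, or None if blocked."""
    if not scanner_verdict(share.read(path)):
        return None
    # Second read: the scanner never saw these bytes, so the server can differ.
    return share.read(path)


def open_fetch_once(share: DoubleServingShare, path: str):
    """Hardened pattern: fetch once, scan those exact bytes, and hand the same
    buffer to the loader, so nothing can be swapped between scan and execute."""
    content = share.read(path)
    if not scanner_verdict(content):
        return None
    return content
```

Running both functions against a share that serves a clean copy first and the marked copy second shows the first pattern passing the marked bytes through while the second only ever executes what was scanned.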
Remediation steps
Last edited: 17 February 2020 11:32 am