winsiderss / systeminformer

A free, powerful, multi-purpose tool that helps you monitor system resources, debug software and detect malware. Brought to you by Winsider Seminars & Solutions, Inc. @ http://www.windows-internals.com
https://systeminformer.sourceforge.io
MIT License

Avast detects the driver as vulnerable #1908

Closed DavidOsipov closed 5 months ago

DavidOsipov commented 9 months ago

Brief description of your issue

Avast detects the SystemInformer driver as vulnerable and blocks it. Given that Avast, Norton, Avira, and AVG are all part of the Gen Digital conglomerate, this vulnerability issue might also extend to these other antivirus products.

Steps to reproduce (optional)

  1. Have Avast and SystemInformer installed
  2. Go to Options in SystemInformer and turn on "Enable kernel-mode driver"
  3. Restart SystemInformer

Expected behavior (optional)

No error screens and AV detections, the driver is working

Actual behavior (optional)

Avast detection screen ![vulnerable_driver](https://github.com/winsiderss/systeminformer/assets/38164582/ad648199-9566-44f3-8e05-7f83c17eafe9)
SystemInformer error ![vulnerable_driver_2](https://github.com/winsiderss/systeminformer/assets/38164582/541ad0a7-e29f-408d-b29a-8b7742b75d1a)

Environment (optional)

System Info

```
------------------
System Information
------------------
Time of this report: 11/24/2023, 13:13:06
Machine name: ---
Machine Id: {---}
Operating System: Windows 11 Pro 64-bit (10.0, Build 22631) (22621.ni_release.220506-1250)
Language: English (Regional Setting: Russian)
System Manufacturer: HUAWEI
System Model: KLVL-WXXW
BIOS: 1.09 (type: UEFI)
Processor: AMD Ryzen 5 5500U with Radeon Graphics (12 CPUs), ~2.1GHz
Memory: 16384MB RAM
Available OS Memory: 15722MB RAM
Page File: 13224MB used, 8386MB available
Windows Dir: C:\Windows
DirectX Version: DirectX 12
DX Setup Parameters: Not found
User DPI Setting: 144 DPI (150 percent)
System DPI Setting: 144 DPI (150 percent)
DWM DPI Scaling: UnKnown
Miracast: Available, with HDCP
Microsoft Graphics Hybrid: Not Supported
DirectX Database Version: 1.4.7
DxDiag Version: 10.00.22621.0001 64bit Unicode
```

AV: Avast Premium Security 23.11.6090 - build 23.11.8635.809 Virus definitions - November 24, 2023 (version 23.11.23-12)

jxy-s commented 9 months ago

Have you reported this to Avast?

DavidOsipov commented 9 months ago

> Have you reported this to Avast?

No, I'm unsure whether it's a false positive

jxy-s commented 9 months ago

The driver is attestation signed by Microsoft. You can also verify the hash matches the checked in file https://github.com/winsiderss/systeminformer/tree/master/KSystemInformer%2Fbin-signed. If so, it is a false positive.
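The check described above, as an added PowerShell example (not code from the System Informer project or from anyone in this thread): hash the installed driver, compare it with the copy you computed from the repo's KSystemInformer/bin-signed folder, and confirm the Authenticode chain is a Microsoft attestation signature. The driver path and the reference hash are assumptions/placeholders to fill in for your own install.

```powershell
param(
    # Installed driver path (assumed default location; adjust for your install).
    [string]$DriverPath = "$env:ProgramFiles\SystemInformer\SystemInformer.sys",
    # SHA-256 of the same build in the repo's KSystemInformer/bin-signed folder,
    # computed by you with Get-FileHash on a fresh clone. PLACEHOLDER value.
    [string]$ReferenceHash = "<sha256-of-bin-signed-copy>"
)

if (-not (Test-Path -LiteralPath $DriverPath)) {
    throw "Driver not found at $DriverPath"
}

# 1. Hash the installed binary and compare with the checked-in signed copy.
$localHash   = (Get-FileHash -LiteralPath $DriverPath -Algorithm SHA256).Hash
$hashMatches = $localHash -eq $ReferenceHash.ToUpperInvariant()

# 2. Inspect the Authenticode signature. Attestation-signed drivers are signed
#    with Microsoft's "Windows Hardware Compatibility Publisher" certificate.
$sig = Get-AuthenticodeSignature -LiteralPath $DriverPath
$signerSubject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
$isMsAttested  = ($sig.Status -eq 'Valid') -and
                 ($signerSubject -like '*Windows Hardware Compatibility Publisher*')

# 3. Summarise what was found so the result can be attached to a vendor report.
[pscustomobject]@{
    Driver            = $DriverPath
    Sha256            = $localHash
    HashMatchesRepo   = $hashMatches
    SignatureStatus   = $sig.Status
    Signer            = $signerSubject
    MicrosoftAttested = $isMsAttested
}

if ($hashMatches -and $isMsAttested) {
    Write-Host 'Binary matches the published signed build: treat the AV alert as a false positive and report it to the vendor.'
} else {
    Write-Warning 'Hash mismatch or signature problem: do not load this driver; obtain a fresh copy from the official release.'
}
```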

DavidOsipov commented 9 months ago

Recently an attack technique called bring your own vulnerable driver (BYOVD) emerged. The driver can have a digital signature but still contain vulnerabilities, which can open doors to attackers. More info: https://cybernews.com/security/bring-your-own-vulnerable-driver-attack/

Thus the driver having a digital signature doesn't mean it is not a vulnerable one. In order to somehow mitigate the issue, Microsoft has their own vulnerable driver blocklist. It might be that Gen Digital found a vulnerability in the SystemInformer driver and is blocking it.

jxy-s commented 9 months ago

Avast (or anyone) needs to report vulnerabilities to us by following our Security Policy and do so with responsible disclosure in mind. We have not received any information on vulnerabilities in our software. So, as I see it, this is a false positive.

My recommended steps are to report this to Avast as a false positive and request they follow responsible disclosure per our security policy.

DavidOsipov commented 9 months ago

That's weird from Avast, I thought they at least managed to report. Ok, I've reported this incident to them, but I guess if more people would do the same, Avast would react faster. For now, I'll wait for their answer.

DavidOsipov commented 9 months ago

4 days have passed - nothing has changed.

DavidOsipov commented 9 months ago

Received an answer:

image

Can't figure out how to interpret it. I'll just invite them to this issue.

Masamune3210 commented 9 months ago

That is fear-mongering and nothing more. They refuse to fix the tool, instead trying to push the user to "make the right decision"

They haven't changed a bit I see....

jxy-s commented 9 months ago

> Avast Premium Self-Defense module that protects the application installation from deactivation or uninstallation.

"Vulnerable Driver" is a poor classification (or choice) for protecting their software from deactivation or uninstallation. System Informer cannot terminate their software without appropriate user privilege to do so.

image

I guess they're concerned about our ability to terminate their UI processes?

DavidOsipov commented 9 months ago

The customer support professional was helpful and he suggested I upload logs to Avast servers, hoping their engineers would state the exact reason the driver is vulnerable. Wait mode activated:

image

pokanoka commented 9 months ago

I can give some insight on this issue. From the other side.

While many malware analysts are competent, and some are quite exceptional, the bulk of them are just simple, overworked people. They can open IDA Pro, but often can't code at all, and often can't find any vulns either. Some of them manually analyze hundreds of samples each day. So they just have no time to properly analyze the driver of some obscure product called "SystemInformer" and confirm whether it's vulnerable or not. But they do have the "ProcessHacker" driver in their database, which they already detect as vulnerable. So when the AV system receives "SystemInformer.sys", it gets matched by similarity to "ProcessHacker.sys". And then either a new signature gets generated automatically as "ProcessHacker.VulnDrv.12345", or an analyst receives a ticket to make a decision (since the driver has a valid signature after all). And if it so happens that the analyst who picked up the ticket is overworked, he won't bother truly checking the driver. He'll just see the current similar binary, google strings from its version info, and make the hasty decision "ah, it's just renamed ProcessHacker which can terminate our process". Voilà, you get the detect.

Some analysts from other AVs will also check detections from their competitors. "Ah, this product detects it with non-generic, precise name 'SystemInformer', so they must have analyzed the binary and confirmed it's vulnerable. Let's detect it too". And so the detection proliferates.

Of course, this behavior of AV companies is unacceptable. To solve the issue, you must push them pretty hard and as early as possible. Ask them to add the driver to the exclusions (providing a short explanation of the situation and the difference between the PH and SI drivers). You may even have to hint at the possibility of suing the AV company because of reputational damages.

DavidOsipov commented 9 months ago

Today I've received the answer :)

image

The problem is still not fixed on my side, but 24 hours haven't passed yet. Once the problem is fixed, I'll let you know.

DavidOsipov commented 9 months ago

I can confirm that Avast no longer blocks the driver from execution. It can't be run still because it isn't compatible with Windows 11 23H2, but that'll be fixed by the maintainers. I'll close the issue tomorrow, or any maintainer can feel free to close it as resolved.

DavidOsipov commented 9 months ago

Once I updated the SystemInformer to version 3.0.7407, the issue reappeared. I've sent a message to Avast.

jxy-s commented 9 months ago

> Once I updated the SystemInformer to version 3.0.7407, the issue reappeared. I've sent a message to Avast.

The timing was unfortunate, we just released an updated driver. They likely have some rule that is auto-adding new driver builds that needs to be removed. Thanks for continuing to chase this @DavidOsipov. I greatly appreciate your persistence.

DavidOsipov commented 9 months ago

Can't just drop this :) I have been using Process Hacker for more than 7-8 years and find it one of the most useful tools out there. I want them to fix this once and for all.

Masamune3210 commented 9 months ago

Unfortunately, you are swimming up river in this instance. AV manufacturers have a history with this: getting issues fixed only to have to start over the second a new release of an open source project comes out. Emulators and drivers especially fight with it constantly. I wish you luck though.

DavidOsipov commented 8 months ago

New answer from Avast puzzles me a bit:

image

The driver itself is signed by Microsoft, I guess they've checked the safety of the driver before signing it, so why should it block it?

Any ideas on how to resolve it? @jxy-s @Masamune3210

jxy-s commented 8 months ago

> The driver is subverting Windows security model by allowing privilege access to kernel objects on behalf of the user.

This statement lacks adequate information. What is being subverted in the Windows security model? I will not speculate on what the person behind this statement means. Given the information provided, I can only respond broadly.

The Windows security model itself allows privileged access to kernel objects on behalf of the user. Everything the driver does can already be achieved natively or using other tools provided by Microsoft. Per the Windows security model, the driver has privilege checks to ensure the calling process has adequate rights to perform the actions requested by the user. We are even more restrictive than usual. We have extended security checks in place that go beyond what is natively provided by the operating system. From our documentation, "Access is strictly limited to verified callers. Access is restricted based on the state of the calling process. This involves signing, privilege, and other state checks. If the client does not meet the state requirements, they are denied access."

> The original driver kprocesshacker.sys is blocked even by Microsoft, but Microsoft didn't block the new one yet. However, this new driver contains the same issue as the old one, so Avast blocks it.

This is not an accurate statement. This indicates to me that they have not taken the time to understand the topic.

We have not been notified of any vulnerabilities in the driver by Microsoft or any other party. If Avast is aware of a vulnerability, we ask that they follow the security policy here. We have been in communication with Microsoft on multiple subjects, and I have seen no intent from Microsoft to "block the new one." The interactions we've had with Microsoft indicate the opposite.

> Any ideas on how to resolve it?

My recommendation is to encourage Avast to provide a vulnerability report to the maintainers following the policy here. Beyond that, take Avast's own recommendation to disable their driver-blocking feature.

Masamune3210 commented 8 months ago

I wouldn't get your hopes up for Avast actually putting any actual effort into doing their job correctly. It's much easier to block things and move on, it's not like they get paid or that this is their whole job or anything....oh wait

fade2gray commented 8 months ago

@jxy-s Can I point out that double-negatives can cause confusion:

> Nothing the driver does cannot already be achieved ...

"Everything the driver does can already be achieved ...", perhaps?

jxy-s commented 8 months ago

> @jxy-s Can I point out that double-negatives can cause confusion:
>
> > Nothing the driver does cannot already be achieved ...
>
> "Everything the driver does can already be achieved ...", perhaps?

Sure, I've edited my statement with your suggestion, thanks.

DavidOsipov commented 8 months ago

I meant how to resolve it in a way to convince them to reconsider the driver as vulnerable or provide detailed info about the vulnerability. I'll send them your text hoping they would provide meaningful info.

diversenok commented 8 months ago

Apparently they assume that KSystemInformer.sys is just a renamed version of KProcessHacker.sys, which is wrong. They should definitely reevaluate their judgement.

jxy-s commented 8 months ago

> I meant how to resolve it in a way to convince them to reconsider the driver as vulnerable or provide detailed info about the vulnerability. I'll send them your text hoping they would provide meaningful info.

You're also welcome to include me in the emails if you think it's appropriate.

pokanoka commented 8 months ago

I think you might need to put more aggression in your communication with Avast. So far it goes via the https://github.com/winsiderss/systeminformer/issues/1908#issuecomment-1848170220 scenario. Their support makes a ticket, the ticket finds a reflex-driven analyst who doesn't care and doesn't want to spend even 3 minutes on the issue, so it just compares the similarity score with existing binaries in their db. So it's not even Avast's official stance, it's just an unlucky ticket roll to a single wrong analyst.

You may try to appeal to the support with an explicit request for the issue to be handled by a senior malware analyst. You might have to threaten with escalation to the company's higher-ups and even legal action. In fact, some adware companies got the detections of their binaries [wrongly] removed just by employing aggressive tactics.

Also don't hesitate to repeatedly restate main points in your further communications with Avast, because previous messages may not reach the analyst who'll be doing reevaluation. But try to be brief, they don't like to read:

JeeveStobs commented 8 months ago

Any timeline or ETA from Avast when this false positive will be corrected?

DavidOsipov commented 8 months ago

@pokanoka thank you for the suggestion. I guess I'll use your advice quite soon, because Avast hasn't replied to me yet

@JeeveStobs they think there is no problem, I think there is. Once they acknowledge the issue I'll ask them for an ETA. But for now, we have to convince them the driver is not vulnerable. And I think we have much stronger arguments than they do.

DavidOsipov commented 8 months ago

Checked on them once again - I need estimates or ETA on the estimates at least.

DavidOsipov commented 7 months ago

Avast successfully ignored my 4 letters. I will still ping them nevertheless

Masamune3210 commented 7 months ago

They aren't going to change it because they do not care. Avast, and most other companies in the anti-virus/anti-malware business, are so far up their own arses that getting them to ever admit they are wrong is a miracle in and of itself, forget actually getting them to do something about it

dmex commented 7 months ago

> so far up their own arses that getting them to ever admit they are wrong is a miracle in and of itself, forget actually getting them to do something about it

This is what we had 6 months ago:

https://www.virustotal.com/gui/file/69527aa5ad089d9731e0054a32c9626a8d25416664f8d9b444bec674ba695ad5/detection

first

This is what we have today:

https://www.virustotal.com/gui/file/96a37b18ede4b5bc616822c023b1b8cd85b3a76b205229701e21d75ea101b57c

second

You'd be surprised with some of the work and discussions behind the scenes. @jxy-s and I have been receiving positive feedback from vendors and no failures 🥳

> we have to convince them the driver is not vulnerable

A security vendor is supposed to determine if something was vulnerable without a pinkie swear promise?

They have an agreement with Microsoft for submission and sharing of samples/exploits/vulnerabilities and other information... Microsoft would immediately block our binaries if they have evidence of a vulnerability but we've heard nothing from Microsoft and this thread was created almost 5 months ago.

The more this drags on, the more it becomes an issue for Microsoft because they've been doing these reports and audits, allowing us to sign kernel drivers and other things, while Avast keeps claiming there are vulnerabilities, and it goes against the quality of work and auditing by the MSRC - Clearly Microsoft's audits were very poor, knowingly signing kernel code with vulnerabilities and a risk to millions of devices?

Avast can confirm with Microsoft if their vulnerability is valid - Microsoft would notify us via the partner portal.

Masamune3210 commented 7 months ago

> so far up their own arses that getting them to ever admit they are wrong is a miracle in and of itself, forget actually getting them to do something about it

> You'd be surprised with some of the work and discussions behind the scenes. @jxy-s and I have been receiving positive feedback from vendors and no failures 🥳

I am, indeed, surprised. I'm glad that you guys are actually able to talk to a person for once, considering the alternative is usually either a bonehead or a support bot

instantsc commented 6 months ago

@dmex is this detection change just a result of talking it out individually with each product's team or were there some code changes that helped as well? Interested what those might be if any.

DavidOsipov commented 6 months ago

Hey guys! I was completely ignored in the previous support ticket so I've created a new one. Will try one more time

DavidOsipov commented 6 months ago

Ok, now I'm pissed - I've asked them for ETA on their response a week ago!! Shit, I've been a product manager in a B2B company and even my guys haven't ignored customers like this. I've sent them my angry letter.

Text of the letter

Dear Avast Customer Support,

I am writing to express my extreme dissatisfaction with the lack of progress and communication regarding a false positive detection issue I have been experiencing with Avast. This issue has now spanned across two separate tickets (#20139964 & #20661075) and has resulted in a complete breakdown of trust in your customer support process.

**Background:**

- My initial ticket (#20139964) detailed Avast incorrectly flagging the SystemInformer driver as vulnerable. This driver has undergone rigorous checks by Microsoft and holds a WHCP certification, indicating its safety.
- Despite 5 or 6 attempts to revive the conversation on ticket #20139964, I received no response from Avast support.
- I subsequently opened a new ticket (#20661075) to address the same issue and provided all requested information, including logs and details about the driver's legitimacy.

**Current Situation:**

- It has been a week since my last communication on ticket #20661075, with no response or update regarding the status of the investigation.
- This lack of communication is unacceptable, especially considering I am a paying Avast Home customer.

**My Concerns:**

- Avast's false positive detection is hindering the functionality of a legitimate driver, certified by Microsoft.
- The lack of investigation into this issue prevents the developers of SystemInformer from addressing the (non-existent) vulnerability or informing Avast to remove the false positive flag.
- Avast's silence implies a disregard for both my time and the security implications of this faulty detection.

**Desired Outcome:**

1. Immediate Update: I demand an immediate update on the status of both tickets (#20139964 & #20661075).
2. Thorough Investigation: Avast needs to conduct a thorough investigation into the alleged vulnerability of the SystemInformer driver.
3. Clear Communication: I expect clear and consistent communication throughout the resolution process. This includes:
   - Confirmation that Avast has contacted Microsoft regarding the driver's legitimacy.
   - Details on the steps Avast will take to resolve the false positive detection.
   - A timeframe for when this issue will be definitively addressed.

**Consequences of Inaction:**

A continued lack of response will force me to consider alternative antivirus solutions and pursue public avenues to share my experience, including online reviews and relevant forums.

I trust that Avast will prioritize addressing this issue with the seriousness it deserves. I look forward to your prompt reply and a swift resolution.

Sincerely,
David Osipov

Masamune3210 commented 6 months ago

my previous point stands firm

DavidOsipov commented 6 months ago

@Masamune3210 Yes, but I just can't give up - tomorrow I'll open a new support ticket and will keep opening them until they reply. It's just a huge disrespect from their side.

DavidOsipov commented 6 months ago

Opened a third ticket.

Opening text ![image](https://github.com/winsiderss/systeminformer/assets/38164582/ef31a4d9-3468-436a-a2b8-bf1631a7ac6a)

Masamune3210 commented 6 months ago

I guarantee that you will get no answer, you will find another AV solution, and 5 months to a year from now, you will get a email out of the blue saying that they are sorry they took so long to get back to you and that the issue has been fixed in the latest update that definitely totally doesn't completely not fix the issue they promise

DavidOsipov commented 6 months ago

You're right - they haven't even answered in the new one. Tomorrow will try through their chat support, not an email one. But that's just a facepalm

DavidOsipov commented 5 months ago

I've contacted them via Customer Support chat, asked their manager to contact me immediately and... no response!! 2 days have passed. They are great at ghosting

dmex commented 5 months ago

I'm closing as resolved since there's no detections from Avast 🤷‍♂️

image

JeeveStobs commented 5 months ago

Great success!

DavidOsipov commented 5 months ago

@dmex @JeeveStobs

Not really

image

Masamune3210 commented 5 months ago

Make sure your definitions are up to date. They may just not have pushed them out to the general release channel yet

DavidOsipov commented 4 months ago

Screenshot 2024-04-29 100513

Love how they do their business. @Masamune3210 @jxy-s @pokanoka

That is their response to my text:

If the driver is vulnerable and Avast hasn't sent the info to Microsoft and the devs of the driver, I'd like to know the details of the vulnerability in order to handle this data to the devs of the driver.

Masamune3210 commented 4 months ago

I told you.