Windows 10: Tricking antivirus solutions into deleting the wrong files on Windows

Discussion in 'Windows 10 News' started by GHacks, Dec 11, 2022.

  1. GHacks
    GHacks New Member

    Tricking antivirus solutions into deleting the wrong files on Windows


    Security researcher Or Yair discovered a method to trick antivirus and endpoint security solutions into deleting legitimate files on Windows systems. Yair found out that he could manipulate endpoint detection and response and antivirus programs so that these programs would function as data wipers on Windows devices.

    [Image: Prompt for Reboot. Source: SafeBreach Labs]

    The discovered security issue can be exploited from unprivileged user accounts to delete system files and other files the user has no delete permissions for. The exploit could be used to remove important files from a system and this could result in an unbootable system or a system that lacks certain functionality.

    Classified as a data wiper, a class of malware designed to erase data on computer systems, its main purpose is destruction. Wipers are commonly used in cyber warfare, often to support physical aggression or to target the enemy's infrastructure.

    Wipers need to bypass certain protections, including those provided by a user permission system but also defenses that are in place to protect against unauthorized deletions of files. Additionally, to make sure that files can't be recovered, wipers need to overwrite file contents.

    Endpoint security and antivirus solutions would make excellent file wipers, if security issues could be exploited to use their privileges and capabilities. Yair had several ideas in this regard, but most were not practicable. Some required elevated privileges, others write access to the files in question.

    The main idea that he came up with was to create a malicious file in a temporary directory, and to redirect it to an important file on the system between the time the security solution detected the threat and deleted it. This method did not work out as planned initially, as some security solutions prevented access to detected files while others detected the deletion of the file and dismissed the pending action.

    Yair's solution was to keep the file open, so that it could not be deleted by the security solutions right away. The security programs would prompt for a reboot in that case so that the malicious file could be accessed and deleted. Files are added to a specific key in the Registry, so that Windows knows what to delete during the boot phase. Yair discovered that the deletion process would follow junctions, created to point the delete operation to a legitimate file.

    In other words, all it took to delete legitimate files on Windows was the following:

    1. Create a malicious file on the system using a special path.
    2. Hold it open so that security solutions can't delete it.
    3. Delete the directory.
    4. Create a junction that points from the deleted directory to another.
    5. Reboot.

    Yair tested 11 different security and endpoint solutions. Six of these were vulnerable to the file wiping exploit, including Microsoft Defender, Microsoft Defender for Endpoint, Avast Antivirus, SentinelOne EDR and TrendMicro Apex One. Microsoft, TrendMicro and Avast/AVG released updates already to address the issue.

    Now You: which security solution(s) do you use? (via Bleeping Computer)

    Thank you for being a Ghacks reader. The post Tricking antivirus solutions into deleting the wrong files on Windows appeared first on gHacks Technology News.

    GHacks, Dec 11, 2022
    #1
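
A defensive check for the junction-following behaviour described in the post above, as an added example that is not part of the original thread: it lists boot-time deletions whose path passes through a junction or symlink. It assumes the deletion is queued in the standard `PendingFileRenameOperations` value under `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager`, which the post does not name; all function names are hypothetical.

```python
import os
import sys

NT_PREFIX = "\\??\\"     # NT namespace prefix used on queued paths
REPARSE_POINT = 0x400    # FILE_ATTRIBUTE_REPARSE_POINT (junctions, symlinks)

def pending_deletes(entries):
    """Entries come in (source, target) pairs; an empty target means delete."""
    pairs = zip(entries[0::2], entries[1::2])
    return [s[len(NT_PREFIX):] if s.startswith(NT_PREFIX) else s
            for s, target in pairs if target == ""]

def is_redirect(path):
    """True if path is a junction or symlink (a reparse point on Windows)."""
    try:
        st = os.lstat(path)
    except OSError:
        return False
    attrs = getattr(st, "st_file_attributes", 0)   # attribute exists on Windows only
    return os.path.islink(path) or bool(attrs & REPARSE_POINT)

def redirected_parents(path):
    """Parent directories of path that redirect to another location."""
    hits, parent = [], os.path.dirname(os.path.abspath(path))
    while True:
        if is_redirect(parent):
            hits.append(parent)
        up = os.path.dirname(parent)
        if up == parent:        # reached the drive or filesystem root
            return hits
        parent = up

def audit(entries):
    """Map each queued delete to the redirecting directories on its path."""
    found = {p: redirected_parents(p) for p in pending_deletes(entries)}
    return {p: hits for p, hits in found.items() if hits}

def read_queue():
    """Windows only. Assumes winreg keeps empty strings in REG_MULTI_SZ data."""
    import winreg
    key = r"SYSTEM\CurrentControlSet\Control\Session Manager"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as k:
        try:
            return winreg.QueryValueEx(k, "PendingFileRenameOperations")[0]
        except FileNotFoundError:
            return []

if __name__ == "__main__":
    # Off Windows, fall back to a constructed single-entry queue.
    constructed = [NT_PREFIX + "C:\\Temp\\sample.bin", ""]
    queue = read_queue() if sys.platform == "win32" else constructed
    for path, hits in audit(queue).items():
        print(f"{path}: deletion would pass through {hits}")
```

Run it before approving a reboot that a security product has requested; any flagged entry deserves a manual look at where the junction points.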
  2. MohanC Win User

    windows 10 deleted my desktop files

    Step 1 - I upgraded to Win 10 and lost all my files on Desktop.

    Step 2 - Found the files in Network - Users - Desktop

    copied all files again to desktop.

    Step 3- Restarted my machine again and lost desktop files again.

    Step 4 - As suggested, did the following as listed below but don't find my files.

    • Press “Windows + E”, open This PC/Computer
    • Open Local Disc C, open Windows.old
    • Click on Users, select your User name
    • Go to desktop folder
    Can't find my files. Why is Win 10 deleting files again and again from Desktop?
     
    MohanC, Dec 11, 2022
    #2
  3. Anusha Win User
    C windows installer folder - Delete?

    He can do symbolic link redirection and move the files in it to a different location. ;)
    Better try it out in a virtual of first. Just a suggestion.

    Like:
    First move everything in c:\windows\installer to d:\installercache
    Then delete c:\windows\installer folder
    Then type this in command mode as admin
    mklink /d c:\windows\installer d:\installercache

    Removing those installer files is a bad idea. It might prevent you from updating or uninstalling apps.
     
    Anusha, Dec 11, 2022
    #3
  4. Alden Rey Win User

    deleting hard drive files

    Hi,

    May we know what type of file you are trying to delete? Would it be Office documents, media files, or picture files? If you're trying to delete files to free some space on your device, we suggest performing a Disc Cleanup. Kindly follow the steps below to perform the task:

    • Type in Cortana Disc Cleanup
    • Choose the files to delete
    • Click on "Clean up system files"
    • Click on Ok

    For any concerns, don't hesitate to get back to us.

    Regards.
     
    Alden Rey, Dec 11, 2022
    #4