Release Date: 10-Feb-2017

Last Update: –

Vendor Notification Date: 20-Jan-2017

Product: Emsisoft Anti-Malware

Platform: Microsoft Windows 8/8.1/10

Affected versions: a2hooks32.dll 10.0.0.218

Severity Rating: Medium

Impact: Security bypass

Attack Vector: From local system

Solution Status: Vendor patch

CVE reference: Not yet assigned

Details

Emsisoft Anti-Malware injects user mode hooks into each running process via a2hooks32.dll. The hooks allow Emsisoft Anti-Malware to analyse the behaviour of the process and alert the user when malware actions are suspected, such as listening on a port or interacting with other processes.

The issue exists in the dynamic library a2hooks32.dll as it can be unloaded from memory without alerting the user. A malware developer can unload the hooks to bypass the Behavior Blocker.

Please refer to the PDF version of this advisory  for proof of concept code examples.

Solution

Emsisoft fixed the issue in the latest version by making the hooks DLL statically linked.

Discovered By

Ayman Sagy from Sense of Security Labs.