Sense of Security is one of Australia’s most trusted providers of cyber resilience, information security and risk management services.

Latest announcements
© Copyright Sense of Security

Security Advisory – SOS-17-001 – Emsisoft Anti-Malware Behavior Blocker Bypass

Release Date: 10-Feb-2017

Last Update:

Vendor Notification Date: 20-Jan-2017

Product: Emsisoft Anti-Malware

Platform: Microsoft Windows 8/8.1/10

Affected versions: a2hooks32.dll

Severity Rating: Medium

Impact: Security bypass

Attack Vector: From local system

Solution Status: Vendor patch

CVE reference: Not yet assigned


Emsisoft Anti-Malware injects user mode hooks into each running process via a2hooks32.dll. The hooks allow Emsisoft Anti-Malware to analyse the behaviour of the process and alert the user when malware actions are suspected, such as listening on a port or interacting with other processes.

The issue exists in the dynamic library a2hooks32.dll as it can be unloaded from memory without alerting the user. A malware developer can unload the hooks to bypass the Behavior Blocker.

Please refer to the PDF version of this advisory  for proof of concept code examples.


Emsisoft fixed the issue in the latest version by making the hooks DLL statically linked.

Discovered By

Ayman Sagy from Sense of Security Labs.

Our expert consultants are here to help you. For all your Cyber Security needs please contact us today.

No Comments

Sorry, the comment form is closed at this time.