Weakness in EDR Tools Lets Attackers Push Malware Past Them

A technique called hooking used by most endpoint detection and response products to monitor running processes can be abused, new research shows.

A fundamental weakness in the way almost all endpoint detection and response (EDR) systems work gives attackers an opening to sneak malware past them.


Fixing the issue is not going to be easy, requiring a substantial overhaul of most current EDR systems on the market, Optiv said in a report this week.


EDR products are designed to detect and respond to suspicious behaviors and attacks on endpoint devices. Most combine signature-based malware detection with heuristic analysis, sandboxing, and other techniques to spot and block threats. The technology allows security teams to quickly isolate compromised systems and collect endpoint logs and other threat indicators to facilitate remediation.


One technique many EDR products use to detect suspicious activity and gather information for behavior-based analytics is called "hooking." Matthew Eidelberg, technical manager at Optiv, describes hooking as a technique for monitoring computer programs as they run. The hooks are placed at the system call (syscall) interface, the boundary through which a running process asks the operating system for services such as allocating memory or creating a file.


"Many EDR products place these hooks at a point of program execution that users have access to so they have permissions to remove or completely bypass them," Eidelberg says.


The hooks give EDR agents on endpoint devices a way to monitor all running processes and look for any changes to those processes. The EDR agent passes data gathered via hooking to the EDR vendor's platform for further analysis.
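The hooks described above live in the same memory a process can write to, which is why Eidelberg notes that a process with ordinary permissions can remove them. The added example below (not code from the report or from any EDR vendor) models one syscall stub as a constructed byte array, installs a jump-style hook over it, and shows the kind of agent-side integrity check that can at least tell whether its hook is still present, was restored to the clean image, or was altered some other way. The stub bytes and jump displacement are illustrative placeholders, never executed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of one user-mode syscall stub: the bytes a process
 * executes in its own address space to reach the kernel (illustrative of
 * the x64 pattern "mov r10,rcx ; mov eax,<number> ; syscall ; ret"). */
#define STUB_LEN 16
static const uint8_t CLEAN_STUB[STUB_LEN] = {
    0x4c, 0x8b, 0xd1, 0xb8, 0x18, 0x00, 0x00, 0x00,
    0x0f, 0x05, 0xc3, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc };

/* The agent's hook: a 5-byte relative jump written over the first
 * instruction so every call is routed through an inspection routine.
 * The displacement is a placeholder; nothing here is executed as code. */
static const uint8_t HOOK_JMP[5] = { 0xe9, 0x11, 0x22, 0x33, 0x44 };

enum hook_state { HOOK_INTACT = 0, HOOK_REMOVED = 1, HOOK_TAMPERED = 2 };

/* Agent-side integrity check over the live stub bytes: is the patch still
 * present, was the stub restored to its clean image, or changed otherwise? */
enum hook_state check_hook(const uint8_t *live)
{
    if (memcmp(live, HOOK_JMP, sizeof HOOK_JMP) == 0 &&
        memcmp(live + 5, CLEAN_STUB + 5, STUB_LEN - 5) == 0)
        return HOOK_INTACT;
    if (memcmp(live, CLEAN_STUB, STUB_LEN) == 0)
        return HOOK_REMOVED;   /* clean bytes back in place: hook is gone */
    return HOOK_TAMPERED;      /* neither image: treat as suspicious */
}

/* Simulate what the check sees in a process after a given event:
 * 0 = hook installed, 1 = stub later overwritten with its clean image
 * (the removal the article describes), 2 = an unrelated byte patched. */
enum hook_state state_after(int event)
{
    uint8_t live[STUB_LEN];
    memcpy(live, CLEAN_STUB, STUB_LEN);
    memcpy(live, HOOK_JMP, sizeof HOOK_JMP);      /* agent installs hook */
    if (event == 1) memcpy(live, CLEAN_STUB, STUB_LEN);
    if (event == 2) live[8] = 0x90;               /* syscall opcode altered */
    return check_hook(live);
}

int main(void)
{
    static const char *names[] = { "intact", "removed", "tampered" };
    for (int e = 0; e < 3; e++)
        printf("event %d -> hook %s\n", e, names[state_after(e)]);
    return 0;
}
```

A check like this only raises an alert after the fact; it does not restore the visibility the hook provided, which is why the report argues the underlying design needs rework rather than a patch.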


The problem is that because the hooks are placed in user space, everything in a process' memory space when the process ..
