Sandboxing anti-malware products for fun and profit

Elastic researchers enjoy finding new means for users to protect their organizations against attack. Recently, the Elastic Security team identified an unpatched Windows flaw in the Windows Protected Process Light (PPL) mechanism that lets malware disable security products, and incorporated a fix into Elastic Security to protect our users.

In our full analysis, the team summarizes what Windows protected anti-malware services include, and how both sandboxing and access tokens can operate in a Windows environment. The author, Gabriel Landau, provides detailed insight into the way tokens can be leveraged by hackers to penetrate and evade Windows-based systems. The article also includes a recorded demonstration showing exactly how sandboxing can quietly incapacitate anti-malware products.

Landau’s analysis also goes into depth about how anti-malware vendors can defend themselves against this exposure with an obscure Windows feature called trusted labels.

To find threats like malware and ransomware in your environment, install the latest version of Elastic Security, and be sure to take advantage of our quick start training to set yourself up for success.

If you’re new to Elastic Cloud, you can always get started for free with a free 14-day trial of Elastic Cloud or download the self-managed version of the Elastic Stack for free.

Happy hunting!