A single NULL character could hide malware from Windows 10 antivirus


Microsoft has worked hard to create and implement new security measures, from anti-exploit shields that block the exploitation of vulnerabilities to the new Microsoft anti-malware engine in Windows Defender, which can protect against threats to our system without the need for an additional antivirus. However, like many others, this antivirus engine has vulnerabilities, as a data security expert noted.

Just last December, Microsoft announced the release of an important security patch to fix vulnerabilities in the Windows 10 anti-malware engine.


Now, a new vulnerability related to its anti-malware software has been discovered in the latest version of its operating system. This time, the vulnerability lies in the Anti-Malware Scan Interface (AMSI) component of Windows 10.

The AMSI module allows an application to submit any file to be scanned by the locally installed antivirus and to receive the results once the analysis is complete. Although this tool can be used to analyze any type of file, Microsoft designed it especially with PowerShell, VBScript and Ruby scripts in mind, since these can easily include functions to evade conventional antivirus analysis.

Anti-Malware Scan Interface stops scanning a script after a NULL character.

As cyber security researchers have shown, the vulnerability in Windows Defender is that this scanning engine begins analyzing any file or script but, when it encounters a NULL character, stops analyzing the script and treats it as clean.


In this way, hackers could hide all the malicious code after this NULL character so that, even if the script is analyzed, the malicious code goes unnoticed and is not detected.

Microsoft was already aware of this vulnerability and, with the release of last week's security patches, the company addressed and fixed the vulnerability described above.

Therefore, to protect ourselves from this vulnerability, we must make sure that our Windows 10 is updated with the latest available security patches, specifically the February 2018 security patches.

In addition, data security professionals recommend that the engineers of the main antivirus vendors review their security systems to verify that they do not stop analyzing scripts upon reaching a NULL character, as Microsoft's anti-malware engine did.
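As an added illustration (not part of the original article) of the behaviour described above and of the check recommended to antivirus engineers, the following Python models a scanner that stops at a NUL character beside one that honours the full buffer length, and additionally flags the NUL character itself. The signature pattern, the sample scripts and the function names are constructed for this example.

```python
import re
from typing import List

# Constructed detection rule standing in for a real engine's signature set (assumption).
SIGNATURES: List[re.Pattern] = [re.compile(r"CONSTRUCTED_MALICIOUS_PATTERN", re.I)]


def scan_truncating(script: str) -> List[str]:
    """Models the pre-patch behaviour described above: the text is handled as a
    NUL-terminated string, so nothing after the first U+0000 is ever examined."""
    visible = script.split("\x00", 1)[0]
    return [s.pattern for s in SIGNATURES if s.search(visible)]


def scan_full_length(script: str) -> List[str]:
    """Hardened behaviour: honour the caller-supplied length and examine every character."""
    return [s.pattern for s in SIGNATURES if s.search(script)]


def nul_offsets(script: str) -> List[int]:
    """Script source (PowerShell, VBScript, ...) has no legitimate use for U+0000, so its
    presence alone is worth flagging. Decode the file first (PowerShell files are often
    UTF-16LE) so that the zero bytes of the encoding are not mistaken for it."""
    return [i for i, ch in enumerate(script) if ch == "\x00"]


def verdict(raw: bytes, encoding: str = "utf-8") -> dict:
    """Full-length scan plus NUL check over a decoded script buffer."""
    script = raw.decode(encoding)
    hits = scan_full_length(script)
    nuls = nul_offsets(script)
    return {"hits": hits, "nul_offsets": nuls, "suspicious": bool(hits or nuls)}


# Constructed samples: a benign line, a NUL character, then the flagged pattern.
SAMPLE_UTF8 = "Write-Host 'hello'\x00CONSTRUCTED_MALICIOUS_PATTERN".encode("utf-8")
SAMPLE_UTF16 = "Write-Host 'hello'\x00CONSTRUCTED_MALICIOUS_PATTERN".encode("utf-16-le")
CLEAN_UTF16 = "Write-Host 'hello'\n".encode("utf-16-le")

if __name__ == "__main__":
    text = SAMPLE_UTF8.decode("utf-8")
    print("truncating scanner:", scan_truncating(text))    # [] : everything after the NUL is missed
    print("full-length scanner:", scan_full_length(text))  # ['CONSTRUCTED_MALICIOUS_PATTERN']
    print("utf-16 sample:", verdict(SAMPLE_UTF16, "utf-16-le"))
    print("utf-16 clean:", verdict(CLEAN_UTF16, "utf-16-le"))  # not suspicious: encoding zero bytes are not U+0000
```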