Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

UNCLASSIFIED
Analysis Report
Software Restriction Policy: A/V Disable
(U) Analysis
(U) The effectiveness of using a Software Restriction Policy (SRP) to disable an Anti-Virus product was tested on Windows 7 64-bit. In order to present a controlled environment, a recent pull of mimikatz from GitHub was copied immediately after installation of the specified Anti-Virus product to ensure it was detected. Following this, various SRPs were enabled. The results for each of the tested Anti-Virus products can be found below.
(U) At the conclusion of Windows 7 testing, Windows 8 (and later) were not selected for additional testing due to the presence of Early Launch Anti-Malware (ELAM) and the lack of success on Windows 7. These two factors make it exceedingly unlikely that any later version of Windows will produce the desired results.
(U) Kaspersky
(U) Kaspersky version 15.0.2.361 was used for testing. After installation, Kaspersky successfully detected and cleaned mimikatz with no SRP in effect.
(U) Attempting to enable an SRP on any of the Kaspersky files or the Kaspersky parent folder failed with an “Access Denied” error. Targeting individual files (e.g., avp.exe and avpui.exe) with a hash-based SRP does allow the software restriction policy to be applied.
(U) After enabling the hash-based SRP, Kaspersky doesn’t alert the user to the potential of a virus, but does prevent the files from being copied to local disk nonetheless. Disabling only avp.exe, but not avpui.exe, effectively does nothing: the files are still prevented from being copied to the desktop, and the user is simultaneously alerted to their presence.
(U) Avira
(U) Does not detect mimikatz
(U) AVG
(U) Does not detect mimikatz
(U) Microsoft Security Essentials
(U) After installation of Microsoft Security Essentials (MSE) and installation of the most recent definitions, MSE detected and cleaned mimikatz with no SRP in effect.
(U) An SRP on the individual files or the parent folders was successfully applied without error. Despite this, the SRP did not stop MSE from running. In fact, the inverse happened: MSE even detected the attempt to use SRP against it as Win32/MpTamperSrp.A.
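The Kaspersky and MSE findings above both come down to whether a Disallowed SRP rule names an anti-virus binary. The following audit script is an added example, not part of the report: it enumerates the SRP rules stored in the registry and flags Disallowed path or hash rules whose target names a product binary. It assumes the standard SRP registry layout (CodeIdentifiers\<level>\{Paths,Hashes}\<GUID>) and that a hash rule's FriendlyName carries the original file name, as the Group Policy editor writes it; $AvNames is a constructed watch list seeded with the file names the report mentions.

```powershell
# Added example, not from the report: audit SRP rules on a Windows host for
# Disallowed rules that name anti-virus binaries. Assumes the standard SRP
# registry layout and that a hash rule's FriendlyName holds the file name.
# $AvNames is a constructed watch list (avp.exe/avpui.exe from the report,
# MsMpEng.exe/msseces.exe added as MSE's service and UI binaries).
$AvNames = @('avp.exe', 'avpui.exe', 'MsMpEng.exe', 'msseces.exe')

# SRP security level subkeys as stored under CodeIdentifiers
$Levels = @{ 0 = 'Disallowed'; 131072 = 'BasicUser'; 262144 = 'Unrestricted' }

$Roots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
)

function Get-SrpRule {
    param([string]$Root)
    if (-not (Test-Path $Root)) { return }
    foreach ($LevelKey in Get-ChildItem -Path $Root) {
        $LevelName = $Levels[[int]$LevelKey.PSChildName]
        foreach ($Kind in 'Paths', 'Hashes') {
            $KindPath = Join-Path $LevelKey.PSPath $Kind
            if (-not (Test-Path $KindPath)) { continue }
            foreach ($RuleKey in Get-ChildItem -Path $KindPath) {
                $Props = Get-ItemProperty -Path $RuleKey.PSPath
                # Path rules keep the path in ItemData; hash rules keep the
                # hash bytes there and the file name in FriendlyName.
                $Target = if ($Kind -eq 'Paths') { $Props.ItemData } else { $Props.FriendlyName }
                [pscustomobject]@{
                    Hive        = $Root.Split(':')[0]
                    Level       = $LevelName
                    Kind        = $Kind
                    RuleId      = $RuleKey.PSChildName
                    Target      = [string]$Target
                    Description = [string]$Props.Description
                }
            }
        }
    }
}

function Test-TargetsAv {
    param([string]$Target)
    foreach ($Name in $AvNames) {
        if ($Target -like "*$Name*") { return $true }
    }
    return $false
}

$Rules = foreach ($Root in $Roots) { Get-SrpRule -Root $Root }
$Findings = $Rules | Where-Object { $_.Level -eq 'Disallowed' -and (Test-TargetsAv $_.Target) }
"SRP rules found: $(@($Rules).Count); Disallowed rules naming AV binaries: $(@($Findings).Count)"
$Findings | Format-Table Hive, Kind, Target, Description -AutoSize
```

Run it from an elevated PowerShell session so the HKLM policy keys are readable; a non-empty findings table on a host where no administrator created such rules is the tamper indicator MSE reports as Win32/MpTamperSrp.A.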
(U) Recommendations
Raytheon Blackbird Technologies, Inc.
3
26 June 2015
Use or disclosure of data contained on this sheet is subject to the restrictions on the title page of this document.
UNCLASSIFIED
