Endpoint Protection

Vulnerability in Symantec Endpoint Protection's Defense Against Kaspersky tdsskiller Exploit

    Posted Oct 21, 2024 06:25 PM

    We are a cybersecurity team from China. Based on the report from ThreatDown, we investigated how Kaspersky tdsskiller can terminate processes of certain security software. We tested Symantec Endpoint Protection's defense against this exploit.

    Test Results

    1. Effective Defense: When the tdsskiller file name is not modified, Symantec Endpoint Protection effectively defends against the exploit.
    2. Vulnerability Detected: By simply renaming the tdsskiller file, the Symantec Endpoint Protection service can be successfully terminated.

    Hypothesis

    • It appears that Symantec Endpoint Protection's SONAR rules are specially configured for the original tdsskiller file, but not for malicious behavior following its exploitation, resulting in a vulnerability.

    Recommendation

    • Update the SONAR rules to provide a "broad-spectrum" defense against this type of behavior, rather than targeting a specific tdsskiller file or process.

    Attachment

    • Test video.