Handout B: Antivirus Detection & Evasion Log

Windows antivirus alert log and security event timeline from the infected workstation. Shows the initial detection, the quarantine that came too late to matter, and the attacker disabling security controls afterwards.


Antivirus Alert Log

McAfee VirusScan Enterprise - Event Log
Infected System: RESEARCH-WKS-12 (James Miller, Materials Engineer)
Log Period: September 14-15, 2011

[2011-09-14 10:52:33] FILE_SCAN ALERT
  File: C:\Documents and Settings\jmiller\Desktop\composite_specs_v2.7.exe
  Detection: Generic.dx (Generic Malware Detected)
  Threat Level: HIGH
  Action Taken: File quarantined to C:\quarantine\
  McAfee Status: QUARANTINE SUCCESSFUL

[2011-09-14 10:52:45] USER_ALERT NOTIFICATION
  System Tray: [!] Threat Detected and Quarantined
  Message: "A high-risk file was detected and removed from your system.
            McAfee has quarantined the file: composite_specs_v2.7.exe"
  User Action: User clicks [OK] to dismiss notification

[2011-09-14 10:53:00] REGISTRY_MONITOR ALERT
  Process: explorer.exe
  Action: Attempting to modify HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\McShield
  Detection: Suspicious registry modification targeting antivirus service
  Status: BLOCKED by McAfee registry protection

[2011-09-14 10:53:15] FILE_MONITOR ALERT
  Process: Unknown (elevated privileges)
  Action: Attempting to delete C:\Program Files\McAfee\VirusScan\...
  Detection: Suspicious file deletion in antivirus directory
  Status: BLOCKED by McAfee file integrity monitoring

[2011-09-14 10:53:30] PROCESS_MONITOR ALERT
  Process: McShield.exe (McAfee VirusScan on-access scanner service)
  Action: Process termination attempt from kernel mode
  Detection: Unauthorized process termination
  Status: FAILED - McShield service restarted automatically

[2011-09-14 10:54:00] SYSTEM EVENT: AV Service Status
  Service: McAfee VirusScan
  Status: RUNNING (Auto-restart enabled)
  Real-time Protection: ENABLED
  Last Detection: 1 minute ago

[2011-09-14 10:55:45] REGISTRY_MONITOR ALERT
  Process: svchost.exe (compromised)
  Action: Disabling Windows Security Center notifications
  Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
  Value Modified: AntiVirusDisableNotify = 1
  Status: MODIFIED SUCCESSFULLY (kernel-level privilege)

[2011-09-14 10:56:00] CRITICAL: AV SERVICE DISABLED
  McAfee Real-time Protection: OFF
  Status Update: McAfee VirusScan service stopped and set to DISABLED
  Reason: Windows Service Management (kernel-level modification)
  Recovery Attempt: Failed - Service cannot be restarted (startup disabled)

[2011-09-14 10:56:15] FINAL LOG ENTRY
  Status: All antivirus protection DISABLED
  Reason: Poison Ivy RAT gained kernel-level access
  Next Steps: No further antivirus logging possible
  [LOG TERMINATED]

IM NOTES (Do Not Show to Players): Critical security failures:

  1. Initial Detection Success: McAfee correctly identified and quarantined the Poison Ivy dropper. Had the detection fired before the file executed, this would have stopped the attack.

  2. User Dismisses Alert: The user clicks "OK" on the quarantine notification without investigating further. In many organizations users ignore antivirus alerts because false positives are common, and the wording of the message ("detected and removed") tells them the problem is already solved.

  3. Attacker Persistence: The file on disk was quarantined, but the code it dropped was already running. Poison Ivy's standard behaviour is to inject itself into another process (the default browser or explorer.exe; note that the later tampering in the log comes from explorer.exe and svchost.exe), after which it no longer needs the original file. This is process injection, not polymorphism: quarantine acts on the file, not on the running process.

  4. Privilege Escalation: Poison Ivy escalates from the user's account to SYSTEM and, in this scenario, on to kernel-mode execution. SYSTEM is enough to stop services and write to HKLM; the kernel-mode access is what it needs to get past McAfee's own self-protection, which blocked the first three attempts below.

  5. AV Evasion: The attacker works through each layer of defense in turn:

    • First attempts to modify McAfee registry settings (blocked)
    • Then attempts to delete McAfee files (blocked)
    • Then attempts to terminate McAfee processes (blocked)
    • Then modifies Windows Security Center settings so the user sees no further alerts (succeeds)
    • Finally stops the McAfee service and sets its startup type to DISABLED (succeeds)

    The three blocked attempts are themselves a strong compromise indicator: a workstation whose antivirus is being attacked from explorer.exe is already compromised, even though every individual attempt was "blocked".

  6. Kernel-Level Control: Code running in the kernel is not subject to user-space access checks, so McAfee's self-protection cannot hold against it. This is why the final steps succeed where the earlier attempts failed.

This is the pattern the exercise models from the Nitro attacks: AV detection happened, but the system already had malware running, and the attacker used the privileges gained after execution to disable further protection.


Timeline: Detection vs. Compromise

Timeline Analysis: Race Between Detection and Compromise
(T+ offsets are rounded for the narrative; the McAfee log above carries the exact timestamps.)

T+0s    [INFECTION] User double-clicks composite_specs_v2.7.exe
        → File executes in the user's context
        → Poison Ivy dropper installs the RAT and injects it into another process
        → Initial beacon to C2 server: 202.165.127.43:25655

T+30s   [DETECTION] McAfee quarantines the original .exe file
        → Detection: "Generic.dx"
        → Quarantine location: C:\quarantine\
        → Problem: by this time the malware code is already running in memory
        → Quarantining a file does not stop the process that was started from it

T+45s   [ESCALATION] Poison Ivy escalates from the user's privileges to SYSTEM
        → Uses a local privilege escalation exploit (the scenario assumes a Windows kernel vulnerability)
        → In this scenario the same exploit gives the attacker kernel-mode code execution
        → SYSTEM alone can stop services and edit HKLM; kernel-mode access is what defeats McAfee's self-protection
        → Can now bypass all user-space security measures

T+60s   [EVASION] Attacker disables Windows Security Center notifications
        → Registry modification: HKLM\SOFTWARE\Microsoft\Security Center, AntiVirusDisableNotify = 1
        → User no longer sees antivirus alerts
        → User does not realize the system is compromised

T+90s   [FAILURE] Antivirus service is disabled
        → McAfee VirusScan service stopped
        → Real-time protection turned off
        → Service startup type set to DISABLED
        → Antivirus cannot restart automatically
        → System now has zero malware protection

T+120s  [SUCCESS] Poison Ivy establishes persistent backdoor
        → Keylogger active (capturing all keystrokes, including passwords)
        → Screen capture enabled (attacker sees everything the user sees)
        → Remote access established (attacker has full control)
        → Saved credentials harvested from the browser
        → System fully compromised despite initial AV detection

Conclusion: Quarantining the initial file FAILED to prevent compromise
            because the malware was already executing.
            User-space protections could not contain malware running in the kernel.

IM NOTES (Do Not Show to Players): This is a critical insight into modern malware defense:

  1. Quarantine Limitation: File quarantine only helps if it happens BEFORE the file runs. Once the process is executing (and has injected into another process), removing the file from disk does nothing to the code in memory; only terminating the process or its host would.

  2. Race Condition: Antivirus and attacker are in a race. AV tries to detect and stop; the attacker tries to escalate privileges and disable the AV before it can act. Here the signature fired about 30 seconds after execution, and the attacker won.

  3. Kernel Escape: Once the attacker has kernel-level execution, every user-space protection can be switched off, because it runs at a lower privilege than the attacker. The attacker now has the same level of control as the operating system itself.

  4. Detection vs. Prevention: This demonstrates why detection is not the same as prevention. Even with successful detection and quarantine, the compromise had already succeeded.

  5. Defense Layers Needed: A single antivirus product cannot stop a determined attacker. Needed:

    • Behavioral monitoring (catching unusual process activity, including attempts to tamper with security tools)
    • Network monitoring (detecting C2 connections)
    • Endpoint Detection & Response (EDR) with kernel-level visibility
    • Incident response capability

Key Discovery Questions

  • Why did antivirus quarantine the file but fail to prevent compromise?

Quarantine acts on files, not processes. The file was identified and quarantined, but the malware code was already executing. User-space antivirus couldn’t stop kernel-level operations.

  • What would have prevented the AV from being disabled?
  1. Kernel integrity protections: Kernel Patch Protection (PatchGuard) and kernel-mode driver signature enforcement make unauthorized kernel modification much harder. These are operating-system features of 64-bit Windows, not BIOS features; the workstation in this scenario (a Windows XP profile path, assumed 32-bit) has neither.
  2. Behavioral monitoring: Alert when AV services are stopped, set to DISABLED, or have their registry keys or files touched by a non-McAfee process
  3. Host-based Intrusion Prevention: Block process termination and service tampering attempts (McAfee's self-protection did exactly this for the first three attempts)
  4. EDR solutions: Detect suspicious process chains and kernel access
  5. Least privilege: Don't let users run as local administrators; an account that cannot stop services, write to HKLM or load drivers forces the attacker to find a working privilege escalation exploit first

But: Traditional antivirus alone cannot protect against this.
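The behavioral-monitoring and HIPS points above come down to one correlation: several attempts to touch the antivirus inside a short window is a compromise signal even when every attempt is blocked, and a success or the service going down is a second, louder one. The script below is an added example written for this handout, not McAfee's code and not part of the original exercise material. It parses the log format exactly as printed above (the sample is a trimmed copy of those entries, fictional exercise data), tags each event, and reports the tamper sequence together with how long the race from first detection to AV disabled actually took. Thresholds (5-minute window, 2 attempts) are illustrative assumptions.

```python
import re
from datetime import datetime

# Constructed sample: the entries from this handout's McAfee log (fictional
# exercise data), trimmed to the fields the detection logic below uses.
SAMPLE_LOG = r"""
[2011-09-14 10:52:33] FILE_SCAN ALERT
  File: C:\Documents and Settings\jmiller\Desktop\composite_specs_v2.7.exe
  Detection: Generic.dx (Generic Malware Detected)
  McAfee Status: QUARANTINE SUCCESSFUL

[2011-09-14 10:53:00] REGISTRY_MONITOR ALERT
  Process: explorer.exe
  Action: Attempting to modify HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\McShield
  Status: BLOCKED by McAfee registry protection

[2011-09-14 10:53:15] FILE_MONITOR ALERT
  Process: Unknown (elevated privileges)
  Action: Attempting to delete C:\Program Files\McAfee\VirusScan\...
  Status: BLOCKED by McAfee file integrity monitoring

[2011-09-14 10:53:30] PROCESS_MONITOR ALERT
  Process: McShield.exe (McAfee VirusScan on-access scanner service)
  Action: Process termination attempt from kernel mode
  Status: FAILED - McShield service restarted automatically

[2011-09-14 10:55:45] REGISTRY_MONITOR ALERT
  Process: svchost.exe (compromised)
  Action: Disabling Windows Security Center notifications
  Value Modified: AntiVirusDisableNotify = 1
  Status: MODIFIED SUCCESSFULLY (kernel-level privilege)

[2011-09-14 10:56:00] CRITICAL: AV SERVICE DISABLED
  McAfee Real-time Protection: OFF
  Status Update: McAfee VirusScan service stopped and set to DISABLED
"""

HEADER_RE = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] (.+)$")
# Anything that names the AV product, its service, or the Security Center.
AV_TARGET = re.compile(r"mcafee|mcshield|virusscan|security center|antivirus", re.I)


def parse_log(text):
    """Parse the handout's format into time-ordered events:
    {"time": datetime, "header": str, "fields": {key: value}}."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            events.append({"time": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                           "header": m.group(2).strip(), "fields": {}})
        elif events and ":" in line:
            key, _, value = line.partition(":")   # first colon separates key from value
            events[-1]["fields"][key.strip()] = value.strip()
    return sorted(events, key=lambda e: e["time"])


def classify(event):
    """Tag an event as 'detection', 'av_disabled', 'av_tamper_blocked',
    'av_tamper_succeeded', or None if it is not about the AV at all."""
    header = event["header"].upper()
    f = event["fields"]
    status = f.get("Status", "") + " " + f.get("Status Update", "")
    if header.startswith("FILE_SCAN"):
        return "detection"
    if "AV SERVICE DISABLED" in header or "SET TO DISABLED" in status.upper():
        return "av_disabled"
    target = " ".join(f.get(k, "") for k in ("Process", "Action", "Value Modified"))
    if header.endswith("MONITOR ALERT") and AV_TARGET.search(target):
        blocked = re.search(r"BLOCKED|FAILED", status, re.I)
        return "av_tamper_blocked" if blocked else "av_tamper_succeeded"
    return None


def analyse(events, window_seconds=300, min_attempts=2):
    """Correlate the tagged events. Repeated tamper attempts inside one window are
    reported even if each was blocked; any success or the service going down is
    reported separately; the detection-to-disabled gap is the race the defender lost."""
    tagged = [(e, classify(e)) for e in events]
    tamper = [e for e, tag in tagged if tag in ("av_tamper_blocked", "av_tamper_succeeded")]
    findings = []
    for i, first in enumerate(tamper):          # sliding window over tamper attempts
        group = [e for e in tamper[i:]
                 if (e["time"] - first["time"]).total_seconds() <= window_seconds]
        if len(group) >= min_attempts:
            findings.append(("DEFENSE_EVASION_ATTEMPT", first["time"], len(group)))
            break
    wins = [e for e, tag in tagged if tag in ("av_tamper_succeeded", "av_disabled")]
    if wins:
        findings.append(("DEFENSE_EVASION_SUCCEEDED", wins[0]["time"], len(wins)))
    detections = [e for e, tag in tagged if tag == "detection"]
    disabled = [e for e, tag in tagged if tag == "av_disabled"]
    race = None
    if detections and disabled:
        race = int((disabled[0]["time"] - detections[0]["time"]).total_seconds())
    return {"findings": findings, "seconds_from_detection_to_av_disabled": race}


if __name__ == "__main__":
    result = analyse(parse_log(SAMPLE_LOG))
    for name, when, count in result["findings"]:
        print(f"{when:%H:%M:%S}  {name}  ({count} events)")
    print("seconds from first detection to AV disabled:",
          result["seconds_from_detection_to_av_disabled"])
```

Run against the handout's entries this reports an evasion attempt at 10:53:00 covering four events, a successful evasion at 10:55:45, and 207 seconds between the first detection and the service being disabled. The point for the exercise is the first finding: it fires on the blocked attempts alone, two and a half minutes before the antivirus was actually lost, which is the window a SOC had to isolate RESEARCH-WKS-12.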

  • How would you know the system was compromised if AV alerts were disabled?
  1. Network monitoring: Unexpected outbound connections to 202.165.127.43 (port 25655), and the regular check-in interval typical of a RAT beacon
  2. Behavioral monitoring: Unusual process creation, file access and registry changes, in particular the Security Center key and the McShield service key
  3. User reports: System slowness, unusual activity
  4. Endpoint Detection & Response (EDR): Detects Poison Ivy-specific behaviors such as process injection and keylogging
  5. Disk forensics: Evidence of Poison Ivy installation on disk

Without EDR or network monitoring, the compromise might have gone undetected for weeks.
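Network monitoring catches this compromise in two ways: a blocklist hit on the known C2 address, and, more generally, the regularity of a RAT polling its controller, which looks nothing like a person browsing. The script below is an added example for this handout, not part of the original exercise material and not taken from any product. The connection records are constructed: the workstation address 10.20.30.12 and the browsing destination 198.51.100.7 are hypothetical, while 202.165.127.43:25655 is the C2 indicator from the timeline above. The beacon test is generic (coefficient of variation of inter-connection gaps), so it also applies to a RAT whose address is not yet on any blocklist.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Indicator taken from this handout's timeline (fictional exercise data).
KNOWN_C2 = {("202.165.127.43", 25655)}


def sample_flows():
    """Constructed outbound-connection records (time, src, dst, dport) for the
    workstation (10.20.30.12 is an assumed address): a RAT-style check-in roughly
    every 60 s with a little jitter, plus bursty HTTPS browsing to a hypothetical
    unrelated host (198.51.100.7)."""
    base = datetime(2011, 9, 14, 10, 52, 40)
    flows = []
    for i, jitter in enumerate((0, 2, -1, 1, -2, 0, 1, -1)):
        flows.append((base + timedelta(seconds=60 * i + jitter),
                      "10.20.30.12", "202.165.127.43", 25655))
    for offset in (5, 9, 47, 130, 133, 260, 410, 415, 420):
        flows.append((base + timedelta(seconds=offset),
                      "10.20.30.12", "198.51.100.7", 443))
    return sorted(flows)


def beacon_candidates(flows, min_connections=5, max_cv=0.25):
    """Group connections by (src, dst, dport) and score each group's regularity.
    A low coefficient of variation of the gaps between connections means the host
    is calling out on a timer, which is how a RAT polls its controller; human
    browsing produces bursts and long pauses. Thresholds are illustrative."""
    groups = defaultdict(list)
    for t, src, dst, dport in flows:
        groups[(src, dst, dport)].append(t)
    results = {}
    for key, times in groups.items():
        if len(times) < min_connections:     # too few samples to judge regularity
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        results[key] = {
            "count": len(times),
            "mean_interval_s": round(avg, 1),
            "cv": round(cv, 3),
            "known_c2": key[1:] in KNOWN_C2,   # blocklist hit on (dst, dport)
            "beacon": cv <= max_cv,            # regularity alone, no indicator needed
        }
    return results


if __name__ == "__main__":
    for (src, dst, dport), r in beacon_candidates(sample_flows()).items():
        verdict = "KNOWN C2" if r["known_c2"] else ("BEACON" if r["beacon"] else "ok")
        print(f"{src} -> {dst}:{dport}  n={r['count']}  every ~{r['mean_interval_s']}s"
              f"  cv={r['cv']}  {verdict}")
```

On the sample data the C2 group comes out with a mean interval near 60 seconds and a coefficient of variation under 0.05, while the browsing group's gaps vary by more than their mean. In a real deployment the input is firewall, proxy or flow logs for every internal host over a few hours; the threshold has to be tuned because legitimate software (update checks, mail clients) also polls on timers, so a beacon verdict is a lead for an analyst, not a block action on its own.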

IM Facilitation Notes

This handout shows:

  • Limits of traditional antivirus detection
  • Importance of kernel-level security
  • How attackers disable security controls
  • Need for defense-in-depth approach
  • Behavioral monitoring vs. signature-based detection