Windows 10 Store 'wsreset' tool bypass antivirus

Hi Team,

Security researchers have discovered a technique that exploits the Windows 10 Microsoft Store tool 'wsreset.exe', which can delete files and bypass antivirus protection on a host without being detected.

I would like to know if we are covered with the current security controls to detect this defense evasion technique, or do you recommend creating an expert rule to detect the execution of wsreset.exe?

Reference: hxxp[:]//daniels-it-blog.blogspot[.]com/2020/07/arbitrary-file-delete-via-wsresetexe.html

Thanks in advance!

6 Replies
McAfee Employee
Message 2 of 7

Re: Windows 10 Store 'wsreset' tool bypass antivirus

Hello,

I checked the detection of "wsreset.exe" on VirusTotal, but none of the antivirus vendors detect the file, as this is a known good file of Windows.

Refer to the VirusTotal link: https://www.virustotal.com/gui/file/ac5b4cc77a211519ae689c91f9a9fa979ba05c5ab5e0b87f2f3c7de5304afa74...

So if you are not using the Windows Store tool "wsreset.exe" in your environment, you can block execution of the file so that it will not give hackers an opportunity to run their code.

You can refer to the link below on how to create an Access Protection rule to block execution of "wsreset.exe":
Configure user-defined Access Protection rules
https://docs.mcafee.com/bundle/endpoint-security-10.5.0-threat-prevention-product-guide-epolicy-orch...

Follow the screenshots below on how to create an Access Protection rule to block the execution of an exe file.

Step 15: Click on save

Step 16: Click on save

Step 17: Click on save

Then check whether your rule is added to the policy or not.

Let us know if this helps or if you have any questions.

Regards,
Daya

Re: Windows 10 Store 'wsreset' tool bypass antivirus

Hi Daya,

I'd like to have a proper solution for the issue.

Does Self Protection at least work this out and prevent McAfee files and folders from being deleted by wsreset.exe?

Thanks in advance!

Regards,

Daniel

McAfee Employee
Message 4 of 7

Re: Windows 10 Store 'wsreset' tool bypass antivirus

Hello Daniel,

Yes, self-protection is for McAfee processes and files; that is because malware will always try to stop anti-virus software and then try to do malicious things on the system.

Let me know if you have any queries.

Regards,
Daya
McAfee Employee
Message 5 of 7

Re: Windows 10 Store 'wsreset' tool bypass antivirus

Hi @Daniel_GFI 

Though I do not have the means to test this personally at the moment, purely based on the scenario described in the reference you provided I can say that Self Protection at a minimum should have no issue blocking this.

The antivirus software used in the PoC on that link appears to have simply used NTFS permissions as protection for their files, whereas we use a kernel mode driver to accomplish that task. Just as an administrative user on a machine cannot bypass self protection, a regular user exploiting an auto-elevating process should also not be able to bypass self protection.

Thank you,
Mitchell Buehler


Re: Windows 10 Store 'wsreset' tool bypass antivirus

Hi Mitchell,

Thanks for the detailed explanation regarding the rights. Sounds convincing.

Hopefully there will be a way to prevent deleting other files using wsreset.exe as well.

Regards,

Daniel


Re: Windows 10 Store 'wsreset' tool bypass antivirus

I have created the expert rule below in Exploit Prevention to block wsreset.exe from deleting McAfee content files.

Rule {
  Process {
    Include OBJECT_NAME {
      -v "wsreset.exe"
    }
  }
  Target {
    Match FILE {
      Include OBJECT_NAME -type PATH {
        -v "C:\\ProgramData\\McAfee\\**"
      }
      Include -access "DELETE"
    }
  }
}
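The original question asks whether execution of wsreset.exe can be detected, and the expert rule above blocks its deletes under C:\ProgramData\McAfee. The script below is an added example, not code from the thread or from McAfee, showing the same logic as detection rather than prevention: it runs over constructed Sysmon-style events (EventID 1 = ProcessCreate, 23/26 = FileDelete) and flags any wsreset.exe launch, launches from a shell or script-host parent, and deletes whose target lies outside the Store cache. The Store cache location (the `Microsoft.WindowsStore_*\LocalCache` package folder) and the protected McAfee directories are assumptions for the example, as is the event layout; the sample events are constructed, not captured from a real host.

```python
# Added example (not from the thread): detection logic for anomalous wsreset.exe
# activity over constructed Sysmon-style events.
# Event IDs follow Sysmon: 1 = ProcessCreate, 23 = FileDelete, 26 = FileDeleteDetected.
import re

# Assumption: wsreset.exe legitimately clears only the Microsoft Store cache
# under this per-user package folder. Deletes anywhere else are suspicious.
STORE_CACHE_RE = re.compile(
    r"^[A-Z]:\\Users\\[^\\]+\\AppData\\Local\\Packages\\"
    r"Microsoft\.WindowsStore_[^\\]+\\LocalCache(\\|$)",
    re.IGNORECASE,
)

# Assumed AV install paths; the thread's expert rule covers C:\ProgramData\McAfee\**.
PROTECTED_PREFIXES = (
    "c:\\programdata\\mcafee\\",
    "c:\\program files\\mcafee\\",
    "c:\\program files\\common files\\mcafee\\",
)

# Parents from which an interactive Store reset is unlikely to be launched.
SCRIPT_PARENTS = ("\\cmd.exe", "\\powershell.exe", "\\wscript.exe", "\\cscript.exe")


def is_wsreset(image):
    """True if the event's Image is wsreset.exe, regardless of directory or case."""
    return image.rsplit("\\", 1)[-1].lower() == "wsreset.exe"


def classify(event):
    """Return (severity, reason) for one event, or None if nothing is notable."""
    if not is_wsreset(event.get("Image", "")):
        return None
    eid = event["EventID"]
    if eid == 1:
        # Any execution is worth recording (the original poster's ask); a
        # shell/script parent raises the severity.
        parent = event.get("ParentImage", "").lower()
        if parent.endswith(SCRIPT_PARENTS):
            return ("medium", "wsreset.exe launched from a shell or script-host parent")
        return ("low", "wsreset.exe executed")
    if eid in (23, 26):
        target = event.get("TargetFilename", "")
        if STORE_CACHE_RE.match(target):
            return None  # expected Store cache cleanup
        if target.lower().startswith(PROTECTED_PREFIXES):
            return ("high", "wsreset.exe deleted a file under a protected AV directory")
        return ("medium", "wsreset.exe deleted a file outside the Store cache")
    return None


def scan(events):
    """Run classify() over an event stream and collect findings in order."""
    findings = []
    for event in events:
        verdict = classify(event)
        if verdict:
            findings.append({"severity": verdict[0], "reason": verdict[1], "event": event})
    return findings


# Constructed sample events (not real telemetry).
WSRESET = "C:\\Windows\\System32\\wsreset.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": WSRESET, "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 26, "Image": WSRESET,
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Packages\\"
                       "Microsoft.WindowsStore_8wekyb3d8bbwe\\LocalCache\\cache.dat"},
    {"EventID": 1, "Image": WSRESET, "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"EventID": 26, "Image": WSRESET,
     "TargetFilename": "C:\\ProgramData\\McAfee\\Endpoint Security\\settings.cfg"},
    {"EventID": 26, "Image": WSRESET,
     "TargetFilename": "C:\\Users\\alice\\Documents\\report.docx"},
    {"EventID": 26, "Image": "C:\\Windows\\System32\\notepad.exe",
     "TargetFilename": "C:\\Users\\alice\\Documents\\notes.txt"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['reason']}: {f['event']}")
```

On the sample stream this yields four findings: a low-severity execution, a medium-severity launch from cmd.exe, a high-severity delete under C:\ProgramData\McAfee (the case the expert rule blocks), and a medium-severity delete of a user document; the delete inside the Store cache and the notepad.exe delete are ignored. Feeding real Sysmon output requires only mapping its fields onto the `EventID`, `Image`, `ParentImage` and `TargetFilename` keys used here.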
