
Agnitum Outpost Security Suite proactive protection bypass in 2 lines

I have already mentioned this before and even shared a video demonstration, but without disclosing details. Unfortunately, the developer ignored the issue and did not respond to my letter about the problem (my report was registered on October 2, 2012 under the number sb-ru-02-121000048-t). So I decided to publish all the technical details. The video demonstration below was first shown at ZeroNights 2012 as part of the zeroday show.

Background

Such vulnerabilities are often found by accident, and my case is no exception. One night at midnight, under a full moon, I installed Outpost Security Suite and set its proactive protection to the maximum mode. In this mode, even a newly inserted flash drive will not be mounted until you approve several actions in the antivirus's pop-up windows. Once, when I inserted a new flash drive, the usual pop-up appeared from the antivirus, but I did not give consent to the installation. As usual, I locked the computer (Win + L) and left it for several minutes. Imagine my surprise when I came back and found that the flash drive had been mounted in the system anyway! That is where the fun began...

The essence of the problem

In learning mode, Outpost's proactive protection asks the user what to do when it detects suspicious program activity. But if the workstation is locked after such a dialog is shown (which is what happens when you press Win + L), the antivirus treats this as permission.

This process can be automated with a bat file of just two lines:

start 1.exe
ping 127.0.0.1 -n 10 -w 10000 > NUL & rundll32.exe user32.dll,LockWorkStation

Ping is used here only as a delay (although there is a more elegant solution), after which the lock command (rundll32.exe user32.dll,LockWorkStation) is executed.
That is: run 1.exe, wait a few seconds (so that the antivirus displays its dialog), and then lock the workstation.
Moreover, at the moment of the lock you can see the antivirus icon change from blue to green. This means it switches from learning mode to permissive mode (everything that is not explicitly prohibited is allowed), which weakens the protection. For example, programs that are not explicitly forbidden from going online will now be allowed to. After logging back in, the icon turns blue again. (UPD: this was the case in the old versions (6.0). In the latest versions it switches into lock mode, which does not weaken the protection at all. Thanks to Andersen for the comment on this.)
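From the defender's side, the batch file above leaves a recognisable trace in process-creation telemetry: a lock issued through rundll32 by the same parent that just started another program. The following hunt over constructed process-creation events is an added example and is not part of the original post; it assumes Sysmon Event ID 1 or Security 4688 records have been exported as one JSON object per line with the fields shown, and the sample lines are constructed, not captured from a real system.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events (not a real capture): one JSON object per line with
# the fields a Sysmon Event ID 1 / Security 4688 export would carry. A cmd.exe
# runs the batch file: it starts 1.exe, stalls with ping, then locks via rundll32.
SAMPLE_EVENTS = r"""
{"ts":"2012-10-02T00:05:00","pid":4100,"ppid":3000,"image":"C:\\Windows\\System32\\cmd.exe","cmd":"cmd /c run.bat"}
{"ts":"2012-10-02T00:05:01","pid":4104,"ppid":4100,"image":"C:\\temp\\1.exe","cmd":"1.exe"}
{"ts":"2012-10-02T00:05:01","pid":4108,"ppid":4100,"image":"C:\\Windows\\System32\\PING.EXE","cmd":"ping 127.0.0.1 -n 10 -w 10000"}
{"ts":"2012-10-02T00:05:12","pid":4112,"ppid":4100,"image":"C:\\Windows\\System32\\rundll32.exe","cmd":"rundll32.exe user32.dll,LockWorkStation"}
{"ts":"2012-10-02T09:00:00","pid":5200,"ppid":3000,"image":"C:\\Windows\\System32\\explorer.exe","cmd":"explorer.exe"}
"""


def parse_events(text):
    """Parse one JSON event per line, skipping blank lines; convert timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def is_rundll32_lock(event):
    """True when the process is rundll32 invoking user32!LockWorkStation."""
    return (event["image"].lower().endswith("rundll32.exe")
            and "lockworkstation" in event["cmd"].lower())


def find_scripted_locks(events, window_s=60):
    """Return (lock_event, siblings) pairs: a rundll32 LockWorkStation call whose
    parent also started other processes within the preceding window_s seconds.
    A user pressing Win+L never goes through rundll32, so this pairing is worth
    an alert on its own."""
    window = timedelta(seconds=window_s)
    by_parent = {}
    for event in events:
        by_parent.setdefault(event["ppid"], []).append(event)
    hits = []
    for lock in events:
        if not is_rundll32_lock(lock):
            continue
        siblings = [s for s in by_parent.get(lock["ppid"], [])
                    if s is not lock and lock["ts"] - window <= s["ts"] <= lock["ts"]]
        if siblings:
            hits.append((lock, siblings))
    return hits
```

Calling find_scripted_locks(parse_events(SAMPLE_EVENTS)) flags the rundll32 lock (pid 4112) together with the 1.exe and ping siblings spawned by the same cmd.exe; the interactive explorer.exe start is not reported.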

Demonstration

The essence of the demonstration:
  1. We check that there is no “test test service” service in the system (we try to stop it, and the system replies that no such service exists)
  2. We run the bat file (which starts the service installer)
  3. Through DebugViewer we can see that the driver started AFTER the system was locked, not before
  4. We again try to stop the “test test service” service. This time it succeeds.

The following versions of Agnitum Outpost Security Suite were tested and are vulnerable:
  1. 7.5.3 (3942.608.1810)
  2. 7.6 (3984.693.1842)


Upd (12/18/2012): the vendor fixed the vulnerability in version 8.0 (4164.652.1856), released December 17, 2012.

Source: https://habr.com/ru/post/161393/
