Microsoft bans Trend Micro driver from Windows 10 for "cheating" hardware tests

Rootkit Buster tool is plagued with "terrible code" designed to evade Microsoft’s WHQL driver certification


Microsoft has blocked a free antivirus tool developed by Trend Micro after the security firm was accused of designing its driver to “cheat” hardware tests through coding trickery.

After reverse-engineering the ‘tmcomm’ driver, which sits at the heart of Trend Micro’s Rootkit Buster software, security researchers have blasted several aspects of the code. Not only were they able to run exploits, but they also ascertained how the software can circumvent hardware certification tests.

Microsoft has, as a consequence, banned Rootkit Buster from Windows 10, with researchers Bill Demirkapi and Alex Ionescu confirming the software can’t load on the latest version of Windows 10, dubbed 20H1. Trend Micro has also removed download links to the software from its website.

Rootkit Buster is a free tool released in 2018 that hunts down rootkits designed to evade detection by scanning hidden files, registry entries, processes, drives and the master boot record. The software also examines kernel code patches, operating system service hooks, file streams, ports, and services to identify and remove malicious rootkits.

The code at the heart of Rootkit Buster is not just “really, really bad”, however, but allocates memory in such a way that it only uses secure memory if it knows it's being watched by Microsoft’s Driver Verifier, according to research published by Demirkapi.

WHQL, of which Driver Verifier is a key component, is a procedure for certifying that hardware for peripherals and other components is compatible and works as expected with Windows operating systems. In passing the test, a driver is digitally verified and can even be potentially distributed through Windows Update.

The software performs checks for Driver Verifier, and can thus adapt to behave differently on systems running the examination. Therefore, the driver at the heart of Rootkit Buster can "cheat" these hardware examinations and gain WHQL certification.

To pass the test, a driver must take its memory from the operating system's no-execute non-paged pool, as a precaution. This memory is non-executable for the CPU, meaning that if hackers manage to hide malicious code in it, by exploiting a security lapse in the driver's code, for instance, then it’s extremely difficult to run.

Driver Verifier tests for whether drivers use non-executable memory in this way. When tmcomm runs on a machine with the test in play, it demands memory from the no-execute non-paged pool, as expected. When the test isn’t running, however, it requests memory from the executable non-paged pool. This would fail the WHQL standard.
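The behaviour described above is what an auditor would look for when evaluating a driver: run it once with Driver Verifier attached and once without, record the pool type of each allocation, and compare. The following user-mode C model of that comparison is an added example, not Trend Micro's or Microsoft's code; the POOL_TYPE numeric values are the real WDK ones, the trace is constructed, and the audit logic is a hypothetical check, not part of Driver Verifier.

```c
#include <stdbool.h>
#include <stddef.h>

/* Real WDK POOL_TYPE values: the NX bit (0x200) turns the executable non-paged
 * pool into the no-execute non-paged pool that Driver Verifier insists on. */
enum pool_type { NonPagedPool = 0, PagedPool = 1, NonPagedPoolNx = 512 };

/* One allocation from a driver trace: pool requested, and whether Verifier was attached. */
struct alloc_record { enum pool_type pool; bool verifier_on; };

enum verdict {
    VERDICT_CLEAN = 0,            /* no executable pool in either run */
    VERDICT_EXECUTABLE_POOL = 1,  /* executable pool even under Verifier: fails outright */
    VERDICT_ENV_DEPENDENT = 2     /* clean under Verifier, executable pool otherwise */
};

/* Base non-paged pool without the NX bit is the executable pool. */
static bool is_executable_pool(enum pool_type t) {
    return (t & NonPagedPoolNx) == 0 && (t & PagedPool) == 0;
}

/* Diff executable-pool use between the Verifier-on and Verifier-off runs. A driver
 * that is only clean while it is being watched gets VERDICT_ENV_DEPENDENT. */
enum verdict audit_allocations(const struct alloc_record *recs, size_t n) {
    size_t exec_on = 0, exec_off = 0;
    for (size_t i = 0; i < n; i++) {
        if (!is_executable_pool(recs[i].pool)) continue;
        if (recs[i].verifier_on) exec_on++; else exec_off++;
    }
    if (exec_on > 0) return VERDICT_EXECUTABLE_POOL;
    if (exec_off > 0) return VERDICT_ENV_DEPENDENT;
    return VERDICT_CLEAN;
}

/* Constructed trace modelling the behaviour the article describes (not real tmcomm data). */
enum verdict audit_sample_trace(void) {
    const struct alloc_record trace[] = {
        { NonPagedPoolNx, true  },  /* Verifier attached: asks for the NX pool */
        { NonPagedPoolNx, true  },
        { NonPagedPool,   false },  /* Verifier absent: asks for the executable pool */
        { PagedPool,      false },
    };
    return audit_allocations(trace, sizeof trace / sizeof trace[0]);
}
```

A driver that honestly allocates from NonPagedPoolNx in both runs (or opts in with POOL_NX_OPTIN so plain NonPagedPool is treated as NX) comes out VERDICT_CLEAN; the verdict that matters is the divergence, which a single Verifier-on run can never see.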

“Passing Driver Verifier has been a long-time requirement of obtaining WHQL certification,” Demirkapi said in his research. 

“On Windows 10, Driver Verifier enforces that drivers do not allocate executable memory. Instead of complying with this requirement designed to secure Windows users, Trend Micro decided to ignore their user’s security and designed their driver to cheat any testing or debugging environment which would catch such violations.

“Honestly, I’m dumbfounded. I don’t understand why Trend Micro would go out of their way to cheat in these tests. Trend Micro could have just left the Windows 10 check, why would you even bother creating an explicit check for Driver Verifier?”

Trend Micro previously faced the ire of Apple in 2018 after Malwarebytes researchers spotted that six apps were needlessly exfiltrating data to a server in China. Trend Micro flatly denied the charges it was stealing user data.

IT Pro approached Trend Micro and Microsoft for a statement. 
