Windows and antivirus programs have a blind spot: both can be bypassed using VHD and VHDX disk images.
According to experts, the files inside such an image are not scanned until the image is mounted and the files are launched. VHD and its more modern successor VHDX are disk image formats that behave like physical media. Attackers can place a malicious program inside such an image and trick the victim into downloading it.
As a result, experts say, attackers are able to circumvent the security mechanisms in Windows. The findings were reported by Will Dormann, a security researcher and vulnerability analyst at CERT/CC.
Windows decides how much it trusts data based on where that data came from.
“Physically plugging in a USB mass storage device with a corrupted file system was the obvious attack vector. However, many security concepts are negated when physical access to a system is granted. VHD and VHDX files eliminate the requirement for physical access to a victim system. If a user simply double-clicks on a VHD or VHDX file that contains a specially crafted file system, they risk crashing Windows,” explains Will Dormann.
Windows treats everything downloaded from the Internet as suspect, since there is a high likelihood that downloaded content is malicious.
The OS marks such files with the Mark of the Web (MOTW) label, which restricts what they are allowed to do with computer resources. Users then see a warning about the risk of running files received from the Web.
MOTW is applied to every file downloaded from the Internet, including archives. For some reason, however, the same principle does not apply to VHD and VHDX image files, even though they behave much like ZIP archives.
“Any file inside VHD and VHDX will not be regarded by Windows as a potential threat, as it happens with other types of files downloaded from the Web,” the expert explains.
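The MOTW label the article refers to is stored on NTFS as the Zone.Identifier alternate data stream (ADS) attached to the downloaded file. The following added example (not code from the article or from Will Dormann) reads and interprets that stream so a defender can check what a downloaded file carries; the sample stream text is constructed, and the `read_motw` function only works on NTFS under Windows, where the `:Zone.Identifier` suffix opens the ADS. It also makes the article's point concrete: the check applies to the image file itself, while files inside an unmounted VHD/VHDX have no stream of their own.

```python
"""Read and interpret the Mark of the Web (MOTW) on a downloaded file.

Added example, not from the article. Windows stores MOTW as the
Zone.Identifier alternate data stream on NTFS; its content is an
INI-style block with a ZoneId line. SAMPLE_STREAM below is constructed.
"""
import re
import sys
from typing import Optional

# URL Security Zone numbers as used by Windows; 3 (Internet) is the one
# that triggers the "this file came from the Internet" warning.
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}

# Constructed sample of a Zone.Identifier stream as a browser would write it
# (the URLs are placeholders, not real download locations).
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/downloads/\r\n"
    "HostUrl=https://example.invalid/downloads/disk.vhdx\r\n"
)


def parse_zone_id(stream_text: str) -> Optional[int]:
    """Return the ZoneId from Zone.Identifier text, or None if absent or malformed."""
    in_section = False
    for raw in stream_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section:
            m = re.match(r"ZoneId\s*=\s*(\d+)$", line, re.IGNORECASE)
            if m:
                return int(m.group(1))
    return None


def read_motw(path: str) -> Optional[int]:
    """Return the zone id recorded on `path`, or None when the file has no MOTW.

    Only works on NTFS on Windows. Note the limit the article describes:
    this inspects the image file itself; files inside an unmounted VHD/VHDX
    carry no Zone.Identifier stream, so nothing here can flag them.
    """
    try:
        with open(f"{path}:Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return parse_zone_id(f.read())
    except OSError:
        return None


def describe(zone_id: Optional[int]) -> str:
    """Human-readable summary of a zone id (None means no MOTW at all)."""
    if zone_id is None:
        return "no Mark of the Web (treated as local)"
    return f"ZoneId={zone_id} ({ZONE_NAMES.get(zone_id, 'unknown zone')})"


if __name__ == "__main__":
    # Show the constructed sample, then any paths given on the command line.
    print("sample:", describe(parse_zone_id(SAMPLE_STREAM)))
    for p in sys.argv[1:]:
        print(p, "->", describe(read_motw(p)))
```

Run it with one or more file paths on a Windows machine to see which downloads carry the Internet zone; a downloaded .vhdx will typically show ZoneId=3, but once mounted, the files on the virtual disk report no MOTW at all.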
The researcher posted a video demonstrating his findings.
VHD/VHDX Files and Antivirus
Researchers have found no evidence that any currently deployed antivirus software scans the files contained within a VHD or VHDX file. For enterprises, the inability to scan these files leaves a blind spot until they reach the endpoint: if email and web gateway security products do not scan the contents of VHD and VHDX files, those products have no hope of detecting malware carried inside them.
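A gateway that cannot look inside a disk image can at least recognise one reliably and hold it for a mount-and-scan step, regardless of the extension it arrives with. The following added example (not code from the article or from any gateway product) identifies VHD and VHDX files by their on-disk signatures: a VHDX begins with the ASCII identifier "vhdxfile", and a VHD carries a 512-byte footer starting with the cookie "conectix" at the end of the file, with dynamic and differencing VHDs also keeping a copy at offset 0. The byte strings used as samples are constructed minimal stand-ins, not real images, and the `triage` policy is a hypothetical one for illustration.

```python
"""Flag VHD/VHDX disk images at a mail or web gateway by content, not extension.

Added example, not from the article. Signatures used:
  - VHDX: the file starts with the 8-byte ASCII identifier b"vhdxfile".
  - VHD:  a 512-byte footer at the end of the file starts with b"conectix";
          dynamic and differencing VHDs also keep a copy of it at offset 0.
The samples below are constructed byte strings, not real disk images.
"""
from typing import Optional

VHDX_SIGNATURE = b"vhdxfile"
VHD_COOKIE = b"conectix"
VHD_FOOTER_SIZE = 512

# Constructed samples: just enough bytes to carry each signature.
SAMPLE_VHDX = VHDX_SIGNATURE + b"\x00" * 56
SAMPLE_DYNAMIC_VHD = VHD_COOKIE + b"\x00" * (VHD_FOOTER_SIZE - 8)
SAMPLE_FIXED_VHD = b"\x00" * 1024 + VHD_COOKIE + b"\x00" * (VHD_FOOTER_SIZE - 8)
SAMPLE_TEXT = b"Hello, this is a plain text attachment.\n"


def identify_disk_image(data: bytes) -> Optional[str]:
    """Return 'vhdx', 'vhd' or None based on the file's bytes alone."""
    if data[:8] == VHDX_SIGNATURE:
        return "vhdx"
    if data[:8] == VHD_COOKIE:
        return "vhd"  # dynamic/differencing VHD: footer copy at the start
    if len(data) >= VHD_FOOTER_SIZE and data[-VHD_FOOTER_SIZE:][:8] == VHD_COOKIE:
        return "vhd"  # fixed VHD: footer only at the end of the file
    return None


def triage(filename: str, data: bytes) -> dict:
    """Hypothetical gateway policy: hold anything that is, or claims to be, a disk image.

    A mismatch between what the name claims and what the bytes say is recorded
    as its own signal, since renaming is a cheap way to dodge extension filters.
    """
    kind = identify_disk_image(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claims_image = ext in ("vhd", "vhdx")
    is_image = kind is not None
    return {
        "file": filename,
        "content_type": kind,
        "extension_claims_image": claims_image,
        "mismatch": is_image != claims_image,
        # Hold the message so the image can be mounted and its files scanned,
        # the step the article says gateways otherwise never perform.
        "action": "hold_and_scan_contents" if (is_image or claims_image) else "pass",
    }


if __name__ == "__main__":
    for name, blob in [
        ("disk.vhdx", SAMPLE_VHDX),
        ("backup.vhd", SAMPLE_FIXED_VHD),
        ("report.pdf", SAMPLE_DYNAMIC_VHD),  # renamed image
        ("notes.txt", SAMPLE_TEXT),
    ]:
        print(triage(name, blob))
```

Reading the first 8 bytes and the last 512 bytes is enough for the signature check, so the policy can run on streamed attachments before the full body is spooled; what it cannot do is inspect the files inside, which is exactly the gap the article describes and why the "hold" action hands the image to a mount-and-scan stage.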