TH16115
Detected presence of software components that can tamper with the system security software.
| priority | CI/CD status | severity | effort | RL level | RL assessment |
|---|---|---|---|---|---|
 | pass | high | high | None | None |
About the issueโ
Software components sometimes need to interact with higher privilege parts of the operating system, often requiring administrative access to accomplish a task. Operating systems integrate first and third-party security solutions that can detect and block malicious code. For that reason, attackers often aim to tamper with system security software. Changing antivirus and other security software service settings may enable malicious code to execute without being blocked. While the presence of code that tampers with system security software does not necessarily imply malicious intent, all of its uses in a software package should be documented and approved. Only select applications should consider using functions that can temporarily disable system security features. One example of acceptable use for such functions is allowing specialized applications to modify protected folders and settings.
How to resolve the issueโ
- Investigate reported detections as indicators of software tampering.
- Consult Mitre ATT&CK documentation: T1562.001 - Disable or Modify Tools.
- Consider rewriting the flagged code without using the marked behaviors.
Recommended readingโ
- T1562.001 - Disable or Modify Tools (External resource - Mitre ATT&CK documentation)
- Computer security software (External resource - Wikipedia)