TH16116
Detected presence of software components that can bypass system security software.
| priority | CI/CD status | severity | effort | RL level | RL assessment |
|---|---|---|---|---|---|
 | pass | high | high | None | None |
About the issueโ
Software components sometimes need to interact with higher privilege parts of the operating system, often requiring administrative access to accomplish a task. Operating systems integrate first and third-party security solutions that can detect and block malicious code. For that reason, attackers often aim to bypass system security software. Disabling antivirus and other security software services enables malicious code to execute without being blocked. While the presence of code that interacts with system security software does not necessarily imply malicious intent, all of its uses in a software package should be documented and approved. Only select applications should consider using functions that can disable system security software. One example of acceptable use for such functions is allowing specialized applications to modify protected folders and settings.
How to resolve the issueโ
- Investigate reported detections as indicators of software tampering.
- Consult Mitre ATT&CK documentation: T1562.001 - Disable or Modify Tools.
- Consider rewriting the flagged code without using the marked behaviors.
Recommended readingโ
- T1562.001 - Disable or Modify Tools (External resource - Mitre ATT&CK documentation)
- Computer security software (External resource - Wikipedia)