Comment by merb

4 years ago

Well, as said, it's an elevated process that can completely disable SmartScreen, so an attacker would only need to run an exe that downloads another malicious exe after it disabled SmartScreen, which would then not be blocked.

Imagine a program, WinSudo.exe. This program runs elevated, by magic. It passes its arguments to CreateProcess(). You call WinSudo.exe Virus.exe. Virus.exe execution is blocked by SmartScreen.

(This scenario is itself a security flaw that existed for some combinations of Windows system utilities, so this is a real concern.)

Now, you could change WinSudo.exe to disable SmartScreen, sure -- but this requires you to be able to modify WinSudo.exe (which should require Administrator), and the mismatched binary would ALSO flag SmartScreen.

  • Well, WinSudo.exe DisableSmartScreenAndCallVirus.exe Virus.exe might work if the first two are not SmartScreen-detected yet. A simple program might not be detected by SmartScreen yet.