News Releases

enSilo Reveals Evasive Attack Technique Bypassing Antivirus (AV) and Next Generation Antivirus (NGAV) Prevention Defenses at Black Hat Europe
Stealthy "Doppelgänging" attack can make even known malware invisible to market-leading AV and NGAV security products by abusing how Microsoft Windows file systems handle transaction features

LONDON, Dec. 7, 2017 /PRNewswire/ -- enSilo, the company that protects endpoints pre- and post-infection and stops data breaches in real time, today released high-profile cybersecurity research at Black Hat Europe revealing how cybercriminals can take advantage of Microsoft Windows features to slip malicious ransomware and other threats past most updated, market-leading AV and NGAV security products protecting corporate laptops, servers and other sensitive devices.

In their presentation, "Lost in Transaction: Process Doppelgänging," enSilo researchers Eugene Kogan and Tal Liberman demonstrated how to conceal malicious activity deep at the operating system level by manipulating how Windows handles file transactions. By passing off malicious actions as benign, legitimate processes, Kogan and Liberman found a potent way for even relatively less-sophisticated attackers to give new life to malicious code threats well-known to security vendors. Once cloaked with "Process Doppelgänging," these threats can impact the latest versions of Windows protected with fully-updated AV and NGAV security products, where malware payloads can proceed to ransom files, capture keystrokes or steal priceless data.

enSilo's Black Hat Europe research is available for download here. Additionally, interested viewers can register to attend a free, public webinar on Process Doppelgänging with Liberman, where he will provide a walk-through of threats and defenses.

In addition to blinding Windows' embedded defense mechanisms and third-party AV and NGAV security products to incoming threats, Process Doppelgänging gives attackers the further advantage of leaving no traceable evidence behind - making this type of intrusion extremely difficult to detect after the fact with the latest forensic techniques.

enSilo customers are already protected from Process Doppelgänging in the wild, via enSilo's proven pre and post infection endpoint security platform combining automated, blocking-enabled Endpoint Detection and Response (EDR) capabilities with Threat Hunting, Incident Response, and Virtual Patching features. enSilo's integrated approach sees and arrests attacks impersonating legitimate Windows processes, affording users additional peace of mind - instead of the uncertainty and management burdens of relying on multiple, piecemeal endpoint protection tools.

"The 'Process Doppelgänging' attack method we discovered leverages several complex mechanisms in Windows operating systems and intimate knowledge of the inner-workings of AVs' file scanning engines. Putting all this together allows masquerading a malicious executable as legitimate, bypassing all tested security products," Liberman explained. "This is another example of how a few subtle manipulations of code, based on deep insight into the operating system internals, are all that is required to upend many layered detection and traditional prevention defenses," Kogan added. "Our research shows that even the latest protections can be negated by an attacker's creative bid to skip a malicious file payload altogether and infiltrate dangerous content through Windows' intricacies."

Kogan and Liberman's selection to present at Black Hat Europe is the latest recognition given to enSilo's renowned team of security researchers working tirelessly to defend customers and the wider security community from evolving threats. enSilo has earned recognition for high-profile work uncovering security risks with major operating systems and novel attack methods. This includes offering an independent patch for Windows' ESTEEMAUDIT remote desktop protocol vulnerability, detailing "AtomBombing" attacks that inject malicious code through Windows atom tables and revealing how attackers can hijack anti-virus products' own features to defeat security measures.

About enSilo
enSilo comprehensively secures the endpoint pre- and post-infection. enSilo automates and orchestrates detection, prevention and real-time response against advanced malware and ransomware without burdening cybersecurity staff. enSilo's single lightweight agent includes next generation antivirus (NGAV), application communication control, automated endpoint detection and response (EDR) with real-time blocking, threat hunting, incident response and virtual patching capabilities. Coupled with a patented approach that has full system visibility, enSilo's endpoint security solution stops modern malware with a high degree of precision and intuitive user interface. Cybersecurity staff with enSilo can effectively manage malware threats without alert fatigue, excessive dwell time or breach anxiety. enSilo's cloud management platform is flexible and extensible to meet operational needs that stop malware impact. For more information please visit



For further information: