Kaspersky and process hollowing?

Discussion in 'other anti-virus software' started by shmu26, Apr 27, 2016.

  1. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    Is Kaspersky effective against process hollowing and malicious code injection that allows malware to perform functions without detection?

    If not, is there a solution for this?
     
  2. drakhil

    drakhil Registered Member

    Joined:
    Jun 27, 2010
    Posts:
    30
    Kaspersky Internet Security has Trusted Applications Mode; if enabled, it allows only verified applications to run. Hope this helps.
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    For starters, there are many different ways to perform process hollowing. You can read about a few of the techniques here: http://journeyintoir.blogspot.com/2015/02/process-hollowing-meets-cuckoo-sandbox.html . Whether a given security solution can prevent any or all of the process hollowing methods that can be employed can only be determined by testing each one against the security solution.

    That said, someone here: http://www.rohitab.com/discuss/topic/41106-kaspersky-2015-process-injection-detection/ tried a few basic process hollowing methods and Kaspersky immediately blocked them. The specific APIs Kaspersky detected in this instance were:

    NtQueueApcThread - to set the shellcode entrypoint for launch
    NtSetContextThread - to change thread EIP - Detected!
    NtSetContextThread - to change EAX to shellcode entry point (EAX holds module entry point in RtlUserThreadStart) - Detected!
    NtWriteVirtualMemory - to overwrite opcodes at EIP - Detected! (any write to the process is detected).

    So it appears Kaspersky has above-average detection of process memory modification.
     
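    As an added illustration (not code from this thread, from Kaspersky, or from the linked posts), here is how a defender could correlate the API calls itman lists into one alert per target process, run over a constructed API-monitor trace. The trace format, the PIDs and the function names are assumptions; the stage set mirrors the thread's point that many hollowing variants exist, so no single call such as an unmap is required.

```python
"""Correlate API-monitor events into a process-hollowing alert.

Constructed sample trace (not from the thread); the event format is
hypothetical:  <caller_pid> <api> <target_pid>
"""
from collections import defaultdict

# The memory-modification calls named in the thread, plus the resume
# that lets the hijacked process run. Stages are deliberately coarse:
# hollowing variants differ, so we key on write + entry redirect + resume.
STAGES = {
    "NtWriteVirtualMemory": "write",
    "NtQueueApcThread": "entry",
    "NtSetContextThread": "entry",
    "NtResumeThread": "resume",
}

def parse_trace(lines):
    """Turn raw trace lines into (caller_pid, api, target_pid) tuples."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        caller, api, target = line.split()
        events.append((int(caller), api, int(target)))
    return events

def find_hollowing(events):
    """Return {target_pid: caller_pid} for each cross-process sequence that
    wrote memory, redirected execution, and then resumed the target."""
    seen = defaultdict(set)  # (caller, target) -> stages observed so far
    alerts = {}
    for caller, api, target in events:
        if caller == target or api not in STAGES:
            continue  # self-modification and unrelated calls are ignored
        key = (caller, target)
        stage = STAGES[api]
        if stage == "resume":
            # only alert when both earlier stages were seen for this pair
            if {"write", "entry"} <= seen[key]:
                alerts[target] = caller
        else:
            seen[key].add(stage)
    return alerts

SAMPLE_TRACE = """
# caller_pid api target_pid   (constructed example)
4000 NtWriteVirtualMemory 4000
4000 NtCreateUserProcess 4120
4000 NtUnmapViewOfSection 4120
4000 NtWriteVirtualMemory 4120
4000 NtSetContextThread 4120
4000 NtResumeThread 4120
5200 NtWriteVirtualMemory 5300
5200 NtResumeThread 5300
"""

if __name__ == "__main__":
    print(find_hollowing(parse_trace(SAMPLE_TRACE.splitlines())))  # {4120: 4000}
```

    The second pair (5200 writing into 5300) is not flagged because no entry-point redirection was seen; a stricter rule in the spirit of Kaspersky's "any write is detected" behaviour would alert on the write alone.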
  4. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    Thanks for the detailed reply. I learned a lot from it.
     
  5. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    That feature doesn't help in this case, because the whole idea of process hollowing is that the malware appears to your AV as if it is a trusted process. It gets inside the trusted process and hijacks it, inheriting its permissions. That is why whitelisting will not protect against process hollowing.
     
  6. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    In theory, TAM can still be effective against process hollowing. It depends on the programs it protects, though. In Kaspersky's white paper about TAM, TAM implements a "security corridor" on protected programs. This means that Kaspersky wouldn't allow these programs to do anything that they are not supposed to do. This is similar to the MemoryGuard of AppGuard.
    But, still, there are programs that Kaspersky won't protect with TAM. Examples are Pale Moon and Cyberfox.
    You will know about this because if TAM is enabled, you'll see two additional folders under Application Control categories. I think they are called "Control created programs" and "Additionally controlled". I'm not sure about the names, though, because I disabled TAM.
     
  7. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    Very interesting, thanks.
     