New bypass disclosed in Microsoft PatchGuard (KPP) After GhostHook and InfinityHook, we now have ByePg. No patch out yet November 22, 2019 https://www.zdnet.com/article/new-bypass-disclosed-in-microsoft-patchguard-kpp/ ByePg: Defeating Patchguard Using Exception-Hooking
Interesting stuff, and this should be patched by M$ as soon as possible. Because we don't want to end up with the same rootkit mess as on Win XP. If malware can take control of the kernel, there aren't many security tools that will be able to stop them.
That's a no brainer, but what if you are tricked into installing malware? That's the whole point of behavior blocking, you block dangerous behavior from apps that are already running in memory. The problem is that most BB's can't stop malware from modifying the kernel, you need PatchGuard for this. So M$ shouldn't downplay such problems.
Correct, but you can still get tricked. Remember about the CCleaner incident? In thoery, they could have included malware that could bypass KPP, and then it's a whole different ball game.
Thanks for this quotation. I have know this from general overview how Windows works and common sense, but I have never seen stated that so clearly by Microsoft itself.
