Updated Microsoft has blocked a Trend Micro driver from running on Windows 10 – and Trend has withdrawn downloads of its rootkit detector that uses the driver – after the code appeared to game Redmond's QA tests.
Late last week, Trend removed downloads of its Rootkit Buster from its website. And last night it emerged the kernel-level driver at the heart of the software,
tmcomm.sys, was added to Windows 10 20H1's list of blocked drivers – preventing it from loading and Rootkit Buster from running.
Windows internals guru and CrowdStrike veep Alex Ionescu discovered the blockade, and highlighted it on Twitter, while investigating research by computer security undergrad Bill Demirkapi that revealed not only shortcomings in the driver's code but also an effort to detect Microsoft's QA test suite.
Passing these tests is highly desirable: if a driver meets the grade, it can be digitally signed by Microsoft, is trusted by Windows, and potentially can be distributed via Windows Update and similar mechanisms.
One of the requirements is that, for security reasons, the driver requests memory only from the operating system's non-executable non-paged pool of available RAM. By doing this, exploits that attempt to run malicious code injected into a driver's memory via a vulnerability are hampered.
If the Trend Micro driver detects it's running on a computer undergoing WHQL testing, it requests from this specific non-executable pool as expected. However, if it doesn't detect the presence of Microsoft's driver verifier software, it draws from the executable non-paged pool, which is insecure and would cause it to fail the certification test. It is not clear why Trend's software does this; it may be because using the non-executable pool triggers bugs within its code.
The Register has verified Demirkapi's findings by reverse-engineering the driver code, specifically version 22.214.171.1240 that shipped with Rootkit Buster.
By default, it sets a variable at
0x18005aa4c to zero. This variable holds the pool type: zero being the executable non-paged pool. This variable is passed to the kernel whenever the driver allocates memory. Thus, the driver by default allocates from the executable non-paged pool, which would fail the certification test.
0x180030b23 checks the value of the registry key
VerifyDriverLevel, which indicates whether Microsoft's driver certification test is running. If it cannot detect the verifier, it returns the value zero.
0x180035efa, the driver checks to see if it is running on Windows 10 or higher, and if
IsVerifierCodeCheckFlagOn() returns a non-zero result, meaning the verifier was detected. If it was detected, and we're on Windows 10 or higher, the pool type variable is changed to 512 (
0x200), which is the identifier for the non-executable non-paged pool. Thus all subsequent allocations are made from the non-executable pool, aka the
NonPagedPoolNx, as expected by the verifier.
Otherwise, the driver continues using its default: the executable non-paged pool, which is against Microsoft's rules.
Reconstructed C from driver's machine code by Hopper, showing the check for Windows 10, or higher, and the verifier detection call. If successful, it changes the pool type for the driver to 0x200, or 512, which is the non-executable pool. By default, it uses the executable pool ... Click to enlarge
We note that while the driver appears in other Trend Micro products, they may not necessarily be using the now-blocked driver, or may have received a suitable hot fix, and thus will continue working on Windows 10 20H1.
Trend Micro has ignored our repeated requests for an explanation as to why its software altered its operation specifically while under test, though it insisted "at no time was the Trend Micro team avoiding certification requirements." A spokesperson for Trend was not available for immediate comment on the move to block the driver on Windows 10.
Before the weekend, and after we noticed the Rootkit Buster software had disappeared from its website, a Trend spokesperson told us it removed the product after discovering an unidentified vulnerability: "While investigating claims in [Demirkapi's] blog, our development teams identified a potential medium-level security issue and are working to ensure it is properly and quickly resolved. Out of an abundance of caution, we have taken down the current version of the tool from our site while we evaluate and remediate.
We are working closely with our partners at Microsoft to ensure that our code is in compliance with their rigorous standards
"As for the allegation that Trend Micro is somehow trying to work around Microsoft’s certification process, we want to again make clear that this is indeed not the case and we are working closely with our partners at Microsoft to ensure that our code is in compliance with their rigorous standards."
That would suggest Trend Micro didn't intend to deliberately swerve Microsoft's certification checks. Demirkapi, and your humble vultures, remain puzzled, though, as to why the Rootkit Buster would need this WHQL detection code in the first place, even for testing or debugging purposes.
"It just doesn't make sense that they would add extra code and go out of their way to check for it," Demirkapi told The Register. "Why not use NonPagedPoolNx all the time for systems that support it? There is no reason I can think of.
"Trend Micro must be held accountable for their extremely questionable code. Trend Micro continues to deny my claims that they are cheating Microsoft's certification standards, but their lack of an explanation only reaffirms my position. The evidence has shown that Trend Micro designed their driver to specifically detect testing environments, including Microsoft's own testing platform for WHQL certification." ®
Trend's PR people have stressed once again that "Trend Micro is not cheating any tests," although declined to explain why the driver code was detecting the presence of the Windows certification suite.
They also said Trend asked Microsoft to block the driver in the latest version of Windows 10, aka the May 2020 update or 20H1, due to "compatibility" testing.
"Microsoft’s actions were per request from Trend Micro and in no way negatively affiliated," a spokesperson told us. "Trend Micro made the request for this block because of internal compatibility testing for the next major Windows 10 update."
Trend also assured us its other customer protection software, aside from the withdrawn Rootkit Buster, will continue to work. The antivirus maker also disagreed that this kerfuffle was a scandal, as we suggested in the sub-headline. "Microsoft and Trend Micro are working very closely together," a Trend spokesperson told us.
We've asked Microsoft to confirm Trend's assertions. We also note that Trend and Microsoft share the same PR mega-agency: Waggener Edstrom Communications. No doubt they'd remind us the teams working on Trend Micro and Microsoft are completely separate.
Reverse-engineering by Chris Williams.
Sponsored: Ransomware has gone nuclear