Microsoft bans Trend Micro driver, Trend Micro removes RootkitBuster for Windows 10; who’s winning the big driver fight between Microsoft and Trend Micro?
A big Windows 10 driver fight is going on unnoticed by tech watchers. Microsoft and Trend Micro have been fighting over drivers for Windows 10. It all started when an independent researcher, Bill Demirkapi, discovered that Trend Micro’s top Windows 10 driver fails in quality assurance testing.
Demirkapi published a blog post explaining how Trend Micro’s RootkitBuster could be used to install a rootkit on PCs and laptops running Windows 10. Trend Micro advertised RootkitBuster as a one-stop solution for scanning hidden files, registry entries, processes, drivers, and the master boot record (MBR) to identify and remove rootkits. Demirkapi found that he could exploit RootkitBuster to install a rootkit instead.
Demirkapi is an 18-year-old computer security student at the Rochester Institute of Technology in the U.S. and has already presented a research paper at DEF CON. He told The Register how he found the exploit while researching Trend Micro’s RootkitBuster for Windows 10 PCs.
Demirkapi found that he could exploit the way Trend Micro’s RootkitBuster, which uses the tmcomm.sys driver, altered how it allocated memory in order to pass Microsoft’s Windows Hardware Quality Labs (WHQL) certification tests. To exploit RootkitBuster, an attacker needs administrator access.
When The Register reported the issue, Microsoft blocked a Trend Micro driver, tmcomm.sys, from running on Windows 10 and started a virtual #DriverWar. Trend Micro, not to be left behind, has withdrawn downloads of its rootkit detector that uses the driver.
I've tried to validate @BillDemirkapi's research and was greeted with the following message:
Error code: (NTSTATUS) 0xc000036b (3221226347) – Driver %2 has been blocked from loading.
— Alex Ionescu (@aionescu) May 27, 2020
As of now, the #DriverWar between Trend Micro and Microsoft has reached a sort of stalemate, with Microsoft blacklisting the driver and Trend Micro removing RootkitBuster for Windows 10.