Is Endpoint Protection susceptible to PsSetLoadImageNotifyRoutine based attacks?

Article ID: 170278

Products

Endpoint Protection

Issue/Introduction

You have grave concerns about a theoretical issue involving PsSetLoadImageNotifyRoutine, which purportedly allows malware authors to circumvent endpoint protection solutions. The news is particularly unsettling because press coverage of the issue indicates that the PsSetLoadImageNotifyRoutine routine has been part of the Windows kernel since Windows 2000, remains present in even the latest Windows builds, and that Microsoft has indicated it will not change anything on its side to fix it.

Environment

Windows 2000 - Windows 10

Windows 2000 Server - Windows Server 2016

Resolution

None of our technologies use the PsSetLoadImageNotifyRoutine routine as a method to block execution. As a result, Symantec Endpoint Protection (SEP) is unaffected by this issue.