Gravity Zone Software Execution Policy Bypass

Moisés Cerqueira
Moisés Cerqueira Network Security Analyst | Threat Hunter

Hi guys, all right? During the last week, I've been testing some features of GravityZone and one of them was the program execution blocking policy.

From what I verified, we can block the execution of a software both by the absolute path and by the Hash (MD5/SHA).

I used an EDR test file without changes and it was blocked; however after I used the program "MD5-Hash-Changer" to change the hash value of the .exe, I was able to run it without major problems.

Is there any way to counter this technique?

Answers

  • Gjoksi
    Gjoksi DEFENDER OF THE YEAR 2022 / DEFENDER OF THE MONTH ✭✭✭✭✭

    Hello.

    Since you need help with business product, @Alex_Dr or @Andra_B (they both provide support for business products) could take a look here and help you with the issue.

    Also, you can always contact the Bitdefender business support:

    Regards.

  • Alex_Dr
    Alex_Dr Quality & Customer Experience Specialist BD Staff

    Hello @Moisés Cerqueira,


    The way to counter this technique would be to block using a combination of the hash & executable file, otherwise, it will still work, as Bitdefender does not match the program the needs to be blocked with what was modified.

    I hope I have answered your request. Do let me know if additional assistance is required.


    Best regards,

    Alex D.