[weinzierl]

As I understand, this only manifests after a reboot and if the 'content update' is tested at all it is probably in a VM that just gets thrown away after the test and is never rebooted.

Also, this makes me think:

How hard would it be to craft a malware that has the same signature as an important system file?

Preferably one that doesn't cause immediate havoc when quarantined, just a BSOD after reboot, so it slips through QA.

I don't believe this is what's happened, but I think it is an interesting threat.

[ExoticPearTree]

Nope, not after a reboot. Once the "channel update" is loaded into Falcon, the machine will crash with a BSOD and then it will not boot properly until you remove the defective file.

[jodrellblank]

> How hard would it be to craft a malware that has the same signature as an important system file?

Very, otherwise digital signatures wouldn’t be much use. There are no publicly known ways to make an input which hashes to the same value as another known input through the SHA256 hash algorithm any quicker than brute-force trial and error of every possibility.

This is the difficulty that BitCoin mining is based on - the work that all the GPUs were doing, the reason for the massive global energy use people complain about is basically a global brute-force through the SHA256 input space.

See the “find a custom SHA256” challenge on HN last month discussions: https://news.ycombinator.com/item?id=40683564

[weinzierl]

I was talking about malware signatures, which do necessarily use cryptographic hashes. They are probably more optimized for speed because the engine needs to check a huge number of files as fast as possible.

[jodrellblank]

Cryptographic hashes are not the fastest possible hash, but they are not slow; CPUs have hardware SHA acceleration: https://www.intel.com/content/www/us/en/developer/articles/t... - compared to the likes of a password hash where you want to do a lot of rounds and make checking slow, as a defense against bruteforcing.

That sounds even harder; Windows Authenticode uses SHA1 or SHA256 on partial file bytes, the AV will use its own hash likely on the full file bytes, and you need a malware which matches both - so the AV will think it's legit and Windows will think it's legit.

[andrecarini]

> same signature as an important system file

AFAIK important system files on Windows are (or should be) cryptographically signed by Microsoft. And the presence of such signature is one of the parameters fed to the heuristics engine of the AV software.

> How hard would it be to craft a malware that has the same signature as an important system file?

If you can craft malware that is digitally signed with the same keys as Microsoft's system files, we got way bigger problems.

[patmorgan23]

>How hard would it be to craft a malware that has the same signature as an important system file?

Extremely, if it were easy that means basically all cryptography commonly in use today is broken, the entire Public Key Infrastructure is borderline useless and there's no point in code signing anymore.