A Microsoft cybersecurity team has blocked a free Trend Micro anti-virus tool from running on Windows 10 after it appeared to alter its behaviour in order to, allegedly, cheat its way through the stringent certification test for drivers.
For third-party drivers, passing Microsoft’s Windows Hardware Quality Labs (WHQL) certification test is necessary.
If a driver meets the grade, it can be digitally signed by Microsoft, is trusted by Windows, and can potentially be distributed via Windows Update and similar mechanisms, reports The Register.
After reverse-engineering the driver, which sits at the heart of Trend Micro’s Rootkit Buster software, Microsoft’s team was able to pinpoint flaws in the code and ascertain that the software can evade the hardware certification tests.
Meanwhile, Trend Micro has also withdrawn downloads of its rootkit detector that uses the driver.
Windows internals guru Alex Ionescu first discovered that Microsoft had blocked Trend Micro’s driver.
Computer security researcher Bill Demirkapi also revealed shortcomings in the driver’s code as well as an effort by the software to detect Microsoft’s QA test suite.
The Rootkit Buster software has now disappeared from cybersecurity firm Trend Micro’s website.
According to the company, it has found “a medium-level security issue and are working to ensure it is properly and quickly resolved”.
“We are working closely with our partners at Microsoft to ensure that our code is in compliance with their rigorous standards,” said a company spokesperson.
Rootkit Buster is a free tool released in 2018 that hunts down rootkits, which are designed to evade detection, by scanning hidden files, registry entries, processes, drives and the master boot record.
The software also examines kernel code patches, operating system service hooks, file streams, ports, and services to identify and remove malicious rootkits, reports IT Pro.