In a case of asking who watches the watchers, security company Trend Micro has been discovered cheating on Microsoft’s kernel driver security test suite.
The kernel driver in question, tmcomm.sys, appears to detect Microsoft’s WHQL test suite and change its behaviour to be more compliant, in particular by only using Windows 10’s non-executable non-paged pool of available RAM. When running on regular systems no such restriction applies, which led critics to call this Trend Micro’s Volkswagen moment, after the similar case in which VW cars detected emissions testing and switched to a less polluting mode, while in regular use they polluted far more.
VW was fined billions of dollars, but in Trend Micro’s case the main consequence was that Microsoft added it to the banned list on their Driver Compatibility Database, which means the driver is now blocked from installing on Windows 10.
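A defender-side check, added here as an example and not taken from the article, Microsoft or Trend Micro: a PowerShell snippet that reports whether tmcomm.sys is registered as a system driver on a Windows host and how the binary is signed. The match on the file name and the path normalisation are assumptions; the driver's service name is not given in the article.

```powershell
# Added example: look for the tmcomm.sys driver named in the story and report its signer.
# Assumption: the driver's registered binary path ends in "tmcomm.sys".
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -and $_.PathName -match 'tmcomm\.sys$' }

if (-not $drivers) {
    Write-Output "tmcomm.sys is not registered as a system driver on this host."
    return
}

foreach ($d in $drivers) {
    # PathName may be in \??\ or \SystemRoot\ form; normalise the common variants.
    $path = $d.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$($env:SystemRoot)\"
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $ver  = (Get-Item -Path $path).VersionInfo.FileVersion
    [pscustomobject]@{
        Service = $d.Name
        Path    = $path
        State   = $d.State
        Version = $ver
        Signer  = $sig.SignerCertificate.Subject
        SigOK   = $sig.Status
    }
}
```

Run it across a fleet to find hosts still carrying the driver version that Microsoft has since blocked.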
Trend Micro has already withdrawn Rootkit Buster from their website, and claims they have actually asked Microsoft to block the driver, saying:
While investigating claims in [Demirkapi’s] blog, our development teams identified a potential medium-level security issue and are working to ensure it is properly and quickly resolved. Out of an abundance of caution, we have taken down the current version of the tool from our site while we evaluate and remediate.
“As for the allegation that Trend Micro is somehow trying to work around Microsoft’s certification process, we want to again make clear that this is indeed not the case and we are working closely with our partners at Microsoft to ensure that our code is in compliance with their rigorous standards.”
While Trend Micro claims to be working closely with Microsoft on the issue, Microsoft has so far declined to comment.
via The Register