A researcher has found that a legitimate Windows tool called “wsreset” can be used to delete arbitrary files with basic user privileges and thereby bypass antivirus protection on the host system. “wsreset” is a tool Windows uses to clear the cache and cookie files of the Windows Store, for example during troubleshooting. But redirecting it with a folder junction technique can help an attacker disable antivirus software.
Hackers Can Disable Antivirus by Using a Windows Tool
As described by Daniel Gebert and reported by BleepingComputer, “wsreset” is a legitimate tool within Microsoft Windows that deletes the files in the Cache and Cookies folders of the Windows Store. The Windows Store keeps these files in the following paths:
Having found that this tool resets the files in those folders, Gebert then tried pointing it at a different folder using a “folder junction”, a concept similar to symbolic links. Linking a chosen folder to the path above lets “wsreset” delete the files inside that linked folder. Following this assumption, Gebert first deleted the files in the “INet” folder and then linked it to the “etc” folder at
“C:\Windows\System32\drivers\etc”. The “etc” folder contains files that a user with basic privileges cannot delete; an admin account is needed. But the “wsreset” tool bypasses this barrier and deletes files even in such folders.
After realising that “wsreset” is capable of deleting even the files in the “etc” folder, Gebert finally linked the path to an antivirus product’s configuration files. Here he took the example of the Adaware software, which stores its files in
‘C:\ProgramData\adaware\adaware antivirus’. While regular users cannot modify or delete Adaware’s configuration files, “wsreset” bypassed this restriction with full privileges and deleted those files as intended, thus disabling the antivirus.
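The abuse described above hinges on the Store cache folder (or one of its subfolders) being replaced by a junction that points somewhere else, so a defender can audit for exactly that condition. The PowerShell script below is an added example, not code from the article or from Gebert; it assumes the operator supplies the Store cache path as a parameter (the article does not list the path, so a placeholder is used) and relies on the LinkType and Target properties that the file system provider exposes on directory objects in Windows PowerShell 5 and later.

```powershell
# Added example (not from the article): audit a Windows Store cache folder for
# junctions or symbolic links whose target lies outside that folder.
# -CacheRoot is an assumption: supply the Store cache folder under the profile
# of the user being checked (placeholder default shown, replace it).
param(
    [string]$CacheRoot = "$env:LOCALAPPDATA\<STORE-CACHE-FOLDER-PLACEHOLDER>"
)

function Find-CacheReparsePoints {
    param([Parameter(Mandatory = $true)][string]$Root)

    # Resolve the root as given (Resolve-Path does not follow reparse points),
    # so a junction at the root itself is still reported below.
    $resolvedRoot = (Resolve-Path -LiteralPath $Root).ProviderPath.TrimEnd('\')

    # Check the cache root and its immediate subfolders; no -Recurse, because
    # recursing would walk into whatever a planted junction points at.
    $candidates = @(Get-Item -LiteralPath $resolvedRoot -Force) +
                  @(Get-ChildItem -LiteralPath $resolvedRoot -Force -Directory -ErrorAction SilentlyContinue)

    foreach ($item in $candidates) {
        # Junctions and symlinks carry the ReparsePoint attribute.
        if (-not ($item.Attributes -band [IO.FileAttributes]::ReparsePoint)) { continue }

        # Target is string[] on Windows PowerShell 5.1 and string on PowerShell 7;
        # wrapping in @() handles both.
        $target = @($item.Target)[0]
        $outside = $false
        if ($target) {
            $outside = -not $target.TrimEnd('\').StartsWith($resolvedRoot, 'OrdinalIgnoreCase')
        }

        [pscustomobject]@{
            Path     = $item.FullName
            LinkType = $item.LinkType
            Target   = $target
            # A cache folder redirected to a path outside itself (for example a
            # system or ProgramData folder) is the condition worth alerting on.
            Suspicious = $outside
        }
    }
}

$findings = @(Find-CacheReparsePoints -Root $CacheRoot)
if ($findings.Count -eq 0) {
    Write-Output "No reparse points found under $CacheRoot"
} else {
    $findings | Format-Table -AutoSize
    if ($findings | Where-Object Suspicious) {
        Write-Warning "Cache folder redirected outside its root; investigate before wsreset runs."
    }
}
```

Run it in the context of the user whose profile holds the cache, since the folder lives under that profile. A junction or symlink under the cache root whose target is outside it has no legitimate reason to exist and is the artifact to hunt for; pairing this check with process-creation logging for wsreset.exe gives the timeline of when the redirected cleanup was triggered.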