V1.2112 stopped by Sophos for "CodeCave" malicious behavior

PostPosted: Mon Oct 28, 2019 3:12 pm
Win 10 Pro 64bit.
Install finishes, Sophos AV stops UCCNC from running with a "'CodeCave' malicious behavior prevented in UCCNC".

I saw that you fixed an Avast AV bug that Vmax549 found. Could this be the same bug? Would it be possible to get another test version out to see if this clears things up?

From their documentation:

Code Cave
Code cave is a technique used by adversaries where they modify what is likely legitimate
software so that it contains an additional application. This additional application
is inserted into what is called a code cave, a section of the target application’s file that
is unused by the program. Code caves exist in most applications and adding code
to these sections should not break the behavior of the primary application.
Often the execution code inserted into a code cave is simply a remote shell launcher
or backdoor; these can be very small and simply grant the adversary access to the
endpoint where they can perform other actions. This type of attack requires the attacker
to have established a presence on the endpoint so they can deploy the backdoored
application or to trick the user to download and install an application that has the code
cave already exploited.

One of the primary reasons adversaries use code caves is to hide from detection
by the general user and administrators. The expected application still works fine,
but the inserted application is also running.
If the application that has been modified is a legitimate business tool that the
administrator expects to be on the device they are less likely to consider it malware
if traditional antivirus detects a problem. Administrators may simply add it to the
exemption list, assuming the antivirus engine has generated a false positive. In this way,
the adversary establishes persistence on the endpoint and may have even tricked the
admin to allow their inserted application to run.
In a so-called supply chain attack, an attacker could also breach the software
update servers on which an update can be laced with malicious code to silently
infect its customers with e.g. ransomware or wiper malware.
Sophos Intercept X automatically blocks execution of applications that are laced with
a backdoor. It even detects the added shellcode when code execution doesn’t flow
to a code cave or to an added section in the infected PE file. It offers broad protection
against shellcode injection tools like Shellter and Backdoor Factory.

Exploits Explained: Comprehensive Exploit Prevention. A Sophos Whitepaper, March 2018, p. 13
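To make the quoted description concrete, here is an added example (not from the forum post, from Sophos, or from UCCNC) that walks the PE section table of a file, measures the slack a linker leaves between each section's VirtualSize and SizeOfRawData (the "code cave" the whitepaper refers to), and raises an alert only when the entry point has been redirected into that slack or into a non-executable section. The sample PE images are constructed header-only stubs, and the heuristic is a simplified illustration, not a reproduction of Sophos's detection logic.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000                   # IMAGE_SECTION_HEADER.Characteristics bit

def parse_pe(pe: bytes):
    """Minimal PE header walk: returns (AddressOfEntryPoint, [section dicts])."""
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4                                # IMAGE_FILE_HEADER (20 bytes)
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    opt = coff + 20                                    # IMAGE_OPTIONAL_HEADER
    entry, = struct.unpack_from("<I", pe, opt + 16)    # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i                  # IMAGE_SECTION_HEADER, 40 bytes each
        name, vsize, vaddr, rawsize = struct.unpack_from("<8sIII", pe, off)
        chars, = struct.unpack_from("<I", pe, off + 36)
        sections.append({"name": name.rstrip(b"\0").decode(), "vaddr": vaddr, "vsize": vsize,
                         "rawsize": rawsize, "slack": max(rawsize - vsize, 0),
                         "exec": bool(chars & IMAGE_SCN_MEM_EXECUTE)})
    return entry, sections

def code_cave_findings(pe: bytes):
    """'caves': executable slack that exists (normal); 'alerts': entry point in an odd place."""
    entry, sections = parse_pe(pe)
    out = {"caves": [], "alerts": []}
    home = next((s for s in sections if s["vaddr"] <= entry < s["vaddr"] + s["rawsize"]), None)
    if home is None:
        out["alerts"].append("entry point outside every section")
    elif not home["exec"]:
        out["alerts"].append(f"entry point in non-executable section {home['name']}")
    elif entry >= home["vaddr"] + home["vsize"]:       # past the bytes the linker actually used
        out["alerts"].append(f"entry point in the {home['slack']}-byte slack of {home['name']}")
    for s in sections:
        if s["exec"] and s["slack"] >= 0x80:           # file-alignment padding in a code section
            out["caves"].append((s["name"], s["slack"]))
    return out

def build_sample_pe(entry_rva: int) -> bytes:
    """Constructed header-only PE32 (not loadable): .text has 0x100 slack bytes, .data has 0x1C0."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)              # e_lfanew: PE signature follows the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)  # i386, 2 sections, PE32 opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)         # AddressOfEntryPoint
    def sec(name, vsize, vaddr, rawsize, rawptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, chars)
    text = sec(b".text", 0x100, 0x1000, 0x200, 0x200, 0x60000020)   # code, execute+read
    data = sec(b".data", 0x40, 0x2000, 0x200, 0x400, 0xC0000040)    # initialized data, read+write
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text + data
```

The clean sample reports a cave in .text but no alert, which is the point the whitepaper makes: caves exist in most applications, and slack alone is not evidence of tampering.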

Re: V1.2112 stopped by Sophos for "CodeCave" malicious behav

PostPosted: Mon Oct 28, 2019 6:25 pm
by cncdrive
This problem has nothing to do with the UCCNC, it is a problem with the antivirus software you are using.