Microsoft has blocked a Trend Micro driver from running on Windows 10 – and Trend has withdrawn downloads of its rootkit detector that uses the driver – after the code appeared to game Redmond’s QA tests.
Late last week, Trend removed downloads of its Rootkit Buster from its website. And last night it emerged the kernel-level driver at the heart of the software,
tmcomm.sys, was added to Windows 10 20H1’s list of blocked drivers – preventing it from loading and Rootkit Buster from running.
Windows internals guru and CrowdStrike veep Alex Ionescu discovered the blockade, and highlighted it on Twitter, while investigating research by computer security undergrad Bill Demirkapi that revealed not only shortcomings in the driver’s code but also an effort to detect Microsoft’s QA test suite.
Passing these tests is highly desirable: if a driver meets the grade, it can be digitally signed by Microsoft, is trusted by Windows, and potentially can be distributed via Windows Update and similar mechanisms.Source: The Register