fix(intel-driven): UnDefend SYSTEM-context + RedSun/BlueHammer EICAR quarantine-check timing #55
Open
ubercylon8 wants to merge 1 commit into
Conversation
… EICAR quarantine timing

Bug 1 (UnDefend stage-T1562.001-svcnotify.go): NotifyServiceStatusChangeW on WinDefend requires SYSTEM context. Running under a non-elevated user caused an access-denied return that classifyError() mapped to StageBlocked (126) — a false positive that inflated the overall exit-code roll-up. Fix: detect non-SYSTEM at stage start, log 'prerequisite-not-met', call LogStageEnd skipped, exit 0 so the orchestrator treats the stage as skipped rather than errored.

Bug 2 (RedSun stage-T1211.go, BlueHammer stage-T1211-cfapi.go): EICAR quarantine check used a single os.Stat after a 3s sleep. Defender's quarantine action fires ~5s after the drop, so the stage process exited before the quarantine completed, reporting 101 UNPROTECTED even when Defender caught the file (confirmed by System log events 1116/1117). Fix: replace single-shot probe with a 10x1s retry loop (10s total window) per CLAUDE.md bug-prevention rule #3.

These are observation-logic fixes only — the tests exercise identical Win32 API primitives and EICAR drops as before; they now report results accurately.

Build verified (GOOS=windows GOARCH=amd64, zero compile errors):
- stage-T1562.001-svcnotify.go: 3.7M OK
- stage-T1211.go (RedSun): 3.5M OK
- stage-T1211-cfapi.go: 3.7M OK

sample_tests/multistage_template/ audited: no EICAR-adjacent os.Stat calls present; template is clean and does not need updating.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
https://claude.ai/code/session_01TZYUvsgmEBiQqyVzffjrcr
Summary

Two observation-logic bugs introduced in the 2026-04-24 Defender-evasion test batch caused incorrect exit-code reporting. The tests still exercise the same Win32 API primitives — only the result-evaluation logic is fixed.

Bug 1 — UnDefend Stage 3 SYSTEM-context prerequisite gap

NotifyServiceStatusChangeW on WinDefend requires SYSTEM context (or SeServiceLogonRight). When the stage ran as a non-elevated user, the access-denied return from the API was misclassified by classifyError() as StageBlocked (exit 126) — a false positive that inflated the overall exit-code roll-up. The stage should have skipped cleanly.

Bug 2 — RedSun/BlueHammer EICAR quarantine-check timing window

Both stages dropped EICAR, slept 3 seconds, then did a single os.Stat to check quarantine. Defender's quarantine action fires ~5 seconds after the drop, so the stage process exited before quarantine completed and reported 101 UNPROTECTED. System event log 1116/1117 confirmed Defender actually caught the file in the lab run.

Files changed

- stage-T1562.001-svcnotify.go (6a2351ac): isSystemContext() guard at stage entry; skip cleanly (exit 0 + LogStageEnd skipped) when not SYSTEM
- stage-T1211.go (0d7e7571): os.Stat with 10×1s retry loop (10s total window)
- stage-T1211-cfapi.go (5e59dd6a): same 10×1s retry loop (10s total window)

Why these fixes matter

These are observation-logic fixes, not primitive-behavior changes. Both tests continue to exercise identical Win32 APIs (NotifyServiceStatusChangeW, CfRegisterSyncRoot, CfConnectSyncRoot) and the same EICAR drop sequence. What changed is that the stages now accurately report whether protection fired — eliminating false 101/126 results that misled the EDR posture assessment in ProjectAchilles.

Template audit

sample_tests/multistage_template/ was grepped for EICAR-adjacent os.Stat calls. The template is clean — no EICAR drop code present. The short-window pattern originated in the test implementations directly, not the template, so no template update is needed.

Build verification

All three modified stage binaries compiled clean (GOOS=windows GOARCH=amd64, zero errors):

Build command used (mirrors build_all.sh step 1):

Deployment note

Re-deploying to a lab endpoint is recommended but not blocking for merge. The fixes are small and surgically reviewable statically:

- isSystemContext(): whoami-based check consistent with the pattern already used in stage-T1547.001.go (commit 0a749b39).
- Retry loop: time.Sleep(3s) + os.Stat replaced with ten 1-second ticks — no behavioral change on a protected host, accurate result on one where Defender is slow to quarantine.

Relevant lab-run commits for context: 574bffa (UnDefend), 36fd52a (RedSun), 0ab4dba (BlueHammer).

https://claude.ai/code/session_01TZYUvsgmEBiQqyVzffjrcr
Generated by Claude Code
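The two observation patterns the PR contrasts, as an added example that is not the PR's or the project's own code: a single sleep-then-os.Stat probe (the pre-fix pattern) beside a bounded retry loop (the fix), plus a whoami-style identity check of the kind the isSystemContext() guard performs. The function names (probeOnce, waitForRemoval, isSystemIdentity, simulateDrop, compare), the Outcome type and the timings are assumptions for this demonstration; Defender's asynchronous quarantine is stood in for by a goroutine that removes a constructed placeholder file after a delay, and the PR's 3s sleep and 10×1s window are scaled down so the run finishes in about a second.

```go
// Added example, not the PR's own code. Names, the Outcome type and all durations
// are assumptions; an asynchronous quarantine is simulated by a delayed os.Remove
// of a constructed placeholder file (inert text, not an AV test signature).
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"time"
)

// Outcome mirrors the two result classes the stages report.
type Outcome int

const (
	Unprotected Outcome = iota // file still present when the check gave up (the PR's "101 UNPROTECTED")
	Protected                  // file removed, i.e. quarantine was observed
)

func (o Outcome) String() string {
	if o == Protected {
		return "PROTECTED"
	}
	return "UNPROTECTED"
}

// gone reports whether the path no longer exists. Other Stat errors count as
// "still there" so a transient permission error is not mistaken for a quarantine.
func gone(path string) bool {
	_, err := os.Stat(path)
	return errors.Is(err, os.ErrNotExist)
}

// probeOnce is the pre-fix pattern: one fixed sleep, then a single os.Stat.
func probeOnce(path string, delay time.Duration) Outcome {
	time.Sleep(delay)
	if gone(path) {
		return Protected
	}
	return Unprotected
}

// waitForRemoval is the fixed pattern: poll up to attempts times, interval apart,
// returning as soon as the file disappears. The tick count is returned so a stage
// can log how long the quarantine actually took.
func waitForRemoval(path string, attempts int, interval time.Duration) (Outcome, int) {
	for i := 1; i <= attempts; i++ {
		time.Sleep(interval)
		if gone(path) {
			return Protected, i
		}
	}
	return Unprotected, attempts
}

// isSystemIdentity parses `whoami` output the way a whoami-based prerequisite
// check would; only NT AUTHORITY\SYSTEM satisfies the stage prerequisite.
func isSystemIdentity(whoamiOutput string) bool {
	return strings.ToLower(strings.TrimSpace(whoamiOutput)) == `nt authority\system`
}

// simulateDrop writes a constructed placeholder file and removes it after
// quarantineAfter, imitating a quarantine that lands later than a fixed sleep.
func simulateDrop(dir, name string, quarantineAfter time.Duration) (string, error) {
	path := filepath.Join(dir, name)
	if err := os.WriteFile(path, []byte("constructed placeholder\n"), 0o600); err != nil {
		return "", err
	}
	go func() {
		time.Sleep(quarantineAfter)
		_ = os.Remove(path)
	}()
	return path, nil
}

// compare runs both patterns against separate drops with the same quarantine delay.
func compare(quarantineAfter, singleDelay, tick time.Duration, attempts int) (old, fixed Outcome, err error) {
	dir, err := os.MkdirTemp("", "quarantine-demo")
	if err != nil {
		return Unprotected, Unprotected, err
	}
	defer os.RemoveAll(dir)

	p1, err := simulateDrop(dir, "drop-single.txt", quarantineAfter)
	if err != nil {
		return Unprotected, Unprotected, err
	}
	old = probeOnce(p1, singleDelay)

	p2, err := simulateDrop(dir, "drop-retry.txt", quarantineAfter)
	if err != nil {
		return Unprotected, Unprotected, err
	}
	fixed, ticks := waitForRemoval(p2, attempts, tick)
	fmt.Printf("retry loop observed removal after %d tick(s)\n", ticks)
	return old, fixed, nil
}

func main() {
	// Quarantine lands at 600ms: the 200ms single-shot probe misses it, the 10x100ms loop sees it.
	old, fixed, err := compare(600*time.Millisecond, 200*time.Millisecond, 100*time.Millisecond, 10)
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
	fmt.Printf("single-shot probe: %s, retry loop: %s\n", old, fixed)
	fmt.Println("SYSTEM prerequisite met:", isSystemIdentity("NT AUTHORITY\\SYSTEM"))
}
```

The point of the retry loop is that its total window (attempts × interval) bounds the worst case while the early return keeps a protected host from paying the full window; a single probe has to guess one delay and reports UNPROTECTED whenever the real quarantine lands later than that guess. The identity check trims and lower-cases the whoami output so a trailing CRLF or mixed-case account name does not cause a spurious skip.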