Jump to content

KIS making SQL calls to SQL Server


Invent
Go to solution Solved by Wesly.Zhang,

Recommended Posts

I noticed KIS occasionally makes SQL calls to MS SQL Server. It sends a SELECT for each database on the server looking for rows from sys.assemblies. I’m assuming it’s able to access MSSQL and the databases using the elevated permissions granted to the KIS app. I can understand anti-virus apps checking the CLR assemblies for malware, but this approach via SQL seems unusual to me.

Can anyone provide any insight on this?

Thanks!

Link to comment
Share on other sites

Hello,

As I know, KIS use sqlite to create report database and use sql to write event report in it. How do you know this behavior?

Regards.

Link to comment
Share on other sites

If you run a trace on SQL Server to watch the sql commands, then do a KIS scan, KIS sends this SQL...

SELECT name FROM sys.databases

… to get the list of databases. Then for each database it sends...

SELECT assembly_id, name, content FROM mydatabase1.sys.assembly_files

SELECT assembly_id, name, content FROM mydatabase2.sys.assembly_files

etc

This returns the assembly binaries for all the databases on the server. I’m guessing this is the only way to access them to scan for malware?

 

 

Link to comment
Share on other sites

If you run a trace on SQL Server to watch the sql commands, then do a KIS scan, KIS sends this SQL...

SELECT name FROM sys.databases

… to get the list of databases. Then for each database it sends...

SELECT assembly_id, name, content FROM mydatabase1.sys.assembly_files

SELECT assembly_id, name, content FROM mydatabase2.sys.assembly_files

etc

This returns the assembly binaries for all the databases on the server. I’m guessing this is the only way to access them to scan for malware?

 

 

Hello ,

Let me check it. I am not familiar with SQL Server. except for MySQL. I will install check both of them. I will reply back if the research was fruitful. But I think it's possible to search for certain keywords in the system SQL SERVER system database, not sure what the point of this is, the malicious code doesn't get into the system database itself.

Regards.

Link to comment
Share on other sites

  • Solution

Thanks!

Hello, 

From my friend, He said there are the SQL Server Transact-SQL none file attack could be used in SQL sys.assembly_files to store malicious content. ExecCode id point to malicious content in sys.assembly_files table. So avp scan use this way to search threats in sql server. This is correct.

Regards.

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.


×
×
  • Create New...