Check Point researchers reveal new method by which malware can pass undetected by anti-malware solutions on Windows 10 PCs, potentially affecting up to 400 million computers globally.

Check Point Software Technologies Ltd. (NASDAQ: CHKP) announced its security researchers have found a new and alarming method that could allow any known malware to bypass security solutions, such as next generation anti-viruses, inspection tools, and anti-ransomware.

This technique, called ‘Bashware’, takes advantage of a new Windows 10 feature called Subsystem for Linux (WSL) which allows a combination of Linux and Windows systems to run at the same time. Although WSL itself is well-designed, existing security solutions are still not adapted to monitor processes of Linux executables running on Windows. 


Check Point’s researchers say that this can open a door for cybercriminals to run malicious code undetected, and allow them to use the features provided by WSL to hide from security products that have not yet integrated the proper detection mechanisms.


Researchers tested Bashware on most of the leading anti-virus and security products on the market, and were able to successfully bypass them all using the Bashware method. This means that Bashware potentially affects up to 400 million computers currently running Windows 10 PC globally.


“The potential threats of Windows Subsystem for Linux mechanism have been discussed by the InfoSec community, and now we decided to take it to the next level by demonstrating how it actually works,” said Oded Vanunu, head of vulnerability research at Check Point. “The research shows how easy it could be for a cybercriminals to take advantage of the new WSL mechanism, and enable any malware to bypass security products. Most security vendors have not built protections into their solutions to block this potential exploitation path, so we are calling on the security industry to take immediate action and to modify their products to protect users against Bashware.”


Full details of Bashware, including a detailed report describing how the exploitation method works, are available at:


A video of how the attack works is also available:  



Press release by CheckPoint

Publié le 13 septembre 2017