URL: https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html

RANSOMWARE ACTOR ABUSES GENSHIN IMPACT ANTI-CHEAT DRIVER TO KILL ANTIVIRUS

We investigate mhyprot2.sys, a vulnerable anti-cheat driver for the popular
role-playing game Genshin Impact. The driver is currently being abused by a
ransomware actor to kill antivirus processes and services for mass-deploying
ransomware.

By: Ryan Soliven, Hitomi Kimura | August 24, 2022 | Read time: 7 min (1935 words)

--------------------------------------------------------------------------------

There have already been reports on code-signed rootkits like Netfilter, FiveSys,
and Fire Chili. These rootkits are usually signed with stolen certificates or
are falsely validated. However, when a legitimate driver is used as a rootkit,
that’s a different story. Such is the case of mhyprot2.sys, a vulnerable
anti-cheat driver for the popular role-playing game Genshin Impact. The driver
is currently being abused by a ransomware actor to kill antivirus processes and
services for mass-deploying ransomware. Security teams and defenders should note
that mhyprot2.sys can be integrated into any malware.  

What we found

During the last week of July 2022, a ransomware infection was triggered in a
user environment that had endpoint protection properly configured. Analyzing the
sequence, we found that a code-signed driver called “mhyprot2.sys”, which
provides the anti-cheat functions for Genshin Impact as a device driver, was
being abused to bypass privileges. As a result, commands from kernel mode killed
the endpoint protection processes.


As of this writing, the code signing for mhyprot2.sys is still valid. Genshin
Impact does not need to be installed on a victim’s device for this to work; the
use of this driver is independent of the game. 


This ransomware was simply the first instance of malicious activity we noted.
The threat actor aimed to deploy ransomware within the victim’s device and then
spread the infection. Since mhyprot2.sys can be integrated into any malware, we
are continuing investigations to determine the scope of the driver.


Organizations and security teams should be careful because of several factors:
the ease of obtaining the mhyprot2.sys module, the versatility of the driver in
terms of bypassing privileges, and the existence of well-made proofs of concept
(PoCs). All these factors mean that the usage of this driver is likely higher
than that of previously discovered rootkits (such as the ones mentioned in the
preceding section).


Meanwhile, the timeline and attack sequence of the threat actor’s activities
that we present here are noteworthy for security teams. A list of the techniques
used in this operation can be found in the MITRE ATT&CK analysis at the end of
this article.


Timeline of activities


Figure 1. Attack overview

The earliest evidence of compromise was a secretsdump from an unidentified
endpoint of the targeted organization to one of the domain controllers. It was
followed by the execution of discovery commands using wmiexec in the context of
the built-in domain administrator account. Both secretsdump — which dumps
secrets from the remote machine without executing any agent there — and wmiexec
— which executes commands remotely through Windows Management Instrumentation
(WMI) — are tools from Impacket, a free collection of Python classes for working
with network protocols.

Figure 2. Early evidence of compromise

Shortly afterward, the threat actor connected to the domain controller via RDP
using another compromised administrator account. From there, everything was
executed in the context of that user account.

Figure 3. The threat actor connecting to the domain controller via RDP

Note: The process rdpclip.exe, running under the context of the compromised
administrator account, was the only destination system artifact supporting the
use of RDP toward the domain controller. This process facilitates clipboard
sharing between RDP sessions.

A malicious file, kill_svc.exe (C:\users\{compromised user}\kill_svc.exe), and
mhyprot2.sys (C:\users\{compromised user}\mhyprot2.sys) were transferred to the
desktop. This was the first time that the vulnerable driver was seen. The file
kill_svc.exe installed the mhyprot2 service and killed antivirus services.


Figure 4. The suspicious kill_svc.exe file executed
Figure 5. The vulnerable device installed

Another malicious file, avg.msi, was transferred to the netlogon share
\\{domaincontroller}\NETLOGON\avg.msi. This Windows installer contains avg.exe,
a malicious file masquerading as AVG Internet Security, and is responsible for
dropping and executing the following: 

 * logon.bat – A batch file that executes HelpPane.exe, kills antivirus and
   other services, and executes svchost.exe.
 * HelpPane.exe – A malicious file masquerading as Microsoft Help and Support
   executable; similar to kill_svc.exe, it installs mhyprot2.sys and kills
   antivirus services.
 * mhyprot2.sys – A vulnerable Genshin Impact anti-cheat driver.
 * svchost.exe – The ransomware payload.

This also shows that the threat actor intended to mass-deploy the ransomware
using the domain controller via startup/logon script.


The Windows installer avg.msi hosted on the netlogon share was deployed to one
workstation endpoint via Group Policy Object (GPO). We suspect that this was to
test whether deployment via GPO would be successful, but this case resulted in a
failure.


Figure 6. The Windows installer avg.msi deployed via GPO

Afterward, the threat actor logged in to the workstation from the unidentified
endpoint. Both Logon Type 3 (Network Logon) and Logon Type 10
(RemoteInteractive) were observed. The Windows installer avg.msi was manually
installed three times, which also resulted in a failure — no encryption.
However, it was successful in killing the antivirus services.

Figure 7. Manual installation of avg.msi failing

Note: The installation of avg.msi might have failed, but the antivirus product
was also no longer working.

The file avg.exe, extracted from avg.msi, was also transferred to the desktop
and executed three times. However, in our analysis, we found that this step also
did not work even though the antivirus was no longer working. Apparently, using
either the .msi or the .exe file resulted in the applications being stuck.


Figure 8. The malicious file avg.exe transferred to the desktop and executed
three times

In an attempt to make things work, the threat actor transferred logon.bat to the
desktop and executed it manually. The file logon.bat, supposedly dropped and
executed by avg.exe, was used as a standalone. 

Figure 9. Section 1 of logon.bat, used for starting HelpPane.exe
Figure 10. Section 2 of logon.bat, used for killing antivirus solutions and
other services
Figure 11. Section 3 of logon.bat, used for disabling the boot loader from
loading the Windows recovery environment, disabling the Windows recovery
environment, clearing Windows event logs, killing the mhyprot2 service and
deleting it, and lastly, starting the ransomware svchost.exe.

Surprisingly, executing logon.bat worked and the ransomware svchost.exe began
dropping ransom notes and encrypting files. Knowing this, the threat actor
hosted three files necessary for mass deployment on a shared folder named “lol”:
mhyprot2.sys, kill_svc.exe (for killing antivirus services), and svchost.exe
(the ransomware).

Figure 12. The share folder containing the necessary component files for mass
deployment

A batch file named “b.bat” (C:\Users\{compromised user}\Desktop\b.bat),
responsible for copying and executing the files mentioned above, was deployed
via PsExec using the credentials of the built-in domain administrator account.
It listed target workstations in the file ip.txt.

Figure 13. Partial contents of b.bat (modified multiple times by the threat
actor)
Figure 14. The threat actor deploying b.bat to other workstations

A closer look at mhyprot2.sys 

The driver mhyprot2.sys is loaded by kill_svc.exe/HelpPane.exe using the
NtOpenFile function.


Figure 15. The driver mhyprot2.sys loaded by kill_svc.exe/HelpPane.exe

After loading mhyprot2.sys, kill_svc.exe/HelpPane.exe checks a list of processes
to be terminated.

Figure 16. A list of processes to be terminated as checked by
kill_svc.exe/HelpPane.exe

Afterward, it passes this information to the driver using the DeviceIoControl
function. 

Figure 17. The DeviceIoControl function

The control code 0x81034000 is sent to the driver, instructing it to terminate
the processes in the list.

Figure 18. The mhyprot2.sys case function
Figure 19. ZwTerminateProcess inside 0x81034000, which terminates a process and
all of its threads

The mhyprot2.sys driver that was found in this sequence was the one built in
August 2020. Going back to social media streams, we can see that shortly after
Genshin Impact was released in September 2020, this module was discussed in the
gaming community because it was not removed even after the game was uninstalled
and because it allowed bypassing of privileges.

A PoC, provided by user kagurazakasanae, showed that a library terminated 360
Total Security. A more comprehensive PoC, provided by Kento Oki, had the
following capabilities:


 * Read/Write any kernel memory with privilege of kernel from user mode.
 * Read/Write any user memory with privilege of kernel from user mode.
 * Enumerate a number of modules by specific process id.
 * Get system uptime.
 * Enumerate threads in a specific process, allowing reading of the PETHREAD
   structure in the kernel directly from the command-line interface (CLI).
 * Terminate a specific process by process id with ZwTerminateProcess, which
   is called in the vulnerable driver context (ring-0).

The issue was also reported by Kento Oki to miHoYo, the developer of Genshin
Impact, as a vulnerability. Kento Oki’s PoC led to more discussions, but the
provider did not acknowledge the issue as a vulnerability and did not provide a
fix. The code-signing certificate has not been revoked, and the digital
signature for code signing as a device driver is still valid at this time.


Complications of code signing as a device driver 

It is still rare to find a module with code signing as a device driver that can
be abused. The point of this case is that a legitimate device driver module with
valid code signing has the capability to bypass privileges from user mode to
kernel mode. Even if a vendor acknowledges a privilege bypass as a vulnerability
and provides a fix, the module cannot be erased once distributed. This file has
a code signature for the driver, which allows this module to be loaded in kernel
mode. If a malicious module had been signed with a stolen private key, the
certificate could be revoked to invalidate the signature. In this case, however,
a legitimate module is being abused. There appears to be no compromise of the
private key, so it is still not known whether the certificate will be revoked.
It remains valid, at least for now.


As mentioned above, this module is very easy to obtain and will be available to
everyone until it is erased from existence. It could remain for a long time as a
useful utility for bypassing privileges. Certificate revocation and antivirus
detection might help to discourage the abuse, but there are no solutions at this
time because it is a legitimate module.


How to counter abuse: monitoring and detection

There are only a limited number of driver files with valid signatures that are
expected to have behavior comparable to the privilege bypassing we report here.
We recommend that security teams and network defenders monitor for the presence
of the hash values within their organizations. We have confirmed that privilege
bypassing is possible in at least this file:

 * mhyprot2.sys (0466e90bf0e83b776ca8716e01d35a8a2e5f96d3)
   

In addition, we recommend monitoring Windows event logs for the installation of
the service corresponding to the driver. If the installation of the service was
not intended, compromise is strongly suspected:


 * Windows Event Log (System) – 7045: A new service was installed in the system.
   Service name: mhyprot2.
   

Figure 20. The properties of Windows Event Log (System) – 7045
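
The two checks recommended above (the file hash and System event 7045), written
as an offline triage script. This is an added example, not code from Trend
Micro; the user-writable-path rule goes beyond the article's two indicators,
and the sample export (host names, times, the HelpSvc and ExampleUpdater
services) is constructed.

```python
import hashlib
import xml.etree.ElementTree as ET
from pathlib import Path

# Indicators stated in the article (the hash is 40 hex digits, SHA-1 length).
KNOWN_DRIVER_SHA1 = frozenset({"0466e90bf0e83b776ca8716e01d35a8a2e5f96d3"})
SERVICE_NAME = "mhyprot2"
DRIVER_FILE = "mhyprot2.sys"
# Assumption, not from the article: locations a non-system process can write to.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")
EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def sha1_file(path, chunk_size=1 << 20):
    """SHA-1 of a file, read in chunks so large files do not fill memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep_for_driver(root, known=KNOWN_DRIVER_SHA1):
    """Return files under root whose SHA-1 is in known (any name or extension)."""
    hits = []
    for path in Path(root).rglob("*"):
        try:
            if path.is_file() and sha1_file(path) in known:
                hits.append(str(path))
        except OSError:
            continue  # unreadable or vanished file: skip and keep sweeping
    return sorted(hits)


def review_service_installs(xml_text):
    """Return one finding per suspicious Event ID 7045 record in an XML export
    that has one root element around its <Event> records, for example the
    output of `wevtutil qe System /f:xml /e:Events`."""
    findings = []
    for event in ET.fromstring(xml_text).iter("{%s}Event" % EVT_NS["e"]):
        if event.findtext("e:System/e:EventID", "", EVT_NS).strip() != "7045":
            continue
        data = {d.get("Name"): (d.text or "").strip()
                for d in event.iterfind("e:EventData/e:Data", EVT_NS)}
        image = data.get("ImagePath", "").strip('"')
        file_name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        is_driver = "kernel" in data.get("ServiceType", "").lower()
        reasons = []
        if data.get("ServiceName", "").lower() == SERVICE_NAME:
            reasons.append("service name is mhyprot2")
        if file_name == DRIVER_FILE:
            reasons.append("image file is mhyprot2.sys")
        if is_driver and any(d in image.lower() for d in USER_WRITABLE):
            reasons.append("kernel driver installed from a user-writable path")
        if reasons:
            created = event.find("e:System/e:TimeCreated", EVT_NS)
            findings.append({
                "computer": event.findtext("e:System/e:Computer", "", EVT_NS),
                "time": created.get("SystemTime", "") if created is not None else "",
                "service": data.get("ServiceName", ""),
                "image": image,
                "reasons": reasons,
            })
    return findings


# Constructed sample export: host names, accounts, times and the second and
# third service names are made up for this example.
SAMPLE_EXPORT = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID Qualifiers="16384">7045</EventID>
  <TimeCreated SystemTime="2022-01-01T03:12:44.000Z"/><Computer>WS-017.corp.example</Computer></System>
 <EventData><Data Name="ServiceName">mhyprot2</Data>
  <Data Name="ImagePath">C:\Users\admin1\mhyprot2.sys</Data>
  <Data Name="ServiceType">kernel mode driver</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID Qualifiers="16384">7045</EventID>
  <TimeCreated SystemTime="2022-01-01T03:20:09.000Z"/><Computer>WS-022.corp.example</Computer></System>
 <EventData><Data Name="ServiceName">HelpSvc</Data>
  <Data Name="ImagePath">\??\C:\ProgramData\mhyprot2.sys</Data>
  <Data Name="ServiceType">kernel mode driver</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID Qualifiers="16384">7045</EventID>
  <TimeCreated SystemTime="2022-01-01T09:00:00.000Z"/><Computer>WS-022.corp.example</Computer></System>
 <EventData><Data Name="ServiceName">ExampleUpdater</Data>
  <Data Name="ImagePath">"C:\Program Files\Example\updater.exe"</Data>
  <Data Name="ServiceType">user mode service</Data></EventData>
</Event>
</Events>"""

if __name__ == "__main__":
    for finding in review_service_installs(SAMPLE_EXPORT):
        print(finding["computer"], finding["service"], "; ".join(finding["reasons"]))
```

The second sample record shows why the image path is checked as well as the
service name: a service registered under another name still loads the same
driver file.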

Recommendations and solutions

Ransomware operators are continuously looking for ways to covertly deploy their
malware onto users’ devices. Using popular games or other sources of
entertainment is an effective way of baiting victims into downloading dangerous
files. It is important for enterprises and organizations to monitor what
software is being deployed onto their machines or have the proper solutions in
place that can prevent an infection from happening.

Users and organizations can also benefit from security solutions that offer
multilayered detection and response such as Trend Micro Vision One™, which has
multilayered protection and behavior detection capabilities that help block
suspicious behavior and tools before ransomware can do any damage. Trend Micro
Apex One™ also provides next-level automated threat detection and response to
protect endpoints against advanced issues, like human-operated ransomware.


For more information on the indicators of compromise, download this document. 

With additional insights from Nathaniel Gregory Ragasa and Eleazar Valles

MITRE ATT&CK tactics and techniques


Tags
Endpoints | Exploits & Vulnerabilities | Research | Ransomware | Articles, News,
Reports


AUTHORS

 * Ryan Soliven
   
   Incident Response Analyst

 * Hitomi Kimura
   
   Incident Response Analyst

Copyright © 2022 Trend Micro Incorporated. All rights reserved.

 4. Content highlighting – users can choose to emphasize essential elements such
    as links and titles. They can also choose to highlight focused or hovered
    elements only.
 5. Audio muting – users with hearing devices may experience headaches or other
    issues due to automatic audio playing. This option lets users mute the
    entire website instantly.
 6. Cognitive disorders – we utilize a search engine linked to Wikipedia and
    Wiktionary, allowing people with cognitive disorders to decipher meanings of
    phrases, initials, slang, and others.
 7. Additional functions – we allow users to change cursor color and size, use a
    printing mode, enable a virtual keyboard, and many other functions.

Assistive technology and browser compatibility

We aim to support as many browsers and assistive technologies as possible, so
our users can choose the best fitting tools for them, with as few limitations as
possible. Therefore, we have worked very hard to be able to support all major
systems that comprise over 95% of the user market share, including Google
Chrome, Mozilla Firefox, Apple Safari, Opera and Microsoft Edge, JAWS, and NVDA
(screen readers), both for Windows and MAC users.

Notes, comments, and feedback

Despite our very best efforts to allow anybody to adjust the website to their
needs, there may still be pages or sections that are not fully accessible, are
in the process of becoming accessible, or are lacking an adequate technological
solution to make them accessible. Still, we are continually improving our
accessibility, adding, updating, improving its options and features, and
developing and adopting new technologies. All this is meant to reach the optimal
level of accessibility following technological advancements. If you wish to
contact the website’s owner, please use the website's form
