App Review Windows Defender Bypassed | The PC Security Channel

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.

Shadowra

Level 36
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,586
Windows Defender escapes are commonplace.
There was a malware that did this too called MosaicLoader, which created registry keys to put its Payloads in exclusions...

That's why those who are Geek Hardened Windows Defender, but it can be fatal for a novice...

Thanks for the video!
 

SeriousHoax

Level 49
Verified
Top Poster
Well-known
Mar 16, 2019
3,862
If I remember correctly, this method already didn't work in Windows 11 when it was discovered by a security person who shared it on Twitter.
But according to this video it still works in Windows 10 which is very surprising :unsure:
 

Thales

Level 15
Verified
Top Poster
Well-known
Nov 26, 2017
728
Hold my beer...

1654451463905.png
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,508
This is probably the worst of Leo's videos. (n)
First, this video does not show any difference between Windows 10 and 11. Simply Leo did not notice that on Windows 10 the PowerShell was executed with high privileges and on Windows 11 with standard privileges.
In fact, both on Windows 10 and 11 the query will fail with standard privileges.

So, the innocent (not really malicious) trojan downloader cannot get the information about Defender's exclusions. Everyone can check it on their own computer with Windows 10.
Gathering the information about Defender's exclusions can be done only if the malware could first get high privileges. So if the system is compromised with high privileges, then exclusions can be used to get persistence. Of course, in this case, the malware can simply add the exclusion (does not need to read the exclusions).
 
F

ForgottenSeer 95367

I'm not sure, but doesn't PS run in Constrained Language mode defeat this kind of attack as well?
No

This is probably the worst of Leo's videos. (n)
First, this video does not show any difference between Windows 10 and 11. Simply Leo did not notice that on Windows 10 the PowerShell was executed with high privileges and on Windows 11 with standard privileges.
Leo is not concerned with covering details in-depth. He just wants short-and-fast videos as opposed to long thorough videos. His target audience is neophytes and not enthusiasts.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,508
No


Leo is not concerned with covering details in-depth. He just wants short-and-fast videos as opposed to long thorough videos. His target audience is neophytes and not enthusiasts.
if Leo would make his video several months ago and would use standard rights (instead of high privileges) to query for Defender's exclusions, then the video would be OK. In the year 2021, this attack vector was not covered by Microsoft (it has been patched several months ago).
But in his current video, he wrongly informs users that the vulnerability that was patched several months ago is still present.
You might say that he intentionally used high privileges to read the exclusions, but then the video does not make sense at all. (y)
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,508
Yes and No.
The attack presented in the video does not make sense in the year 2022, so let's go back to the year 2021 (before patching the vulnerability) and let's perform it correctly by using standard rights.
The attack is based on using a trojan downloader (PowerShell script) to query for the exclusions and download the malware. It is true that the script could read the exclusions, but in most cases, the malware download would be blocked by Constrained Language Mode.

Edit.
I do not think that Leo intentionally made his video to misguide the Defender users. He simply does not like Defender, and was not sufficiently objective to recognize his error.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,508
Good one. I temporarily unblocked PS Sponsors from H_C SRP rules, and launched it as user:

View attachment 267221

I'm not sure, but doesn't PS run in Constrained Language mode defeat this kind of attack as well?
H_C can fully block this attack in the Recommended_Settings, except when something is exploited and a special (rarely used in the wild) PowerShell CmdLine is executed. In most cases, such attacks will be blocked by Constrained Language Mode or FirewallHardening. I know only one technique that could bypass this protection, but it is used very rarely and not in the widespread attacks on home users.
 

Back3

Level 14
Verified
Top Poster
Apr 14, 2019
668
H_C can fully block this attack in the Recommended_Settings, except when something is exploited and a special (rarely used in the wild) PowerShell CmdLine is executed. In most cases, such attacks will be blocked by Constrained Language Mode or FirewallHardening. I know only one technique that could bypass this protection, but it is used very rarely and not in the widespread attacks on home users.
What about Simple Windows Hardening?
 
L

Local Host

This is a Windows Defender bypass, not a UAC bypass, so it applies regardless of what Andy thinks of malware having admin rights. Ignoring the fact what is using admin rights is not even malware, but is a valid command Windows accepts (which is the concern here).

But honestly, there are way easier ways to get rid of Windows Defender, and most malware is ready for it, due to being default on Windows. Windows Defender will only save you from old and detected malware.

There more than enough tests incl. in our own Malware Hub that prove that.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,508
This is a Windows Defender bypass, not a UAC bypass, so it applies regardless of what Andy thinks of malware having admin rights.
Your post does not make sense to me. If the innocent-looking malware wants to read exclusions on a home computer then it must elevate. If not, then the attack will fail just like Leo showed for Windows 11. Microsoft fixed the issue several months ago and the behavior on Windows 10 is (and was) the same as on Windows 11. Leo made a mistake in his test, so he thought that the behavior is different on Windows 10 and Windows 11.

Edit1.
I skipped the trolling part of your post. It does not deserve attention. (y)
 
Last edited:

ScandinavianFish

Level 7
Verified
Dec 12, 2021
317
This is a Windows Defender bypass, not a UAC bypass, so it applies regardless of what Andy thinks of malware having admin rights. Ignoring the fact what is using admin rights is not even malware, but is a valid command Windows accepts (which is the concern here).

But honestly, there are way easier ways to get rid of Windows Defender, and most malware is ready for it, due to being default on Windows. Windows Defender will only save you from old and detected malware.

There more than enough tests incl. in our own Malware Hub that prove that.
Windows Defender has comprehensive protection against zero days, using local and in-the-cloud AI powered machine learning, reputation based analysis, behavioral analysis and its patended AMSI, latter of which almost all third party antiviruses use to detect malicious scripts, the trick to detecting the newest malware is keeping the Security Intelligence up go date as Microsoft is pretty quick to uncover new campaigns due to having acess to the largest amount of threat telemetry.

People who dont use common sense are the ones not ready for the newer generations of malware, simply because they think AV provides 100% protection and either dont care or dont know to take cyberthreats seriously
 
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top