Malware Analysis Bypass Windows Defender Attack Surface Reduction

SeriousHoax

SeriousHoax

Level 49
Thread author
Verified
Top Poster
Well-known
Mar 16, 2019
3,862
Looks like all the Windows Defender ASR mitigations have been bypassed in this test one way or another ☹
This is disappointing and shows that Microsoft needs to step up and patch this loopholes.
The test was done in February 2019 so don't know if Microsoft has fixed this issues by now or not 🤔
1.PNG


Read the full report here
 
  • Like
  • Wow
  • HaHa
Reactions: Brahman, Zartarra, plat and 8 others
oldschool

oldschool

Level 85
Verified
Top Poster
Well-known
Mar 29, 2018
7,613
I believe I came across this some time ago, maybe via a link @ Wilders. It reaffirms the inherent danger of using vulnerable applications like M$ Office, attachments, infected USB drives, etc. Also social engineering. I suppose anything can be bypassed so I'm not too concerned.
 
  • Like
Reactions: Brahman, Vitali Ortzi, SeriousHoax and 5 others
blackice

blackice

Level 39
Verified
Top Poster
Well-known
Apr 1, 2019
2,868
Andy Ful said:
We talked a little about this paper one year ago:
malwaretips.com

ConfigureDefender utility for Windows 10/11

Thanks Arequire, pretty much exactly what I was looking for, especially the part about "Behavior Monitoring".
malwaretips.com malwaretips.com

Here is also a video :) (y):

Click to expand...

I participated in this discussion and completely forgot about it. Thanks for refreshing my memory! It doesn’t help the memory to have two small children and fireworks going off all night outside.
 
  • Like
Reactions: Brahman, SeriousHoax, Stopspying and 2 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
Stopspying said:
If not, there are going to be many, many millions wanting to know why not?!!
Click to expand...
There is nothing especially difficult in bypassing ASR rules. Anyway, they are very useful against the common 0-day malware in the wild as the WD support.
From my experience, these rules were improved by Microsoft. Before reading this article I bypassed some of these rules + WD by several scripts. Now, many of these bypasses (but not all) are detected by WD or blocked by ASR. It is possible that Microsoft uses ASR rules to block the popular attacks that are hard to detect by WD.
 
Last edited:
  • Like
  • Thanks
Reactions: Brahman, South Park, simmerskool and 9 others
Stopspying

Stopspying

Level 19
Verified
Top Poster
Well-known
Jan 21, 2018
814
  • Like
Reactions: simmerskool, SeriousHoax, plat and 3 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
Stopspying said:
Is it known if Microsoft took any steps to fix these mitigations after the 2019 disclosures in the https://blog.sevagas.com/IMG/pdf/bypass_windows_defender_attack_surface_reduction.pdf ?
Click to expand...
Microsoft improves these rules only if there were malware in the wild that could bypass WD + ASR rules. They probably did not fix anything after reading this article. They already knew that these rules could be bypassed in many ways, before some of the bypasses were shown publicly by Emeric Masi.(y)
 
  • Like
  • Thanks
Reactions: Brahman, simmerskool, Nightwalker and 9 others
oldschool

oldschool

Level 85
Verified
Top Poster
Well-known
Mar 29, 2018
7,613
Andy Ful said:
Microsoft improves these rules only if there were malware in the wild that could bypass WD + ASR rules. They probably did not fix anything after reading this article. They already knew that these rules could be bypassed in many ways, before some of the bypasses were shown publicly by Emeric Masi.(y)
Click to expand...
Indeed. Everyone can relax instead of rushing to switch to the illusory "best" AV or whatever is in fashion. It's a beautiful summer day. Enjoy!
 
  • Like
  • HaHa
Reactions: simmerskool, Nightwalker, Vitali Ortzi and 7 others
Stopspying

Stopspying

Level 19
Verified
Top Poster
Well-known
Jan 21, 2018
814
oldschool said:
rushing to switch to the illusory "best" AV
Click to expand...

Nah, I'm all switched out.

oldschool said:
It's a beautiful summer day.
Click to expand...
Lucky you, its been grey and like living in the clouds - wet, not surrounded by backed-up files all day here - with 40 mph winds. Having said that, we've had some great summer days so far this year. That is why I'm on MT a lot today...oopps.. meant to say I'm here for all the wonderful shared IT knowledge!
 
  • HaHa
  • Like
Reactions: Brahman, plat, SeriousHoax and 5 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
There is maybe 1% (probably less) of Windows users who applied ASR rules. It is not worthy for the attackers to make the malware that could bypass ASR rules, If the malware can already infect 50% users. That is why Microsoft improves ASR rules rarely and they are still good additional protection to WD.
 
  • Like
  • +Reputation
  • Thanks
Reactions: Brahman, Protomartyr, simmerskool and 11 others
Vitali Ortzi

Vitali Ortzi

Level 24
Verified
Top Poster
Well-known
Dec 12, 2016
1,363
Andy Ful said:
There is maybe 1% (probably less) of Windows users who applied ASR rules. It is not worthy for the attackers to make the malware that could bypass ASR rules, If the malware can already infect 50% users. That is why Microsoft improves ASR rules rarely and they are still good additional protection to WD.
Click to expand...
So basically Configure defender plus ASR rules but without SRP(H_C) won't stop an ATP attack / targeted
But it would stop most malware in the wild 99.97%+ mark?
 
  • Like
Reactions: Brahman, Protomartyr, Stopspying and 5 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
Vitali Ortzi said:
So basically Configure defender plus ASR rules but without SRP(H_C) won't stop an ATP attack / targeted
But it would stop most malware in the wild 99.97%+ mark?
Click to expand...
WD set with ConfigureDefender MAX Protection Level will stop/neutralize many APT (Advanced Persistent Threats). Adding SRP (whitelisting) will prevent most APT in the wild in the home environment.
Most commercial solutions with ATP (Advanced Threat Protection) including Microsoft Threat Protection cannot prevent many advanced targeted attacks on enterprises.
 
  • Like
  • Thanks
  • +Reputation
Reactions: Brahman, Protomartyr, Stopspying and 10 others
Vitali Ortzi

Vitali Ortzi

Level 24
Verified
Top Poster
Well-known
Dec 12, 2016
1,363
Andy Ful said:
WD set with ConfigureDefender MAX Protection Level will stop/neutralize many APT (Advanced Persistent Threats). Adding SRP (whitelisting) will prevent most APT in the wild in the home environment.
Most commercial solutions with ATP (Advanced Threat Protection) including Microsoft Threat Protection cannot prevent many advanced targeted attacks on enterprises.
Click to expand...
Anyway how's non consumer windows Enterprise ATP at detection of targeted attacks( I'm referring to the EDR capability ).
 
  • Like
Reactions: Brahman, Protomartyr, Stopspying and 1 other person
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
Vitali Ortzi said:
Anyway how's non consumer windows Enterprise ATP at detection of targeted attacks( I'm referring to the EDR capability ).
Click to expand...
It relies also on the human reaction to the incidents reported by Microsoft Threat Protection.
www.microsoft.com

Inside Microsoft 365 Defender: Attack modeling for finding and stopping lateral movement | Microsoft Security Blog

Microsoft Threat Protection uses a data-driven approach for identifying lateral movement, combining industry-leading optics, expertise, and data science to deliver automated discovery of some of the most critical threats today.
www.microsoft.com www.microsoft.com
 
  • Like
  • Thanks
Reactions: Brahman, Protomartyr, Stopspying and 5 others
Nightwalker

Nightwalker

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
May 26, 2014
1,339
There are some misunderstadings about ASR rules, they are not meant to be silver bullets against malware, similar to anti-exploit techniques, the reason is to make the attack process harder and more expensive for malware creators.
 
Last edited:
  • Like
  • +Reputation
  • Applause
Reactions: Brahman, Protomartyr, Stopspying and 9 others

Similar threads

lokamoka820
    • Like
    • Wow
Security News Windows Update Can Be Hijacked to Undo Security Patches
Replies
1
Views
2,423
Security News
SpiderWeb
SpiderWeb
M
    • Like
Threat actors misusing Quick Assist in social engineering attacks leading to ransomware
Replies
0
Views
427
Microsoft Defender
Microsoft Threat Intelligence
M
Gandalf_The_Grey
    • Like
    • +Reputation
Security News The February 2024 Security Update Review
Replies
3
Views
1,282
Security News
Gandalf_The_Grey
Gandalf_The_Grey

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top