Malware analysis Bypass Windows Defender Attack Surface Reduction

SeriousHoax

Level 34
Verified
Mar 16, 2019
2,353
Looks like all the Windows Defender ASR mitigations have been bypassed in this test one way or another ☹
This is disappointing and shows that Microsoft needs to step up and patch these loopholes.
The test was done in February 2019 so don't know if Microsoft has fixed these issues by now or not 🤔


Read the full report here
 

blackice

Level 28
Verified
Apr 1, 2019
1,753
We talked a little about this paper one year ago:

Here is also a video :) (y):

I participated in this discussion and completely forgot about it. Thanks for refreshing my memory! It doesn’t help the memory to have two small children and fireworks going off all night outside.
 

Andy Ful

Level 67
Verified
Trusted
Content Creator
Dec 23, 2014
5,620
If not, there are going to be many, many millions wanting to know why not?!!
There is nothing especially difficult in bypassing ASR rules. Anyway, they are very useful against the common 0-day malware in the wild as the WD support.
From my experience, these rules were improved by Microsoft. Before reading this article I bypassed some of these rules + WD by several scripts. Now, many of these bypasses (but not all) are detected by WD or blocked by ASR. It is possible that Microsoft uses ASR rules to block the popular attacks that are hard to detect by WD.
 

Stopspying

Level 10
Verified
Jan 21, 2018
486

Andy Ful

Level 67
Verified
Trusted
Content Creator
Dec 23, 2014
5,620
Is it known if Microsoft took any steps to fix these mitigations after the 2019 disclosures in the https://blog.sevagas.com/IMG/pdf/bypass_windows_defender_attack_surface_reduction.pdf ?
Microsoft improves these rules only if there were malware in the wild that could bypass WD + ASR rules. They probably did not fix anything after reading this article. They already knew that these rules could be bypassed in many ways, before some of the bypasses were shown publicly by Emeric Masi. (y)
 

oldschool

Level 59
Verified
Mar 29, 2018
4,854
Microsoft improves these rules only if there were malware in the wild that could bypass WD + ASR rules. They probably did not fix anything after reading this article. They already knew that these rules could be bypassed in many ways, before some of the bypasses were shown publicly by Emeric Masi. (y)
Indeed. Everyone can relax instead of rushing to switch to the illusory "best" AV or whatever is in fashion. It's a beautiful summer day. Enjoy!
 

Stopspying

Level 10
Verified
Jan 21, 2018
486
rushing to switch to the illusory "best" AV

Nah, I'm all switched out.

It's a beautiful summer day.
Lucky you, it's been grey and like living in the clouds - wet, not surrounded by backed-up files all day here - with 40 mph winds. Having said that, we've had some great summer days so far this year. That is why I'm on MT a lot today... oops... meant to say I'm here for all the wonderful shared IT knowledge!
 

Andy Ful

Level 67
Verified
Trusted
Content Creator
Dec 23, 2014
5,620
There is maybe 1% (probably less) of Windows users who applied ASR rules. It is not worthwhile for the attackers to make malware that could bypass ASR rules, if the malware can already infect 50% of users. That is why Microsoft improves ASR rules rarely and they are still good additional protection to WD.
 

Vitali Ortzi

Level 21
Verified
Dec 12, 2016
1,000
There is maybe 1% (probably less) of Windows users who applied ASR rules. It is not worthwhile for the attackers to make malware that could bypass ASR rules, if the malware can already infect 50% of users. That is why Microsoft improves ASR rules rarely and they are still good additional protection to WD.
So basically Configure defender plus ASR rules but without SRP(H_C) won't stop an ATP attack / targeted
But it would stop most malware in the wild 99.97%+ mark?
 

Andy Ful

Level 67
Verified
Trusted
Content Creator
Dec 23, 2014
5,620
So basically Configure defender plus ASR rules but without SRP(H_C) won't stop an ATP attack / targeted
But it would stop most malware in the wild 99.97%+ mark?
WD set with ConfigureDefender MAX Protection Level will stop/neutralize many APT (Advanced Persistent Threats). Adding SRP (whitelisting) will prevent most APT in the wild in the home environment.
Most commercial solutions with ATP (Advanced Threat Protection) including Microsoft Threat Protection cannot prevent many advanced targeted attacks on enterprises.
 

Vitali Ortzi

Level 21
Verified
Dec 12, 2016
1,000
WD set with ConfigureDefender MAX Protection Level will stop/neutralize many APT (Advanced Persistent Threats). Adding SRP (whitelisting) will prevent most APT in the wild in the home environment.
Most commercial solutions with ATP (Advanced Threat Protection) including Microsoft Threat Protection cannot prevent many advanced targeted attacks on enterprises.
Anyway, how's non-consumer Windows Enterprise ATP at detection of targeted attacks (I'm referring to the EDR capability)?
 

Andy Ful

Level 67
Verified
Trusted
Content Creator
Dec 23, 2014
5,620
Anyway, how's non-consumer Windows Enterprise ATP at detection of targeted attacks (I'm referring to the EDR capability)?
It relies also on the human reaction to the incidents reported by Microsoft Threat Protection.
 