blackice

We talked a little about this paper one year ago:

Here is also a video :) (y):

I participated in this discussion and completely forgot about it. Thanks for refreshing my memory! It doesn’t help the memory to have two small children and fireworks going off all night outside.

Andy Ful

If not, there are going to be many, many millions wanting to know why not?!!
There is nothing especially difficult in bypassing ASR rules. Anyway, they are very useful against the common 0-day malware in the wild, as support for WD.
From my experience, these rules were improved by Microsoft. Before reading this article I bypassed some of these rules + WD with several scripts. Now, many of these bypasses (but not all) are detected by WD or blocked by ASR. It is possible that Microsoft uses ASR rules to block the popular attacks that are hard to detect by WD.

Andy Ful

Is it known if Microsoft took any steps to fix these mitigations after the 2019 disclosures in the https://blog.sevagas.com/IMG/pdf/bypass_windows_defender_attack_surface_reduction.pdf ?
Microsoft improves these rules only if there were malware in the wild that could bypass WD + ASR rules. They probably did not fix anything after reading this article. They already knew that these rules could be bypassed in many ways, before some of the bypasses were shown publicly by Emeric Masi.(y)

oldschool

Microsoft improves these rules only if there were malware in the wild that could bypass WD + ASR rules. They probably did not fix anything after reading this article. They already knew that these rules could be bypassed in many ways, before some of the bypasses were shown publicly by Emeric Masi.(y)
Indeed. Everyone can relax instead of rushing to switch to the illusory "best" AV or whatever is in fashion. It's a beautiful summer day. Enjoy!

Stopspying

rushing to switch to the illusory "best" AV
Nah, I'm all switched out.

It's a beautiful summer day.
Lucky you, it's been grey and like living in the clouds - wet, not surrounded by backed-up files all day here - with 40 mph winds. Having said that, we've had some great summer days so far this year. That is why I'm on MT a lot today... oops... meant to say I'm here for all the wonderful shared IT knowledge!

Andy Ful

There is maybe 1% (probably less) of Windows users who applied ASR rules. It is not worthwhile for attackers to make malware that could bypass ASR rules, if the malware can already infect 50% of users. That is why Microsoft rarely improves ASR rules, and they are still good additional protection to WD.

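Since the thread keeps coming back to whether ASR rules are actually applied on a given machine, here is an added example (not code from the thread, and not ConfigureDefender's or Hard_Configurator's own code) of checking that from an elevated PowerShell prompt with the Defender cmdlets Microsoft ships: it lists the state of each ASR rule, optionally switches the unconfigured or audit-mode ones to block, and then pulls the recent ASR events so you can see what the rules really blocked (event 1121) or would have blocked in audit mode (event 1122). The rule GUIDs and names in the table are the ones published in Microsoft's ASR documentation; the list is a subset, and the assumption is that you verify it against the current docs before relying on it.

```powershell
# Added example: report ASR rule state, optionally enforce, then review recent ASR events.
# Assumes Windows 10/11 with Microsoft Defender Antivirus active and an elevated session.
# Rule GUIDs are from Microsoft's ASR documentation (subset); verify against current docs.

$ruleNames = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
    'D1E49AAC-8F56-4280-B9BA-993A6D77406C' = 'Block process creations originating from PSExec and WMI commands'
    'E6DB77E5-3DF2-4CF1-B95A-636979351E5B' = 'Block persistence through WMI event subscription'
    'C1DB55AB-C21A-4637-BB3F-A12568109D35' = 'Use advanced protection against ransomware'
}

# Get-MpPreference exposes two parallel arrays: rule GUIDs and their action codes.
# Action codes: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
$pref       = Get-MpPreference
$ids        = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { "$_".ToUpper() })
$actions    = @($pref.AttackSurfaceReductionRules_Actions)
$actionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

$report = foreach ($guid in $ruleNames.Keys) {
    $i = [Array]::IndexOf($ids, $guid)
    $state = if ($i -ge 0) { $actionName[[int]$actions[$i]] } else { 'Not configured' }
    [pscustomobject]@{ Rule = $ruleNames[$guid]; Id = $guid; State = $state }
}
$report | Sort-Object State, Rule | Format-Table -AutoSize

# Optional enforcement: put every rule from the table that is not in Block mode into Block.
# Add-MpPreference merges with the existing configuration rather than replacing it.
# Uncomment to apply; test in Audit first on machines you do not control end to end.
# foreach ($r in ($report | Where-Object State -ne 'Block')) {
#     Add-MpPreference -AttackSurfaceReductionRules_Ids $r.Id `
#                      -AttackSurfaceReductionRules_Actions Enabled
# }

# What did ASR actually do recently? 1121 = blocked, 1122 = audited (would have blocked).
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Rule';   e = { $m = $_.Message; if ($m -match 'ID:\s*([0-9A-Fa-f-]{36})') { $ruleNames[$Matches[1].ToUpper()] } } },
        @{ n = 'Detail'; e = { ($_.Message -split "`n")[0].Trim() } } |
    Format-Table -AutoSize
```

Rules set by Group Policy or Intune show up in the report too, but Add-MpPreference cannot override a policy-managed value, so a rule that stays in Audit after the enforcement loop is usually one that policy owns. The event query is the part worth keeping around: a rule that never produces a 1121 or 1122 event on a machine that regularly opens Office documents is a hint that the rule is not actually in the evaluated set, whatever the preference says.
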
Vitali Ortzi

There is maybe 1% (probably less) of Windows users who applied ASR rules. It is not worthwhile for attackers to make malware that could bypass ASR rules, if the malware can already infect 50% of users. That is why Microsoft rarely improves ASR rules, and they are still good additional protection to WD.
So basically ConfigureDefender plus ASR rules, but without SRP (H_C), won't stop an ATP / targeted attack,
but would stop most malware in the wild (the 99.97%+ mark)?

Andy Ful

So basically ConfigureDefender plus ASR rules, but without SRP (H_C), won't stop an ATP / targeted attack,
but would stop most malware in the wild (the 99.97%+ mark)?
WD set with the ConfigureDefender MAX Protection Level will stop/neutralize many APTs (Advanced Persistent Threats). Adding SRP (whitelisting) will prevent most APTs in the wild in the home environment.
Most commercial solutions with ATP (Advanced Threat Protection), including Microsoft Threat Protection, cannot prevent many advanced targeted attacks on enterprises.

Vitali Ortzi

WD set with the ConfigureDefender MAX Protection Level will stop/neutralize many APTs (Advanced Persistent Threats). Adding SRP (whitelisting) will prevent most APTs in the wild in the home environment.
Most commercial solutions with ATP (Advanced Threat Protection), including Microsoft Threat Protection, cannot prevent many advanced targeted attacks on enterprises.
Anyway, how's the non-consumer Windows Enterprise ATP at detecting targeted attacks? (I'm referring to the EDR capability.)

Andy Ful

Anyway, how's the non-consumer Windows Enterprise ATP at detecting targeted attacks? (I'm referring to the EDR capability.)
It also relies on the human reaction to the incidents reported by Microsoft Threat Protection.