Malware Analysis Bypass Windows Defender Attack Surface Reduction

SeriousHoax

Level 47
Thread author
Well-known
Mar 16, 2019
3,630
Looks like all the Windows Defender ASR mitigations have been bypassed in this test one way or another ☹
This is disappointing and shows that Microsoft needs to step up and patch this loopholes.
The test was done in February 2019 so don't know if Microsoft has fixed this issues by now or not 🤔
1.PNG


Read the full report here
 

oldschool

Level 81
Verified
Top Poster
Well-known
Mar 29, 2018
7,044
I believe I came across this some time ago, maybe via a link @ Wilders. It reaffirms the inherent danger of using vulnerable applications like M$ Office, attachments, infected USB drives, etc. Also social engineering. I suppose anything can be bypassed so I'm not too concerned.
 

blackice

Level 38
Verified
Top Poster
Well-known
Apr 1, 2019
2,731
We talked a little about this paper one year ago:

Here is also a video :) (y):


I participated in this discussion and completely forgot about it. Thanks for refreshing my memory! It doesn’t help the memory to have two small children and fireworks going off all night outside.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
If not, there are going to be many, many millions wanting to know why not?!!
There is nothing especially difficult in bypassing ASR rules. Anyway, they are very useful against the common 0-day malware in the wild as the WD support.
From my experience, these rules were improved by Microsoft. Before reading this article I bypassed some of these rules + WD by several scripts. Now, many of these bypasses (but not all) are detected by WD or blocked by ASR. It is possible that Microsoft uses ASR rules to block the popular attacks that are hard to detect by WD.
 
Last edited:

Stopspying

Level 19
Verified
Top Poster
Well-known
Jan 21, 2018
814

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Is it known if Microsoft took any steps to fix these mitigations after the 2019 disclosures in the https://blog.sevagas.com/IMG/pdf/bypass_windows_defender_attack_surface_reduction.pdf ?
Microsoft improves these rules only if there were malware in the wild that could bypass WD + ASR rules. They probably did not fix anything after reading this article. They already knew that these rules could be bypassed in many ways, before some of the bypasses were shown publicly by Emeric Masi.(y)
 

oldschool

Level 81
Verified
Top Poster
Well-known
Mar 29, 2018
7,044
Microsoft improves these rules only if there were malware in the wild that could bypass WD + ASR rules. They probably did not fix anything after reading this article. They already knew that these rules could be bypassed in many ways, before some of the bypasses were shown publicly by Emeric Masi.(y)
Indeed. Everyone can relax instead of rushing to switch to the illusory "best" AV or whatever is in fashion. It's a beautiful summer day. Enjoy!
 

Stopspying

Level 19
Verified
Top Poster
Well-known
Jan 21, 2018
814
rushing to switch to the illusory "best" AV

Nah, I'm all switched out.

It's a beautiful summer day.
Lucky you, its been grey and like living in the clouds - wet, not surrounded by backed-up files all day here - with 40 mph winds. Having said that, we've had some great summer days so far this year. That is why I'm on MT a lot today...oopps.. meant to say I'm here for all the wonderful shared IT knowledge!
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
There is maybe 1% (probably less) of Windows users who applied ASR rules. It is not worthy for the attackers to make the malware that could bypass ASR rules, If the malware can already infect 50% users. That is why Microsoft improves ASR rules rarely and they are still good additional protection to WD.
 

Vitali Ortzi

Level 22
Verified
Top Poster
Well-known
Dec 12, 2016
1,147
There is maybe 1% (probably less) of Windows users who applied ASR rules. It is not worthy for the attackers to make the malware that could bypass ASR rules, If the malware can already infect 50% users. That is why Microsoft improves ASR rules rarely and they are still good additional protection to WD.
So basically Configure defender plus ASR rules but without SRP(H_C) won't stop an ATP attack / targeted
But it would stop most malware in the wild 99.97%+ mark?
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
So basically Configure defender plus ASR rules but without SRP(H_C) won't stop an ATP attack / targeted
But it would stop most malware in the wild 99.97%+ mark?
WD set with ConfigureDefender MAX Protection Level will stop/neutralize many APT (Advanced Persistent Threats). Adding SRP (whitelisting) will prevent most APT in the wild in the home environment.
Most commercial solutions with ATP (Advanced Threat Protection) including Microsoft Threat Protection cannot prevent many advanced targeted attacks on enterprises.
 

Vitali Ortzi

Level 22
Verified
Top Poster
Well-known
Dec 12, 2016
1,147
WD set with ConfigureDefender MAX Protection Level will stop/neutralize many APT (Advanced Persistent Threats). Adding SRP (whitelisting) will prevent most APT in the wild in the home environment.
Most commercial solutions with ATP (Advanced Threat Protection) including Microsoft Threat Protection cannot prevent many advanced targeted attacks on enterprises.
Anyway how's non consumer windows Enterprise ATP at detection of targeted attacks( I'm referring to the EDR capability ).
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Anyway how's non consumer windows Enterprise ATP at detection of targeted attacks( I'm referring to the EDR capability ).
It relies also on the human reaction to the incidents reported by Microsoft Threat Protection.
 

Nightwalker

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
May 26, 2014
1,339
There are some misunderstadings about ASR rules, they are not meant to be silver bullets against malware, similar to anti-exploit techniques, the reason is to make the attack process harder and more expensive for malware creators.
 
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top