Andy Ful

Level 44
Verified
Trusted
Content Creator
My general impression is that if someone specifically crafts malware to bypass ASR, he might succeed, but regular malware will be blocked.
That was the author's (and my) conclusion too. :giggle:
I can bypass ASR rules by myself, so why not others. The author is very good at bypassing Windows security. A few bypasses were new to me.

Edit.
I read this article and watched a video (thanks to @enemyofarsenic) two months ago. :giggle:
Most bypasses use scripts or VBA macros, so they can be prevented by H_C.

blackice

Level 7
My question is if the average malware coder would bother since most people don’t even know how to turn ASR on or off in the security center, at least at home. Minimal effort for biggest return. I would hope most enterprises do it as part of their standard system image. But enterprise focused malware is a whole different beast. But I guess we here are concerned beyond the average malware coder.
 

Andy Ful

Level 44
Verified
Trusted
Content Creator
This article can be summed up by two quotations from the author:

My opinion is that with ASR, Microsoft attempts to shut down a whole category of phishing exploits.
For example, the rule “Block all Office applications from creating child processes” probably blocks 99.9% of macro-based droppers found in the wild.
.....
.....
I think ASR is a great feature to prevent common malware attacks. At the same time, most rules seem broken or way too easy to bypass. In fact, during my tests I can say I had more problems with bypassing AMSI for scripts/office documents than ASR.
Currently, ASR is not well known by blue teams. It's probable that as more defenders adopt these measures, attackers will adapt their tools to bypass them.
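For readers who want to try the rule quoted above on their own machine, here is an added example (not from the thread or the article) that enables “Block all Office applications from creating child processes” in Block mode, confirms the configured action, and pulls the Defender events that record ASR blocks and audits. It assumes an elevated PowerShell session on Windows 10/11 with Microsoft Defender Antivirus as the active engine.

```powershell
# Added example, not part of the original thread.
# Documented GUID of the ASR rule "Block all Office applications from creating child processes".
$RuleId = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

# Enforce the rule. Use -AttackSurfaceReductionRules_Actions AuditMode first on a pilot group
# if you want to see what would be blocked (e.g. legitimate Office add-ins) before enforcing.
Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                 -AttackSurfaceReductionRules_Actions Enabled

# Verify: Get-MpPreference reports rule IDs and actions as two parallel arrays
# (0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn).
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    '{0}  action={1}' -f $pref.AttackSurfaceReductionRules_Ids[$i],
                         $pref.AttackSurfaceReductionRules_Actions[$i]
}

# Detection side: ASR writes Event ID 1121 (blocked) and 1122 (audited) to the Defender
# operational log. Reviewing these is how you notice a macro dropper the rule stopped,
# or a bypass attempt that only triggered an audit entry.
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1121, 1122
    } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

If `Get-WinEvent` returns nothing, no ASR block or audit has fired since the log was last cleared, which is the expected state on a clean machine.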

askalan

Level 16
Verified
Malware Hunter
I want to add a ConfigureDefender section to the Hard_Configurator home page because ConfigureDefender is an important part of H_C. But I'm still missing a text/phrase. @Andy Ful @shmu26 @oldschool

A section with the test results from the Hub (H_C tweaks and SmartScreen without any AV as usual) will be added later. Any help or advice (EDIT: changed tip to advice perhaps of confusion) is welcome! (maybe an extra FAQ?)