App Review Microsoft Defender- Hard to Explain

Content created by
cruelsister

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
@cruelsister Can you check if Magniber can bypass SAC in Windows 11 22H2?

SAC can block Magniber in two ways:
  1. It checks MSI files via code integrity.
  2. It also checks DLLs loaded by processes via code integrity.
SAC uses file reputation lookup kinda similarly to Comodo (including loaded DLLs). Here is the screenshot after running the Magniber:

SAC uses AppLocker events for MSI files similarly to Microsoft Defender Application Control.

Local Host

Default deny is not standard user protection, so it has no say in this specific test that is targeted at home users. Microsoft Defender is not detecting anything in default-deny; it is simply blocking, and is useless to detect malware.

That type of security is used in companies, where users are intended to have limited rights.

Cracked software also has nothing to do with malware unless you roam fake sources; there have been no legit CD-KEY generators in over 20 years, we're not in 2000... Cracking methods have long since evolved along with the software that has online checks.

It is no news to anyone that MD can't protect properly; security comes from common sense, and with enough experience you don't need any AV at all, and MD is not even an option considering how buggy and resource hungry it is (so it is not even useful as a paperweight).

Andy Ful

Microsoft Defender is not detecting anything in default-deny, is simply blocking, and is useless to detect malware.
That is right but needs clarifying.
Microsoft Defender (not paid) cannot be set to (strict) default-deny on the home computers. One can use Windows built-in MDAC or SRP, but in the strict default-deny mode, they can be used without Microsoft Defender (with any AV).

Smart Application Control is a file reputation feature similar to SmartScreen for Explorer but much more comprehensive. It is similar to KIS in @harlan4096 settings (Kaspersky uses KSN and SAC uses Microsoft ISG).
Of course, such a feature is useless to detect malware, but most users do not want to detect malware on their computers. They want to use computers safely.

Anyway, SAC in its current form is hardly useful. Even Defender in ConfigureDefender MAX settings is more user-friendly, and as we know, not many MT members decided to enable it.

Edit.
I think that the proper naming for SAC would probably be "allow list" (or smart-default-deny) instead of default-deny.

Andy Ful

The worst thing I noticed in SAC is that you can successfully install/update the application and it can be blocked or not fully functional after installation/update. Simply, some executables (usually DLLs) are not properly whitelisted, even if the main installer is allowed by SAC.

Local Host

That is right but needs clarifying.
Microsoft Defender (not paid) cannot be set to (strict) default-deny on the home computers. One can use Windows built-in MDAC or SRP, but in the strict default-deny mode, they can be used without Microsoft Defender (with any AV).

Smart Application Control is a file reputation feature similar to SmartScreen for Explorer but much more comprehensive. It is similar to KIS in @harlan4096 settings (Kaspersky uses KSN and SAC uses Microsoft ISG).
Of course, such a feature is useless to detect malware, but most users do not want to detect malware on their computers. They want to use computers safely.

Anyway, SAC in its current form is hardly useful. Even Defender in ConfigureDefender MAX settings is more user-friendly, and as we know, not many MT members decided to enable it.

Edit.
I think that the proper naming for SAC would be probably "allow list" (or smart-default-deny) instead of default-deny.
I don't know why SAC, MDAC and SRP are even mentioned, but they are part of Microsoft Defender; Microsoft simply does not limit features to the Anti-Virus module because they know people like to use third parties.

You pretty much used AppLocker to block the MSI files, which has nothing to do with SAC; it is not detecting anything, nor is it usable for Home Users, where you are not supposed to have restricted access to the computer like in companies.

That will mess with so much software; it is not even considered protection but paranoia.

Andy Ful

I don't know why SAC, MDAC and SRP are even mentioned, ...
You wrote, "Microsoft Defender is not detecting anything in default-deny, is simply blocking ...".
So, about what default-deny did you think?

You pretty much used AppLocker to block the MSI files that has nothing to do with SAC, ...

Some functionality of AppLocker is integrated into SAC and enforced by setting SAC to ON.
SAC is built on MDAC (WDAC) policies (with ISG file lookup), and it logs the events related to MSI files and scripts in the same way as MDAC (WDAC).

A Windows Defender Application Control policy logs events locally in Windows Event Viewer in either enforced or audit mode. These events are generated under two locations:

  • Events about Application Control policy activation and the control of executables, dlls, and drivers appear in Applications and Services logs > Microsoft > Windows > CodeIntegrity > Operational
  • Events about the control of MSI installers, scripts, and COM objects appear in Applications and Services logs > Microsoft > Windows > AppLocker > MSI and Script
https://docs.microsoft.com/en-us/wi...der-application-control/event-id-explanations
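As an added example (not code from this thread, from Microsoft, or from any tool mentioned here), the PowerShell below pulls the recent WDAC/SAC events from the two logs listed above, so a home user can see what SAC evaluated or blocked. It assumes an elevated PowerShell session on Windows 11 with SAC set to Evaluation or On, and uses the event IDs documented on the linked page: 3076/8028 for audit entries and 3077/8029 for enforced blocks.

```powershell
# Added example: list recent WDAC/SAC audit and block events.
# CodeIntegrity/Operational covers executables, DLLs and drivers;
# AppLocker/MSI and Script covers MSI installers, scripts and COM objects.
# Event IDs (from the WDAC event-id documentation linked above):
#   3076 / 8028 = audit (what SAC "Evaluation" writes),
#   3077 / 8029 = enforced block (what SAC "On" writes).
$Logs = @{
    'Microsoft-Windows-CodeIntegrity/Operational' = @(3076, 3077)
    'Microsoft-Windows-AppLocker/MSI and Script'  = @(8028, 8029)
}

function Get-AppControlEvents {
    param([int]$Hours = 24)   # how far back to look
    $since = (Get-Date).AddHours(-$Hours)
    foreach ($log in $Logs.Keys) {
        $filter = @{ LogName = $log; Id = $Logs[$log]; StartTime = $since }
        # Get-WinEvent throws "No events were found" when nothing matches,
        # so an empty log (e.g. SAC set to Off) is not treated as an error.
        Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
            ForEach-Object {
                $mode = if ($_.Id -in 3077, 8029) { 'Blocked' } else { 'Audit' }
                [pscustomobject]@{
                    Time   = $_.TimeCreated
                    Log    = $log.Split('/')[-1]
                    Id     = $_.Id
                    Mode   = $mode
                    # First line of the message names the file that was evaluated
                    Detail = ($_.Message -split "`r?`n")[0]
                }
            }
    }
}

# Example run: everything SAC audited or blocked in the last three days.
Get-AppControlEvents -Hours 72 | Sort-Object Time -Descending | Format-Table -AutoSize
```

With SAC in Evaluation you should see only Audit rows for a blocked installer; switching SAC to On turns the same file into a Blocked row, which matches the behaviour described later in the thread.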
 

Local Host

You wrote, "Microsoft Defender is not detecting anything in default-deny, is simply blocking ...".
So, about what default-deny did you think?

Some functionality of AppLocker is integrated into SAC and enforced by setting SAC to ON.
SAC is built on MDAC (WDAC) policies (with ISG file lookup), and it logs the events related to MSI files and scripts in the same way as MDAC (WDAC).

https://docs.microsoft.com/en-us/wi...der-application-control/event-id-explanations
You are just reinforcing what I said, as that has nothing to do with SAC. I suggest you read both pages slowly.

This is how you create entries for WDAC.

Microsoft doesn't even supply support for Home Users; these policies are to be used in companies where users don't have rights to install software and are restricted to running specific ones.

You are confusing and comparing a feature for companies with another that is for home users, which makes no sense! There is a reason you don't have access to the deployment and management tools, which make configuring all these options extremely easy.

If it was up to me, Microsoft would remove this from Group Policies and Scripts, so people stop complaining that Microsoft doesn't give options and explanations for stuff that isn't for Home Users to touch.

Andy Ful

@Local Host,

The question about blocking Magniber by SAC was already answered. I ran the sample on Windows Insider. When SAC was in the evaluation setting, the sample could be executed, and the event was logged just like MDAC (WDAC) logs events when set to Audit mode. With SAC enabled, the sample was blocked by SAC (block event logged). After disabling SAC (OFF position), the sample could be successfully executed (no event in the log).

Your posts did not bring here anything useful. If you want to discuss more, please open your own thread.

Edit.
Some more information about SAC is expected soon after the update of the “Signed and Reputable” template in the WDAC wizard that will match the Smart App Control WDAC XML:

Andy Ful

If someone did not know that SAC is based on MDAC (WDAC), here is an article about it:
Smart App control is limited to Windows 11. Smart App Control does run on a feature called WDAC or Windows Application Control. Application Control essentially allows a user or an IT admin to specify a policy for what apps and essentially all code that runs on the system, both in kernel mode and user mode. So while Smart App Control isn't necessarily available on Windows 10, you can make use of the great app control features as far back as Windows 10. So WDAC or application control is available on Windows 10 and above. There are no hardware or SKU limitations and it also ties into Defender reputation AI in the cloud.

That is why SAC can block the Magniber ransomware, as I presented in my posts.

EASTER

If someone did not know that SAC is based on MDAC (WDAC), here is an article about it:

That is why SAC can block the Magniber ransomware, as I presented in my posts.
Useful and interesting read @Andy Ful and thanks for it.

If, and it's always an IF when Microsoft makes hints, do you believe this will be added for Windows 10 HOME versions, or is it a higher tier they propose to implement it on? That is, if they actually do follow through with it for those systems.

Andy Ful

Useful and interesting read @Andy Ful and thanks for it.

If and it's always a IF when Microsoft makes hints, do you believe this will be added for Windows 10 HOME versions or is it a higher tier they propose to implement it on, that is if they actually do follow through with it for those systems.
Microsoft announced that SAC will not be introduced to Windows 10. On Windows 10 Home, one can use similar protection based on MDAC (WDAC). I tested some variants of such protection about two years ago, for example:
https://malwaretips.com/threads/application-control-on-windows-10-home.89753/post-897583
The MDAC (WDAC) policies work on Windows Home, but the binary policy file has to be created on Windows Pro (at least) or downloaded in binary form.

I also noticed that it cannot be user-friendly, so I tried a more friendly solution (based on WDAC and Microsoft Defender ASR rules):
https://malwaretips.com/threads/application-control-on-windows-10-home.89753/post-911371

The problem with protection based on MDAC (WDAC) is the inability to make exclusions for files not allowed by Microsoft ISG (**). This problem, and the not-so-great ISG allow-listing, make the idea hardly usable. For example, you can have a working application installed in the system that can become not fully functional or crash just after the update. Anyway, such protection can be applied to the computers that use Microsoft applications, Microsoft Store Apps, and probably also for digitally signed & very popular applications.

(**)
The exclusions can be made by reverse-engineering the WDAC binary policies. I can do it, and I could even make an application that could add such exclusions by changing the WDAC policy file. But, such an application could be recognized by Microsoft as PUA or Hack tool. Furthermore, such an application would be much harder to use than Hard_Configurator with MAX restrictions. :(

ForgottenSeer 95367

If you think @cruelsister is just a youtuber, you have not been following her work :) Learn my child learn :)
Did you know that following a Youtube tester makes you a Groupie?

The gaggle of adoring, worshipping security enthusiast Pamela Des Barres at the feet of @cruelsister on the security forums has grown to be a tribe. @cruelsister knows how to build a fanbase. And she can probably whip your security fantasies into a frenzy.

Andy Ful

The video shows only half of the attack. The attacker also has to deliver a payload to the victim and convince the victim to execute it. The attack can also exploit some vulnerabilities in the victim's environment (mostly in businesses). After execution, the payload connects to the HTTP server which is controlled by the attacker.
I think that some business AVs (with firewalls) could possibly block the reverse shell attack.
The attack from the video can be easily prevented by simple firewall hardening (PowerShell outbound connection restrictions).

This video is very different from the Magniber (MSI version). In the Magniber campaign, many victims could be also home users. The attack in the video is a typical penetration event, related to the business environment. It would be better to use the business version of Defender with settings recommended by Microsoft (ASR rules, firewall rules, enabled policies, etc.).

The free Windows built-in security on default settings is known to be insufficient protection in businesses.

Post edited.