App Review: Microsoft Defender's challenge.

Content created by
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
Andy,

I don't suppose you could provide a basic flowchart of this bypass, without of course revealing details on how it works? :whistle:

That's right. My videos intend to show that generally the AV protection can be bypassed, assuming that the attacker has already got high privileges.
My intention was not to focus on explaining how to do it and what can happen next.
Of course, "what can happen next" must also be discussed to understand why one should focus on how to prevent it. :)
At home, "what can happen next" is a minor problem compared to "how to prevent malware, especially the elevated one".

Edit.
In Enterprises, "what can happen next" becomes an important problem. It is hardly possible to prevent security breaches.
The videos are also examples of why in an Enterprise environment, the AV should be a piece of more complex security.

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
In Enterprises, "what can happen next" becomes an important problem. It is hardly possible to prevent security breaches.
The videos are also examples of why in an Enterprise environment, the AV should be a piece of more complex security.
More complex security such as user rights management, network segmentation, email security, encryption, IPS and others. But disabling EDR/XDR will be a huge issue as, many times, it is the central point of all integrations and monitoring. Common LOLBins should definitely be blocked from executing.
 

ForgottenSeer 109138

Edit.
In Enterprises, "what can happen next" becomes an important problem. It is hardly possible to prevent security breaches.
The videos are also examples of why in an Enterprise environment, the AV should be a piece of more complex security.
To be fair, in enterprise it hinges on a few factors, actually: from the company being willing to allocate enough funding to the IT department, to taking the time to accurately patch/secure servers/networks and devices, to controlling the devices with standard accounts and Admin oversight, to employee training on social engineering.

Most breaches happen from unpatched vulnerabilities or tricked social engineering, both of which can be minimized with proper handling.
 

Andy Ful
More complex security such as user rights management, network segmentation, email security, encryption, IPS and others. But disabling EDR/XDR will be a huge issue as many times, it is the central point of all integrations and monitoring. Common LOLBins should definitely be blocked from executing.

All "possible" layers should be applied. By "possible", I mean also usable in daily work.
 

Andy Ful
Most breaches happen from unpatched vulnerabilities or tricked social engineering, both of which can be minimized with proper handling.

The problem is that minimizing is usually not enough, for several reasons. In practice, one must assume a breach to happen and be prepared to minimize the impact of the breach.
 

ForgottenSeer 109138

The problem is that minimizing is usually not enough, for several reasons. In practice, one must assume a breach to happen and be prepared to minimize the impact of the breach.
Absolutely agree on preparations. The main problem is that, if determined enough, as you pointed out, things can still happen; regardless, a skilled breach may take effect. Offsetting these are offline backups, segmented networks, intranets, many aspects of which can be deployed, but they require the companies to be willing to take their security seriously. That latter part is usually the issue: the companies do not wish to allocate the necessary funds to harden a network for their business.
 

Andy Ful
Would be interesting to know whether DefenderUI's DefenderGuard would warn when @Andy Ful's POC disables the Defender Service. If it did, and it would re-enable the Defender service, there would be a benefit of using DUI over ConfigureDefender (@oldschool).

Re-enabling the Defender service will fail.
 
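One defender-side check for the situation this exchange describes (the Defender service stopped or disabled by an already-elevated attacker, with re-enabling failing), as an added example that is not part of the thread or of the POC: it reports the WinDefend service state, the engine and tamper-protection flags from Get-MpComputerStatus, and recent Defender operational events 5001 (real-time protection disabled) and 5013 (tamper protection blocked a change). It assumes an elevated PowerShell session on a Windows host with the built-in Defender module; the function name Test-DefenderTamper is hypothetical.

```powershell
# Added example, not from the thread. Assumes elevated PowerShell on Windows
# with the built-in Defender module; the function name is hypothetical.
function Test-DefenderTamper {
    param([int]$LookbackHours = 24)

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Service state. WinDefend is the AV engine service; a Disabled start
    #    type is the "re-enabling will fail" situation discussed above.
    $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    if (-not $svc) {
        $findings.Add('WinDefend service not found')
    } else {
        if ($svc.Status -ne 'Running')    { $findings.Add("WinDefend status is $($svc.Status)") }
        if ($svc.StartType -eq 'Disabled') { $findings.Add('WinDefend start type is Disabled') }
    }

    # 2. Engine status. When the service is down this cmdlet itself fails;
    #    that failure is reported as a finding rather than swallowed.
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        if (-not $mp.AMServiceEnabled)          { $findings.Add('AMServiceEnabled is false') }
        if (-not $mp.AntivirusEnabled)          { $findings.Add('AntivirusEnabled is false') }
        if (-not $mp.RealTimeProtectionEnabled) { $findings.Add('RealTimeProtectionEnabled is false') }
        if (-not $mp.IsTamperProtected)         { $findings.Add('IsTamperProtected is false') }
    } catch {
        $findings.Add("Get-MpComputerStatus failed: $($_.Exception.Message)")
    }

    # 3. Recent Defender operational events: 5001 = real-time protection
    #    disabled, 5013 = tamper protection blocked a change. No matching
    #    events yields $null, which the foreach simply skips.
    $events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 5013
        StartTime = (Get-Date).AddHours(-$LookbackHours)
    }
    foreach ($e in $events) {
        $findings.Add("Event $($e.Id) at $($e.TimeCreated): $($e.Message.Split("`n")[0])")
    }

    [pscustomobject]@{
        Host     = $env:COMPUTERNAME
        Healthy  = ($findings.Count -eq 0)
        Findings = $findings.ToArray()
    }
}

Test-DefenderTamper | Format-List
```

Schedule it from a central management host rather than as a local task, since the same privileges that stopped Defender can disable a local task or clear the local log.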

Andy Ful
I contacted Microsoft via Researcher Portal (screenshot attached).
