App Review Microsoft Defender's challenge.

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Content created by
Andy Ful
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,142
wat0114 said:
Andy,

I don't suppose you could provide a basic flowchart of this bypass, without of course revealing details on how it works? :whistle:
Click to expand...

That's right. My videos intend to show that generally the AV protection can be bypassed, assuming that the attacker has already got high privileges.
My intention was not to focus on explaining how to do it and what can happen next.
Of course, "what can happen next" must also be discussed to understand why one should focus on how to prevent it. :)
At home, "what can happen next" is a minor problem compared to "how to prevent malware, especially the elevated one".

Edit.
In Enterprises, "what can happen next" becomes an important problem. It is hardly possible to prevent security breaches.
The videos are also examples of why in an Enterprise environment, the AV should be a piece of more complex security.
 
Last edited:
  • +Reputation
  • Like
Reactions: SeriousHoax, simmerskool, Trident and 1 other person
Trident

Trident

Level 28
Verified
Top Poster
Well-known
Feb 7, 2023
1,737
Andy Ful said:
In Enterprises, "what can happen next" becomes an important problem. It is hardly possible to prevent security breaches.
The videos are also examples of why in an Enterprise environment, the AV should be a piece of more complex security
Click to expand...
More complex security such as user rights management, network segmentation, email security, encryption, IPS and others. But disabling EDR/XDR will be a huge issue as many times, it is the central point of all integrations and monitoring. Common LOLBins should definitely be blocked from executing.
 
  • Like
  • +Reputation
Reactions: simmerskool and Andy Ful
Practical Response

Practical Response

Level 7
Mar 10, 2024
339
Andy Ful said:
Edit.
In Enterprises, "what can happen next" becomes an important problem. It is hardly possible to prevent security breaches.
The videos are also examples of why in an Enterprise environment, the AV should be a piece of more complex security.
Click to expand...
To be fair in enterprise, it hinges on a few factors actually, from the company willing to allocate enough funding to the IT department to taking time down to accurately patch/secure, servers/networks and devices to controlling the devices with standard accounts and Admin oversight, to employee training on social engineering.

Most breaches happen from unpatched vulnerabilities or tricked social engineering, both of which can be minimized with proper handling.
 
  • Like
Reactions: harlan4096, simmerskool, Andy Ful and 1 other person
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,142
Trident said:
More complex security such as user rights management, network segmentation, email security, encryption, IPS and others. But disabling EDR/XDR will be a huge issue as many times, it is the central point of all integrations and monitoring. Common LOLBins should definitely be blocked from executing.
Click to expand...

All "possible" layers should be applied. By "possible", I mean also usable in daily work.
 
  • Like
Reactions: simmerskool and Trident
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,142
Practical Response said:
Most breaches happen from unpatched vulnerabilities or tricked social engineering, both of which can be minimized with proper handling.
Click to expand...

The problem is that minimizing is usually not enough, for several reasons. In practice, one must assume a breach to happen and be prepared to minimize the impact of the breach.
 
  • Like
  • +Reputation
Reactions: simmerskool, Practical Response and Trident
Practical Response

Practical Response

Level 7
Mar 10, 2024
339
Andy Ful said:
The problem is that minimizing is usually not enough, for several reasons. In practice, one must assume a breach to happen and be prepared to minimize the impact of the breach.
Click to expand...
Absolutely agree on preparations. The main problem is if determined enough as you pointed out things can still happen, regardless, a skilled breach may take effect. Off setting these are offline backups, segmented networks, intranets, many aspects of which can be deployed, but require the companies to be willing to take their security seriously. That latter part is usually the issue, the companies do not wish to allocate the necessary funds to harden a network for its business.
 
  • Like
  • Wow
Reactions: harlan4096, Virtuoso, Andy Ful and 1 other person
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,142
LennyFox said:
Would be interesting to know whether DefenderUI's DefenderGuard would warn when @Andy Ful POC disables the Defender Service. When it did and it would re-enable Defender service there would be a benefit of using DUI over ConfigureDefender (@oldschool).
Click to expand...

Re-enabling the Defender service will fail.
 
  • +Reputation
  • Thanks
  • Like
Reactions: LennyFox, simmerskool and ErzCrz
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,142
I contacted with Microsoft via Researcher Portal:

1711970270176.png
 

Attachments

  • 1711970057517.png
    1711970057517.png
    64.2 KB · Views: 50
  • Like
  • +Reputation
  • Applause
Reactions: SeriousHoax, Virtuoso, toto_10 and 13 others

Similar threads

Shadowra
    • Like
    • +Reputation
    • Thanks
App Review Microsoft Defender Antivirus with Andy Ful WHHLight
Replies
38
Views
3,914
Video Reviews - Security and Privacy
LennyFox
L
Andy Ful
    • +Reputation
    • Like
    • Thanks
App Review Comodo's challenge part 2.
Replies
54
Views
2,958
Video Reviews - Security and Privacy
Andy Ful
Andy Ful
vtqhtr413
    • Like
Technology Intel Game On driver Boosts performance, adds support for 4 new titles
Replies
0
Views
157
Technology News
vtqhtr413
vtqhtr413

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top