DDE_Server

Level 8
Attackers relentlessly up their game in bypassing security, either by using evasive techniques or, in the case of sophisticated threats like the fileless campaign Nodersok or the banking Trojan Trickbot, by attempting to disable Windows Defender Antivirus. Attackers go after real-time protection settings like OnAccessProtection policies, try to stop the Windows Defender Antivirus service, or attempt to turn off behavior monitoring and script scanning. In essence, attackers try to break the shield and take down the features that effectively work at stopping them.

One of the innovative ways in which we have hardened our solutions against these kinds of attacks is through tamper protection, a new feature designed to protect against malicious and unauthorized changes to security features, ensuring that endpoint security doesn’t go down. Earlier this year, we rolled out this feature to Windows Insiders and have been working closely with customers on developing the capability.

Today, we are excited to announce that tamper protection is now generally available!

Tamper protection prevents unwanted changes to security settings on devices. With this protection in place, customers can mitigate malware and threats that attempt to disable security protection features. Here are some examples of services and settings that are protected from modification, either by local admins or by malicious applications:

  1. Real-time protection, which is the core antimalware scanning feature of Microsoft Defender ATP next generation protection and should rarely, if ever, be disabled
  2. Cloud-delivered protection, which uses our cloud-based detection and prevention services to block never-before-seen malware within seconds
  3. IOAV (IE Downloads and Outlook Express Attachments initiated), which handles the detection of suspicious files from the Internet
  4. Behavior monitoring, which works with real-time protection to analyze and determine whether active processes are behaving in a suspicious or malicious way, and then blocks them
  5. Security intelligence updates, which Windows Defender Antivirus uses to detect the latest threats

The development of this feature is a result of our extensive research into the evolving threat landscape and attack patterns, along with consistent engagement with and feedback from customers and partners. The lack of visibility of tampering attempts at various levels can make it difficult to mitigate sophisticated threats. Customer feedback on deployment and other aspects of the feature were critical in our journey towards today’s GA. Here’s what some of these customers say about tamper protection:

“Tamper protection is a critical feature for us as we need to defend Microsoft Defender ATP to ensure that malicious actions are not going around our security platforms. While complex behind the scenes, Microsoft has made it extremely easy for us to configure and deploy through Microsoft Intune and allow our SecOps team visibility into any potential tampering events so we can further investigate and remediate.” – Rich Lilly, Partner | Associate Director, Netrixllc

“Microsoft’s new tamper protection feature ensures that Lexipol endpoints remain secured and in compliance by protecting against both malicious and accidental changes to Microsoft Defender ATP’s security settings. With Microsoft Intune, managed endpoints outside of the corporate VPN can be reached with ease and the inclusion of tamper protection settings in Microsoft Intune policies has greatly simplified the deployment of this critical security feature. The combination of tamper protection and Microsoft Intune increases Lexipol’s security posture while reducing the complexity of monitoring for compliance.” – Patrick Sudderth, Director of Information Technology, Lexipol


Enabling tamper protection for enterprises through Microsoft Intune

Tamper protection can be deployed and managed centrally – and securely – through Microsoft Intune, similar to how other endpoint security settings are managed. The feature can be enabled for the entire organization, or through device and user groups.

We designed deployment to be secure. We partnered with Microsoft Intune to build a secure channel to light up this feature. In this release, any changes to the tamper protection state may only be made through Microsoft Intune, not through any other methods like group policy, registry key, or WMI. Integration with other management channels will be prioritized based on customer demand.

When an administrator enables the policy in Microsoft Intune, the tamper protection policy is digitally signed in the backend before it’s sent to endpoints. The endpoint verifies the validity and intent, establishing that it is a signed package that only security operations personnel with Microsoft Intune admin rights can control. With the right level of reporting, security operations teams are empowered to detect any irregularities.

Once the feature is enabled by administrators, users will see tamper protection turned on.

To learn more, see Protect security settings with tamper protection.

Reporting and hunting for tampering attempts across organizations

When a tampering attempt is detected on endpoints, an alert is raised in Microsoft Defender Security Center. Using the rich endpoint and detection response capabilities in Microsoft Defender ATP, security operations teams can investigate and resolve these attempts.

Tampering attempts typically indicate bigger cyberattacks where threat actors change security settings as a way to persist and stay undetected. With reporting and advanced hunting capabilities in Microsoft Defender ATP, security operations teams can hunt for tampering attacks in organizations. This empowers SecOps to detect such attacks, investigate using the rich tooling provided by Microsoft Defender ATP, and respond to and stop cyberattacks.

We’re also working on reporting device status in Threat and Vulnerability Management. This feature will be available in the near future.

Tamper protection enabled by default for home users

For home users, tamper protection will be enabled by default to automatically increase defenses against attacks. We’re currently turning on the feature gradually; some customers will start seeing the setting on their devices. Customers can use the Windows Security app to review or change tamper protection settings and turn the feature on manually.

We believe it’s critical for customers, across home users and commercial customers, to turn on tamper protection to ensure that essential security solutions are not circumvented. We will continue working on this feature, including building support for older Windows versions. We’ll announce these enhancements when they become available, so watch the Microsoft Defender ATP community. In the meantime, enable tamper protection today and give us feedback.
The article link :
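As an added example (not part of the article or of any post in this thread), a PowerShell audit that uses the Defender module's Get-MpComputerStatus and Get-MpPreference cmdlets to check whether the settings the article lists as tamper-protected are in their expected state, and whether tamper protection itself reports as on. The 7-day signature-age threshold and treating Defender event ID 5001 (real-time protection disabled) as a tampering indicator are assumptions of this example.

```powershell
# Audit the Defender settings the article describes as tamper-protected.
# Assumes Windows 10 with the built-in Defender PowerShell module; run elevated.
$status = Get-MpComputerStatus
$pref   = Get-MpPreference

# Map each protected setting from the article to the cmdlet properties that reflect it.
$checks = @(
    @{ Name = 'Tamper protection';          Ok = [bool]$status.IsTamperProtected }
    @{ Name = 'Real-time protection';       Ok = $status.RealTimeProtectionEnabled -and -not $pref.DisableRealtimeMonitoring }
    @{ Name = 'Cloud-delivered protection'; Ok = $pref.MAPSReporting -ne 0 }          # 0 = MAPS off
    @{ Name = 'IOAV protection';            Ok = $status.IoavProtectionEnabled -and -not $pref.DisableIOAVProtection }
    @{ Name = 'Behavior monitoring';        Ok = $status.BehaviorMonitorEnabled -and -not $pref.DisableBehaviorMonitoring }
    @{ Name = 'Security intelligence age';  Ok = $status.AntivirusSignatureAge -le 7 } # 7-day threshold is an assumption
    @{ Name = 'Antimalware service';        Ok = [bool]$status.AMServiceEnabled }
)

$report = foreach ($c in $checks) {
    [pscustomobject]@{ Setting = $c.Name; Compliant = [bool]$c.Ok }
}
$report | Format-Table -AutoSize

# Recent "real-time protection disabled" events are worth a look even if the
# settings are currently fine: they show when protection was turned off.
$disabledEvents = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5001
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue
if ($disabledEvents) {
    Write-Warning ("{0} real-time protection disable event(s) in the last 7 days; latest: {1}" -f
        $disabledEvents.Count, $disabledEvents[0].TimeCreated)
}

$failed = @($report | Where-Object { -not $_.Compliant })
if ($failed.Count -gt 0) {
    Write-Warning ("{0} protected setting(s) not in the expected state: {1}" -f
        $failed.Count, ($failed.Setting -join ', '))
    exit 1
}
```

A non-zero exit makes the script usable from a scheduled task or a management agent as a simple compliance check.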
 

Umbra

Level 10
Verified
MS dudes are funny, waiting for WD to be bypassed to implement what should have been done from the start... and now they promote it as an awesome feature... ROFL.
If you develop security software, the first thing you do is protect it from being disabled by an attacker; if you can't, go find another job. Lol.
It's as if you installed a CCTV camera in your backyard powered via a cable plugged into an external outlet lol.
 

notabot

Level 14
Now let's see Microsoft's commitment to open standards. I'm sure they will open up the protocol, and publish the communication protocol or schema so that we're not locked into MS-only services, since anything else would not be aligned with their stated commitment to open standards, right?
 

Rijndael

Level 1
waiting for WD to be bypassed to implement what should have been done from the start... and now they promote it as an awesome feature...
:ROFLMAO::ROFLMAO::ROFLMAO::ROFLMAO::ROFLMAO::ROFLMAO: Totally agree


It is a shame that until recently you could disable WD simply by modifying a registry key.
The funny thing is that although this key can only be modified by accounts with admin rights, Windows has a large number of bugs that allow an attacker to easily bypass UAC and escalate privileges.
 

Umbra

Level 10
Verified
:ROFLMAO::ROFLMAO::ROFLMAO::ROFLMAO::ROFLMAO::ROFLMAO: Totally agree


It is a shame that until recently you could disable WD simply by modifying a registry key.
The funny thing is that although this key can only be modified by accounts with admin rights, Windows has a large number of bugs that allow an attacker to easily bypass UAC and escalate privileges.
Indeed, and some aren't even bugs; they are just vulnerabilities by design. There are so many lateral moves to get privilege escalation.
 

Andy Ful

Level 49
Verified
Trusted
Content Creator
Worrying about turning off the AV after the malware has gained admin rights is like worrying about the size of the casket after your death.:alien:

It is normal to think about strong AV self-protection, but far more important is preventing the malware from accessing admin rights. If the malware can run as admin, then it can be prepared to dismantle any protection on Windows.
I suspect that most people do not worry as much about UAC bypassing as about turning off the AV.:unsure:
 

notabot

Level 14
Microsoft does not consider UAC a security boundary btw:

 

Rijndael

Level 1
Indeed, and some aren't even bugs; they are just vulnerabilities by design. There are so many lateral moves to get privilege escalation.
Exactly! There are even ways, by design, to bypass AppLocker (with macros, and by calling certain WinAPI functions with specific parameters. A hotfix exists, but you have to install it manually :emoji_sob:).



Worrying about turning off the AV after the malware has gained admin rights is like worrying about the size of the casket after your death.
:ROFLMAO::ROFLMAO:
A very funny simile, and it is true in most simple infections, but disabling the antivirus can be interesting from the point of view of a malware writer. Almost immediately I came up with the following example:

Malware Design

Downloader.exe
Size 10-30 kb
Functions: Download File, Save File on disk, Run File, Disable WD (Registry access)
It does not call Windows API functions that can trigger WD radars
The odds of being detected as malware are low
Only detectable using file reputation services

Malware.exe
Size 50+ kb
Lots of malware related Windows API calls - Malicious Behavior
High odds of being detected by ML, heuristics...


Attack scheme

Downloader -> Disable WD -> Download Malware.exe -> Run Malware.exe
WD will never see Malware.exe


Disabling WD before the malware infects the PC also prevents malicious code from being sent to analysis systems in the WD Cloud.
 

Nightwalker

Level 17
Verified
Content Creator
Worrying about turning off the AV after the malware has gained admin rights is like worrying about the size of the casket after your death.:alien:

It is normal to think about strong AV self-protection, but far more important is preventing the malware from accessing admin rights. If the malware can run as admin, then it can be prepared to dismantle any protection on Windows.
I suspect that most people do not worry as much about UAC bypassing as about turning off the AV.:unsure:
Exactly, thanks again for your insights, it is very much appreciated.

I don't know why some security forum users are so fixated on antivirus self-defense, local/admin bypass, malware cutting the cloud connection and so on. Wake up, folks: if the malware has already executed or got admin/local access, you are already doomed, the end.
 

Burrito

Level 21
Verified
When I was hit by ransomware, and it wiped out a network of computers, the first thing I thought was..... "Hmmmm, I wonder if my antivirus self-defense was bypassed."

I'm glad you understand the humor @Nightwalker & others.. :giggle:

Subtle humor with different native languages involved can be tricky..
 

Nightwalker

Level 17
Verified
Content Creator
I'm glad you understand the humor @Nightwalker & others.. :giggle:

Subtle humor with different native languages involved can be tricky..
Well, to be fair, English is a much simpler language to learn compared to Portuguese/Spanish/French, and by no means am I criticizing it; I really like how everything works without too much redundancy or complexity, and how nice it is for music is a huge bonus too.

With that said, I have to say that the Portuguese language is absurdly redundant and full of useless complexities; you native speakers of English (British or American) don't have to worry about accents, crases, diaereses, the different uses of the "porques", the difference in use between "mau" and "mal", "mas" and "mais", "haja vista" and "haja visto", diphthongs, triphthongs, hiatuses, digraphs and so on.

Moreover, you don't have to deal with the issue of diglossia, which makes it exceedingly hard for a foreigner to master the formal/educated register of the language.

The "spoken" version of Portuguese is not hard to pick up; it is possible to learn it in a reasonably short time, but the written, formal version is quite inaccessible, including for a large share of the population that suffers under a mediocre education system.
 
Last edited:

Andy Ful

Level 49
Verified
Trusted
Content Creator
...
:ROFLMAO::ROFLMAO:
A very funny simile, and it is true in most simple infections, but disabling the antivirus can be interesting from the point of view of a malware writer. Almost immediately I came up with the following example:

Malware Design

Downloader.exe
Size 10-30 kb
Functions: Download File, Save File on disk, Run File, Disable WD (Registry access)
It does not call Windows API functions that can trigger WD radars
The odds of being detected as malware are low
Only detectable using file reputation services

Malware.exe
Size 50+ kb
Lots of malware related Windows API calls - Malicious Behavior
High odds of being detected by ML, heuristics...


Attack scheme

Downloader -> Disable WD -> Download Malware.exe -> Run Malware.exe
WD will never see Malware.exe


Disabling WD before the malware infects the PC also prevents malicious code from being sent to analysis systems in the WD Cloud.
Disabling AV can be interesting for the malc0ders, but far more interesting for them is accessing admin rights. All of the above examples require admin rights.
Most attacks will not disable the AV protection after accessing admin rights, and they will still be very dangerous. So, the primary concern should be about malware accessing admin rights and not about AV self-protection (which is also important, but not as important).

By the way, these examples could work well some time ago. Now, most of them can be detected (in theory) by WD post-execution detection.
We will see if these new features will be as efficient as in the case of some other AVs.
 
Last edited:

Nightwalker

Level 17
Verified
Content Creator
In my opinion security is not linear, but must be implemented in layers.
I like security, that's why I care about it.
Personally I don't care too much about stuff that doesn't matter in a real-life usage scenario.

It is not necessary to break the antivirus self-defense to infiltrate the system, but it can be done by a motivated attacker anyway:


If a malware has successfully executed and obtained admin access, it is already over, there is no reason to bother with the antivirus at all, but if the initial payload execution is denied in the first place (Windows Defender can do that) the self-defense has no utility.

By no means is tamper protection useless, but it is highly overrated in keeping the system protected.
 

Rijndael

Level 1
more interesting for them is accessing Admin rights
Sorry, I forgot to add a "bypass UAC" function to the Downloader (which we should not worry about ;))

It is not necessary to break the antivirus self-defense
No, it is not necessary to break the antivirus self-defense, but it is necessary for an AV to have self-defense mechanisms.

If a malware has successfully executed and obtained admin access, it is already over, there is no reason to bother with the antivirus at all
In my previous example the malware only runs when the AV is disabled, because that is a requirement to prevent the AV from detecting the malware using ML, heuristics...