- Feb 25, 2017
- 2,585
Windows Defender Bypassed | The PC Security Channel
- Thread starter Kongo
- Start date
It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
- Jul 15, 2016
- 321
- Sep 2, 2021
- 2,586
Windows Defender escapes are commonplace.
There was a malware that did this too called MosaicLoader, which created registry keys to put its Payloads in exclusions...
That's why those who are Geek Hardened Windows Defender, but it can be fatal for a novice...
Thanks for the video!
There was a malware that did this too called MosaicLoader, which created registry keys to put its Payloads in exclusions...
That's why those who are Geek Hardened Windows Defender, but it can be fatal for a novice...
Thanks for the video!
- Mar 16, 2019
- 3,862
If I remember correctly, this method already didn't work in Windows 11 when it was discovered by a security person who shared it on Twitter.
But according to this video it still works in Windows 10 which is very surprising
But according to this video it still works in Windows 10 which is very surprising
- Mar 29, 2018
- 7,596
- Nov 26, 2017
- 728
- Apr 5, 2021
- 619
Good one. I temporarily unblocked PS Sponsors from H_C SRP rules, and launched it as user:
I'm not sure, but doesn't PS run in Constrained Language mode defeat this kind of attack as well?
- Dec 23, 2014
- 8,484
This is probably the worst of Leo's videos.
First, this video does not show any difference between Windows 10 and 11. Simply Leo did not notice that on Windows 10 the PowerShell was executed with high privileges and on Windows 11 with standard privileges.
In fact, both on Windows 10 and 11 the query will fail with standard privileges.
So, the innocent (not really malicious) trojan downloader cannot get the information about Defender's exclusions. Everyone can check it on their own computer with Windows 10.
Gathering the information about Defender's exclusions can be done only if the malware could first get high privileges. So if the system is compromised with high privileges, then exclusions can be used to get persistence. Of course, in this case, the malware can simply add the exclusion (does not need to read the exclusions).
First, this video does not show any difference between Windows 10 and 11. Simply Leo did not notice that on Windows 10 the PowerShell was executed with high privileges and on Windows 11 with standard privileges.
In fact, both on Windows 10 and 11 the query will fail with standard privileges.
So, the innocent (not really malicious) trojan downloader cannot get the information about Defender's exclusions. Everyone can check it on their own computer with Windows 10.
Gathering the information about Defender's exclusions can be done only if the malware could first get high privileges. So if the system is compromised with high privileges, then exclusions can be used to get persistence. Of course, in this case, the malware can simply add the exclusion (does not need to read the exclusions).
No
Leo is not concerned with covering details in-depth. He just wants short-and-fast videos as opposed to long thorough videos. His target audience is neophytes and not enthusiasts.This is probably the worst of Leo's videos.
First, this video does not show any difference between Windows 10 and 11. Simply Leo did not notice that on Windows 10 the PowerShell was executed with high privileges and on Windows 11 with standard privileges.
- Dec 7, 2021
- 540
His videos are always entertaining nevertheless
- Dec 23, 2014
- 8,484
if Leo would make his video several months ago and would use standard rights (instead of high privileges) to query for Defender's exclusions, then the video would be OK. In the year 2021, this attack vector was not covered by Microsoft (it has been patched several months ago).
But in his current video, he wrongly informs users that the vulnerability that was patched several months ago is still present.
You might say that he intentionally used high privileges to read the exclusions, but then the video does not make sense at all.
- Dec 23, 2014
- 8,484
Yes and No.
The attack presented in the video does not make sense in the year 2022, so let's go back to the year 2021 (before patching the vulnerability) and let's perform it correctly by using standard rights.
The attack is based on using a trojan downloader (PowerShell script) to query for the exclusions and download the malware. It is true that the script could read the exclusions, but in most cases, the malware download would be blocked by Constrained Language Mode.
Edit.
I do not think that Leo intentionally made his video to misguide the Defender users. He simply does not like Defender, and was not sufficiently objective to recognize his error.
Last edited:
- Dec 23, 2014
- 8,484
H_C can fully block this attack in the Recommended_Settings, except when something is exploited and a special (rarely used in the wild) PowerShell CmdLine is executed. In most cases, such attacks will be blocked by Constrained Language Mode or FirewallHardening. I know only one technique that could bypass this protection, but it is used very rarely and not in the widespread attacks on home users.
What about Simple Windows Hardening?
- Dec 23, 2014
- 8,484
The script restrictions are the same as for the H_C.
This is a Windows Defender bypass, not a UAC bypass, so it applies regardless of what Andy thinks of malware having admin rights. Ignoring the fact what is using admin rights is not even malware, but is a valid command Windows accepts (which is the concern here).
But honestly, there are way easier ways to get rid of Windows Defender, and most malware is ready for it, due to being default on Windows. Windows Defender will only save you from old and detected malware.
There more than enough tests incl. in our own Malware Hub that prove that.
But honestly, there are way easier ways to get rid of Windows Defender, and most malware is ready for it, due to being default on Windows. Windows Defender will only save you from old and detected malware.
There more than enough tests incl. in our own Malware Hub that prove that.
Last edited:
- Dec 23, 2014
- 8,484
Your post does not make sense to me. If the innocent-looking malware wants to read exclusions on a home computer then it must elevate. If not, then the attack will fail just like Leo showed for Windows 11. Microsoft fixed the issue several months ago and the behavior on Windows 10 is (and was) the same as on Windows 11. Leo made a mistake in his test, so he thought that the behavior is different on Windows 10 and Windows 11.
Edit1.
I skipped the trolling part of your post. It does not deserve attention.
Last edited:
Windows Defender has comprehensive protection against zero days, using local and in-the-cloud AI powered machine learning, reputation based analysis, behavioral analysis and its patended AMSI, latter of which almost all third party antiviruses use to detect malicious scripts, the trick to detecting the newest malware is keeping the Security Intelligence up go date as Microsoft is pretty quick to uncover new campaigns due to having acess to the largest amount of threat telemetry.
People who dont use common sense are the ones not ready for the newer generations of malware, simply because they think AV provides 100% protection and either dont care or dont know to take cyberthreats seriously
Last edited:
- Aug 16, 2021
- 232
Similar threads
