App Review Windows Defender Bypassed | The PC Security Channel

[Andy Ful]

But honestly, there are way easier ways to get rid of Windows Defender, ...

There are, but blocked by Defender with enabled Tamper Protection (default setting).

Malware Alert - QBot now pushes Black Basta ransomware in bot-powered attacks

The Black Basta ransomware gang has partnered with the QBot malware operation to gain initial access to corporate environments. QBot (QuakBot) is Windows malware that steals bank credentials, Windows domain credentials, and delivers further malware payloads on infected devices. Victims usually...

malwaretips.com

 

[eonline]

I know only one technique that could bypass this protection, but it is used very rarely and not in the widespread attacks on home users.

I would be glad to know what that technique looks like and how to mitigate it. Thank you so much for always sharing your knowledge.

 

[Local Host]

Your post does not make sense to me. If the innocent-looking malware wants to read exclusions on a home computer then it must elevate. If not, then the attack will fail just like Leo showed for Windows 11. Microsoft fixed the issue several months ago and the behavior on Windows 10 is (and was) the same as on Windows 11. Leo made a mistake in his test, so he thought that the behavior is different on Windows 10 and Windows 11.

Edit1.
I skipped the trolling part of your post. It does not deserve attention.

You don't need to be elevated to read WD Exclusions, nor was this ever about reading WD Exclusions, but about writting (both of which entirely different).

Windows Defender has comprehensive protection against zero days, using local and in-the-cloud AI powered machine learning, reputation based analysis, behavioral analysis and its patended AMSI, latter of which almost all third party antiviruses use to detect malicious scripts, the trick to detecting the newest malware is keeping the Security Intelligence up go date as Microsoft is pretty quick to uncover new campaigns due to having acess to the largest amount of threat telemetry.

People who dont use common sense are the ones not ready for the newer generations of malware, simply because they think AV provides 100% protection and either dont care or dont know to take cyberthreats seriously

I see you not even aware the Cloud is delayed for Home Users, reputation is useless on default settings. As for AMSI is just an API that isn't going to detect anything, not to mention most AV suites are weak against scripts.

There are, but blocked by Defender with enabled Tamper Protection (default setting).

Malware Alert - QBot now pushes Black Basta ransomware in bot-powered attacks

The Black Basta ransomware gang has partnered with the QBot malware operation to gain initial access to corporate environments. QBot (QuakBot) is Windows malware that steals bank credentials, Windows domain credentials, and delivers further malware payloads on infected devices. Victims usually...

malwaretips.com

Tamper protection is useless, as the settings are only reverted after restart, by then the damage is done.

You sharing an extremely poor attempt of trying to bypass WD, your problem is you limited and using extremely basic functions from CMD and Powershell, instead of actually trying to exploit the Windows APIs.

 

[ForgottenSeer 69673]

I was wondering if changing the default profile from powershell to Azure Cloud Shell would help with some of these attacks?

 

[ScandinavianFish]

I see you not even aware the Cloud is delayed for Home Users, reputation is useless on default settings. As for AMSI is just an API that isn't going to detect anything, not to mention most AV suites are weak against scripts.

What in the world is "delayed" supposed to mean? if Windows Defender can detect an file thats not in the cloud it still can detect stuff using the cloud, it simply increase resource usage and puts unknown files in timeout for 60 seconds or less, depending how you have the Cloud Check Time Limit configured, in the end the cloud is there for usability and not getting in the way of the user.

Reputation based detection is the same on any configuration of WD, except if the ASR rule "Block executable files from running unless they meet a prevalence, age, or trusted list criterion" is enabled and has significantly improved Defender's ability to detect things like PUP's, riskware, hacktools, cryptominers, etc, all based on reputation.

AMSI simply is poorly implemented in most AV's, except for a few which I have witnessed myself when testing AV's against malware, not to mention a lot of them have independent technologies to detect malicious scripts, and finally almost all AV'ss, like Windows Defender, relies more on analysis in the cloud rather than local, post-execution technology like AMSI, its all part of the strategy of layered protection, they can also detect the connections to C2 servers or when they download the malicious payloads to an infected system.

If you actually knew how WIndows Defender worked you would already know all of this, instead you cherry pick on half-true details.

 

[Andy Ful]

You don't need to be elevated to read WD Exclusions, nor was this ever about reading WD Exclusions, but about writting (both of which entirely different).

Standard privileges (returns Error):

High privileges:

Did you get a different result on your computer?

Leo's video is about reading the exclusions and downloading the malware to excluded location. Just watch it carefully before posting. You did not mention anything about adding (writing) exclusions in your previous post.

 

[Andy Ful]

Tamper protection is useless, as the settings are only reverted after restart, by then the damage is done.

Your knowledge about Defender is one year old (or older). Just try to disable Defender or disable something protected by Tamper Protection. Please do not write misguiding posts about Defender if you do not know it well.

You sharing an extremely poor attempt of trying to bypass WD, your problem is you limited and using extremely basic functions from CMD and Powershell, instead of actually trying to exploit the Windows APIs.

We are talking about Leo's video. His method depends on using a very simple and non-suspicious script. If you have read my post: Malware Alert - QBot now pushes Black Basta ransomware in bot-powered attacks, then you should realize that just so simple methods are used in the wild and can bypass the Defender protection in Enterprises (like in the QBot case). But, the same method does not work on home computers.
Anyway, we do not talk about advanced malware. It would be useless to talk about advanced malware with you because your knowledge about Defender is very limited and outdated.

 

[Local Host]

What in the world is "delayed" supposed to mean? if Windows Defender can detect an file thats not in the cloud it still can detect stuff using the cloud, it simply increase resource usage and puts unknown files in timeout for 60 seconds or less, depending how you have the Cloud Check Time Limit configured, in the end the cloud is there for usability and not getting in the way of the user.

Reputation based detection is the same on any configuration of WD, except if the ASR rule "Block executable files from running unless they meet a prevalence, age, or trusted list criterion" is enabled and has significantly improved Defender's ability to detect things like PUP's, riskware, hacktools, cryptominers, etc, all based on reputation.

AMSI simply is poorly implemented in most AV's, except for a few which I have witnessed myself when testing AV's against malware, not to mention a lot of them have independent technologies to detect malicious scripts, and finally almost all AV'ss, like Windows Defender, relies more on analysis in the cloud rather than local, post-execution technology like AMSI, its all part of the strategy of layered protection, they can also detect the connections to C2 servers or when they download the malicious payloads to an infected system.

If you actually knew how WIndows Defender worked you would already know all of this, instead you cherry pick on half-true details.

You the one asking questions and try to act like you know how Windows Defender works, you don't even understand nor are aware Home Users are delayed in comparison to Enterprise costumers.

Then you prove my point while trying to prove me wrong, proving further you have no idea what you talking about.

And again talking of AMSI like it's supposed to detect anything, is a simple API, there is nothing to discuss in terms of how it's implemented, the detection is done by the AV itself, not AMSI.

Stop wasting my time, and don't get involved in this discussion.

Standard privileges (returns Error):

View attachment 267349

High privileges:

View attachment 267346

Did you get a different result on your computer?

Leo's video is about reading the exclusions and downloading the malware to excluded location. Just watch it carefully before posting. You did not mention anything about adding (writing) exclusions in your previous post.

You again shooting yourself on the foot by using Powershell, Registry Class (Microsoft.Win32)

You can easily read regedit entries without escalation, and you can even write to the local user. Like I said you supposed to be trying to exploit the Windows APIs, not using basic commands on Powershell/CMD.

Registry does not need elevated priviligies for read access!

 

[ScandinavianFish]

You the one asking questions and try to act like you know how Windows Defender works, you don't even understand nor are aware Home Users are delayed in comparison to Enterprise costumers.

Then you prove my point while trying to prove me wrong, proving further you have no idea what you talking about.

And again talking of AMSI like it's supposed to detect anything, is a simple API, there is nothing to discuss in terms of how it's implemented, the detection is done by the AV itself, not AMSI.

Stop wasting my time, and don't get involved in this discussion.

The fact that you dont provide any info on this "delay" makes me think youre nothing but an sad troll, craving for the tiny amount of attention

You said that scripts are the weak point of any AV, if AMSI is so bad, then whats the point of every AV implementing it? Surely its not that they are too lazy to develop their own technologies to detect scripts.

 

[ForgottenSeer 95367]

I was wondering if changing the default profile from powershell to Azure Cloud Shell would help with some of these attacks?

No; Azure PowerShell doesn't offer any protections above and beyond what the baseline PowerShell execution engine offers.

 

[ForgottenSeer 69673]

No; Azure PowerShell doesn't offer any protections above and beyond what the baseline PowerShell execution engine offers.

Ok thanks, I was just curious is all.

 

[Andy Ful]

Registry does not need elevated priviligies for read access!

View attachment 267350

This behavior is non-standard. Normally you should get an error like in my post (and like in Leo's video for Windows 11). The vulnerability was patched in February 2022.

Microsoft fixes Defender flaw letting hackers bypass antivirus scans

Microsoft has recently addressed a weakness in the Microsoft Defender Antivirus on Windows that allowed attackers to plant and execute malicious payloads without triggering Defender's malware detection engine.

www.bleepingcomputer.com

Leo's video was related to this vulnerability. He does not like Defender (just like you) so he did not notice that the vulnerability had been patched a few months ago.

I am not sure why you can still access the exclusions with standard privileges. In your case the issue can probably happen if you do not use Defender as a primary AV:

 

[ForgottenSeer 69673]

The fact that you dont provide any info on this "delay" makes me think youre nothing but an sad troll, craving for the tiny amount of attention

You said that scripts are the weak point of any AV, if AMSI is so bad, then whats the point of every AV implementing it? Surely its not that they are too lazy to develop their own technologies to detect scripts.

You are correct about this poster. I blocked the poster months ago. Only posts negative about all his or her replies. I do not see the posts when I am logged in and I hope Andy stops responding to this loser. JT

 

[DrSnake09]

Windows Defender can always be bypassed easily, hacking forums like RaidForums (which was been seized), cracked, hackforums and many more laugh about this and anyone who trust more in Windows Defender than in our self defense (our mind). A Good Firewall and user between computer and chair is the best, if you can't have that sorry you probably will be hacked easily.

It's funny to see people trying to "hardening" windows defender, lol any blackhat can bypass WD seriously that is a joke for a professional hacker and blackhat activity guys. I swear lol
You and who believe in the "strong" WD, please make a favor and navigate through hacking forums, even best anti-cheat can be bypassed, now thinks who easily is to bypass WD.

Just my 2cents.

 

[Andy Ful]

I hope Andy stops responding to this loser. JT

You are completely wrong. Without his input, there were only 10% of the posts about Defender, and many readers would be deprived of some valuable information.

Edit.
Although many of my posts are related to Defender free, it is not my favorite security design. I like it because it is an integral part of the system. For me, the security design of Kaspersky, Comodo, or Norton would be more appropriate if made by Microsoft as an integral part of the system. Defender free must be hardened to compete with paid versions of Kaspersky, Comodo, and Norton.
Anyway, at home the difference in the protection between popular AVs is negligible, so I do not complain.

 

[Thales]

Windows Defender can always be bypassed easily, hacking forums like RaidForums (which was been seized), cracked, hackforums and many more laugh about this and anyone who trust more in Windows Defender than in our self defense (our mind). A Good Firewall and user between computer and chair is the best, if you can't have that sorry you probably will be hacked easily.

It's funny to see people trying to "hardening" windows defender, lol any blackhat can bypass WD seriously that is a joke for a professional hacker and blackhat activity guys. I swear lol
You and who believe in the "strong" WD, please make a favor and navigate through hacking forums, even best anti-cheat can be bypassed, now thinks who easily is to bypass WD.

Just my 2cents.

Anti-cheat vs AV? I'm not sure that is a good comparison.
You forget that hackers focus on companies and rarely target inviduals, so hardened WD is overkill for most users.

 

[Local Host]

This behavior is non-standard. Normally you should get an error like in my post (and like in Leo's video for Windows 11). The vulnerability was patched in February 2022.

Microsoft fixes Defender flaw letting hackers bypass antivirus scans

Microsoft has recently addressed a weakness in the Microsoft Defender Antivirus on Windows that allowed attackers to plant and execute malicious payloads without triggering Defender's malware detection engine.

www.bleepingcomputer.com

Leo's video was related to this vulnerability. He does not like Defender (just like you) so he did not notice that the vulnerability had been patched a few months ago.

I am not sure why you can still access the exclusions with standard privileges. In your case the issue can probably happen if you do not use Defender as a primary AV:


View attachment 267353

I just proved is still pretty easy to exploit this problem despite claims of being fixed, and you insist it's fixed, I'm wasting my time here, even threw you a bone which you ignored.

DrSnake09 has it spot on as well, there nothing easier than bypassing WD.

Anti-cheat vs AV? I'm not sure that is a good comparison.
You forget that hackers focus on companies and rarely target inviduals, so hardened WD is overkill for most users.

Anti-Cheats are harder to bypass than AVs, and the communities he mentioned are not focused in companies at all, and yes they all easily bypass WD.

 

[Andy Ful]

Windows Defender can always be bypassed easily, hacking forums like RaidForums (which was been seized), cracked, hackforums and many more laugh about this and anyone who trust more in Windows Defender than in our self defense (our mind). A Good Firewall and user between computer and chair is the best, if you can't have that sorry you probably will be hacked easily.

Any AV can be hacked without much effort by a good hacker. Defender free and system hardening proposed on this forum is not intended to protect against hacking (although it can make it much harder from a remote location). It is intended to protect users against widespread attacks, including scripting and weaponized documents.

You and who believe in the "strong" WD, please make a favor and navigate through hacking forums, even best anti-cheat can be bypassed, now thinks who easily is to bypass WD.

I hacked WD several times and still can recommend Defender free as protection at home. Of course, I could also recommend any other popular AV. For home users the differences in protection between Defender free + Edge and other popular AVs are negligible. Of course, the paid products are worth their price, but the protection is not the most important factor for that because most users apply default settings.

 

[Local Host]

Any AV can be hacked without much effort by a good hacker. Defender free and system hardening proposed on this forum is not intended to protect against hacking (although it can make it much harder from a remote location). It is intended to protect users against widespread attacks, including scripting and weaponized documents.

You way off track, we discussing how easily WD can be bypassed, so you claim Windows Defender is not supposed to protect itself against malware that bypasses it entirely?

And no, there's is no need for a good hacker, any 10y old kid can do it, Microsoft gives us all the tools.

Do you actually use Defender? It is important for this patch.
Aren't you surprised, that this patch does not work only on your computer and works for most computers?
Should anybody be worried, because this patch does not work on your non-standard setup?

You make a lot of assumptions, not to mention the video provided in OP shows more than enough evidence about the so called fix not working.

It works on most computers cause it works on yours? I can use the same argument since it doesn't work on mine.

Plus who are to tell if I tested on a non-standard setup or not, if anything is your PC that isn't a non-standard setup due to not using default settings.

 

[SeriousHoax]

BTW, I just tried it on three different up-to-date systems (2 PCs, 1 laptop) with completely different hardware and as Andy showed, the exclusion reading method doesn't work with standard rights on any system that's running Microsoft Defender as the main AV. So, in any sane system, the method is dead Arguing against it is a waste of time and energy.