Q&A Windows Defender disabled by malware

Andy Ful

Level 69
Verified
Trusted
Content Creator
Dec 23, 2014
5,886
Hi Andy! Not meaning in any way to divert from an illuminating thread, but when you refer to an UAC bypass, do you mean at the Default level, at Always Notify level, or both?

Hi,
I could not find any (Default level or Always Notify). Anyway, I did not try all possibilities.
 

Andy Ful

Level 69
Verified
Trusted
Content Creator
Dec 23, 2014
5,886
How many times have you mentioned other Windows Security components in this thread? So many times in fact, that I thought we were talking about Windows Security. And this is not the only thread this happens on.
All components mentioned by me were strictly related to Defender and the attack (SmartScreen, UAC). It seems that you in three posts talked more about it than me in all my posts.:unsure:
 

Raiden

Level 19
Verified
Content Creator
May 7, 2018
913
Hi,
I could not find any (Default level or Always Notify). Anyway, I did not try all possibilities.
I am sure you are aware, but just in case... if you hit the Windows key and just type UAC, you will get an option for UAC settings. It is there where you can change the level of UAC. Interestingly enough, for me it says the default is at max?? Usually it's one step down. I am not sure if this is new with 20H2, or if it's because I am on a standard account and I changed it to max already?? Either way, if you weren't sure, that's how you could change the level if you wanted to. Now back to our regularly scheduled show "bashing WD....." lol jk:p
 
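The UAC slider described in the post above writes a pair of registry values, so the current level can be read (and the "Always notify" setting applied) from a script instead of the control panel. The following is an added example, not code from the thread or from Microsoft; it assumes the standard `Policies\System` key and the documented value meanings, and `Set-UacAlwaysNotify` must run from an elevated prompt.

```powershell
# Added example: read the effective UAC level from the values the
# "Change User Account Control settings" slider writes, and optionally
# set the slider to its maximum ("Always notify") position.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacLevel {
    $p = Get-ItemProperty -Path $UacKey
    if ($p.EnableLUA -ne 1) { return 'UAC disabled (EnableLUA=0)' }

    # Slider positions map to ConsentPromptBehaviorAdmin/PromptOnSecureDesktop.
    switch ("$($p.ConsentPromptBehaviorAdmin)/$($p.PromptOnSecureDesktop)") {
        '2/1'   { 'Always notify (slider at maximum)' }
        '5/1'   { 'Notify only when apps try to make changes (Windows default)' }
        '5/0'   { 'Notify without dimming the desktop' }
        '0/0'   { 'Never notify' }
        default { "Non-standard combination: ConsentPromptBehaviorAdmin=$($p.ConsentPromptBehaviorAdmin), PromptOnSecureDesktop=$($p.PromptOnSecureDesktop)" }
    }
}

function Set-UacAlwaysNotify {
    # Same effect as dragging the slider to the top; requires an elevated shell.
    Set-ItemProperty -Path $UacKey -Name EnableLUA                  -Value 1 -Type DWord
    Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
    Set-ItemProperty -Path $UacKey -Name PromptOnSecureDesktop      -Value 1 -Type DWord
}

# Usage: report the current level; uncomment the second line to harden.
Get-UacLevel
# Set-UacAlwaysNotify
```

`ConsentPromptBehaviorAdmin` governs accounts in the Administrators group; a standard user is prompted for credentials according to `ConsentPromptBehaviorUser` instead, which is why the slider can look different on a standard account. Auto-elevation of signed Microsoft binaries, the mechanism the UAC bypass later in the thread relies on, only applies below the "Always notify" position, so this is the value to check when deciding how much the prompt is worth.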

danb

From VoodooShield
Verified
Developer
May 31, 2017
888
All components mentioned by me were strictly related to Defender and the attack (SmartScreen, UAC). It seems that you in three posts talked more about it than me in all my posts.:unsure:
I actually did not mention a single Windows Security component. In fact, the only component I mentioned was SRP, which has been deprecated by Microsoft so it is not part of Windows Security. I used the term Windows Security simply because you mentioned other Windows Security components.
 

Local Host

Level 23
Verified
Sep 26, 2017
1,284
@Raiden I disagree, @Andy Ful has multiple times denied Windows Defender has weaknesses against script attacks (went as far as claiming WD competes against Kaspersky in this department), same way he claims there's no need for third-party AVs nowadays.

Using AV tests to prove a point is simply a weak argument (those tests are to be taken with a grain of salt, and not as real-world results), something that can be easily tested in your own environment: write a simple malicious script and WD won't flinch after analysing the code from AMSI (try the same with any other third-party AV; this was actually done recently in a topic I already shared here).

Despite WD having improved over the years, it is still not a top-tier product and will let a good chunk of malware pass through it; on Enterprise with ATP it is a different story, as long as it is being monitored by a professional.

As for UAC bypasses, Microsoft's own APIs supply the doors. I use them often at work, so my scripts don't bother casual users with prompts while being able to run code with elevated privileges (making the processes entirely automatic).

@danb, it is true SRP has been deprecated; Microsoft wants people to use Application Control and AppLocker instead.
 

Andy Ful

Level 69
Verified
Trusted
Content Creator
Dec 23, 2014
5,886
It seems that the discussion here has temporarily focused on what @Andy Ful thinks or said. So, I am going to present my view again because it has been apparently misunderstood.
I have a request to @Spawn. It would be good to move the off-topic posts (mine and other people) about what I think in relation to Defender to another thread. I already made a thread for that:
https://malwaretips.com/threads/the-truth-about-windows-defender-on-windows-10-home-pro.88142/
But, it can be another appropriate thread, too.

So, here is my view (If one is really interested):
  1. Defender (on default) has only mediocre anti-script protection. The same is true for all popular Home AVs. There are objective reasons to think that Defender anti-script protection is one of the best among Home AVs. Also, the ASR rules can make the anti-script protection much better and comparable to the commercial Business AVs. Still, such protection can be bypassed in many ways by a hacker.
  2. If the Home User uses Defender + Edge with SmartScreen and PUA protection, then the protection is so close to the commercial Home AVs that there is no reason to change the AV. The same is true for any popular AV installed on the computer in the home environment. The reason is not that the protection is bulletproof, but that the difference in protection is very small - many times smaller compared to infections caused by the user's habits and behavior.
  3. Any single AV test is a weak argument to see the differences in the protection between AVs. Simply, these differences are usually too small and the results have too much random noise. I never use such an argument. I made a cumulative summary of the tests (for Home AVs) made by the three biggest and trusted AV testing Labs (AV-Test, AV-Comparatives, SELabs). These results are statistically significant because they include all available tests from the period of the last two years. Furthermore, the comparison makes sense only when all AVs participated in all tests - this criterion is usually not fulfilled in the homemade tests. It would be extremely difficult to make reliable conclusions about differences in protection between AVs, even when analyzing hundreds of homemade videos.
  4. It is true that Microsoft wants people to use AppLocker and Defender Application Control. But, it is also clear that they cannot be used effectively on Windows Home. Also, SRP was never officially supported on Windows Home. So, in fact, SRP has been deprecated by Microsoft since the XP era many years ago and still works well (also tested on the upcoming Windows 21H1). AppLocker uses the same Safer APIs as SRP, so it is very improbable that SRP will stop working soon. It is probable that some AV vendors will disappear before this happens. It is also probable that there will not be support for SRP on new Windows editions like Windows 10X.
  5. The auto protection design of Defender has some weak points that are better protected in some other AVs. Kaspersky could probably be a good example of that. In my opinion, Microsoft tries only to make the life of attackers harder and make such attacks rare, instead of solving the problem. Tamper Protection in the current design does not solve the problem for sure.
  6. My personal choice for AV family solution (non-security-oriented people) is Kaspersky Internet Security. I already presented my view here:
    https://malwaretips.com/threads/malware-and-antivirus-needed.106771/post-930270
    The security-oriented people can choose other solutions to protect the family computers (many solutions are discussed on MT). My personal choice is still Windows built-in security. The second choice would be probably tweaked KIS or Norton with SWH. For unknown reasons, Comodo Firewall does not work well on my computers. Otherwise, I could choose it with CS settings, too. There are many solutions for everybody.
I hope that the above points are sufficiently clear.(y)

Post edited for more clarity.
 
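Points 1 and 5 of the post above turn on a few concrete Defender settings: real-time and behavior monitoring, Tamper Protection, cloud and PUA protection, and the ASR rules that harden the script side. The block below is an added example, not code from the thread or from Microsoft, that audits those settings with the `Defender` PowerShell module and can enable the two script-related ASR rules in block mode. It assumes Windows 10 with `Get-MpComputerStatus`, `Get-MpPreference` and `Add-MpPreference` available; the rule GUIDs are the ids Microsoft publishes for those rules and should be checked against the current ASR rule reference before use, and `Enable-ScriptAsrRules` needs an elevated shell.

```powershell
# Added example: audit the Defender protections discussed in the thread and
# optionally enable the two ASR rules that target script-based infection chains.
# Assumes the built-in Defender module on Windows 10; changes require elevation.

# ASR rule ids as published by Microsoft (verify against the current reference).
$ScriptAsrRules = @{
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript/VBScript from launching downloaded executable content'
}

function Get-DefenderPosture {
    # Snapshot of the switches malware in this thread tries to turn off.
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    [pscustomobject]@{
        AntivirusEnabled   = $status.AntivirusEnabled
        RealTimeProtection = $status.RealTimeProtectionEnabled
        BehaviorMonitoring = $status.BehaviorMonitorEnabled
        TamperProtected    = $status.IsTamperProtected
        CloudProtection    = ($pref.MAPSReporting -ne 0)   # 0 = Disabled, 1 = Basic, 2 = Advanced
        PUAProtection      = ($pref.PUAProtection -eq 1)   # 1 = Block, 2 = Audit only
        SignatureAge       = (Get-Date) - $status.AntivirusSignatureLastUpdated
    }
}

function Get-ScriptAsrRuleState {
    # Ids and Actions are parallel arrays; action 0=Disabled 1=Block 2=Audit 6=Warn.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    foreach ($id in $ScriptAsrRules.Keys) {
        $action = 0
        for ($i = 0; $i -lt $ids.Count; $i++) {
            if ("$($ids[$i])" -ieq $id) { $action = $actions[$i] }
        }
        [pscustomobject]@{
            Rule = $ScriptAsrRules[$id]
            Id   = $id
            Mode = switch ($action) { 0 {'Disabled'} 1 {'Block'} 2 {'Audit'} 6 {'Warn'} default {"Unknown($action)"} }
        }
    }
}

function Enable-ScriptAsrRules {
    # Add-MpPreference appends without disturbing rules that are already configured.
    foreach ($id in $ScriptAsrRules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
    }
}

# Usage: print the posture and rule state; uncomment the last line to harden.
Get-DefenderPosture
Get-ScriptAsrRuleState | Format-Table -AutoSize
# Enable-ScriptAsrRules
```

Running `Get-DefenderPosture` on a schedule (or after any suspicious installer) is a cheap way to notice the outcome the thread is about: a machine whose `RealTimeProtection` or `TamperProtected` flipped to `False` without an administrator doing it. Audit mode (`AttackSurfaceReductionRules_Actions AuditMode`) is the usual first step when testing ASR rules on a machine with unknown software, since block mode on the obfuscated-script rule can interfere with legitimate minified scripts.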

Andy Ful

Level 69
Verified
Trusted
Content Creator
Dec 23, 2014
5,886
Finally, I completed the POC by adding UAC bypass (but not for MAX UAC setting) based on autoelevation of Microsoft trusted executable. All known bypasses were patched by Microsoft recently or detected by Defender, so I did some research and modified one bypass discovered in the last year. The POC with UAC bypass worked well when initiated by the AutoIt script. The DLL hijacking was successful and then UAC was bypassed. Defender suspended the POC twice for 10 seconds to check the executables in the cloud, but in the end, the POC disabled Defender and executed the payload.
Next, I compiled the AutoIt script and put all executables in one EXE installer (made by NSIS). After execution, the new executables were suspended for 10 seconds and behavior-based modules detected them in the cloud as Trojan:Win32/Fuerboos.B!cl and Trojan:Win32/Wacatac.B!ml.
This example shows the difference between the home-made tests and in-the-wild samples.
If I have some time, then maybe I will try to replace the initial AutoIt script with a BAT script.(y)
 

Templarware

Level 5
Mar 13, 2021
241
If the Home User uses Defender + Edge with SmartScreen and PUA protection, then the protection is so close to the commercial Home AVs that there is no reason to change the AV. The same is true for any popular AV installed on the computer in the home environment. The reason is not that the protection is bulletproof, but that the difference in protection is very small - many times smaller compared to infections caused by the user's habits and behavior.
If using another browser with the Windows Defender Browser Protection extension, how much protection do we lose compared to Edge?
Someone already told me it's not quite the same, but didn't specify what exactly.
 

blackice

Level 32
Verified
Apr 1, 2019
2,179

Templarware

Level 5
Mar 13, 2021
241
WD Browser Protection has not fared as well as other extensions such as Malwarebytes Browser Guard or Bitdefender Trafficlight in @Evjl's Rain 's testing:
Q&A - [Updated 29/12/2018] Browser extension comparison: Malwares and Phishings
Yeah, but my question was very different. I want to know the comparison between WD Browser Protection and Edge. WD Browser Protection is supposed to bring Edge's protection to other browsers. Is it the same as Edge? Or if not, what does Edge have that WD Browser Protection does not? Regarding SmartScreen and Windows Defender, of course.
 

blackice

Level 32
Verified
Apr 1, 2019
2,179
Yeah, but my question was very different. I want to know the comparison between WD Browser Protection and Edge. WD Browser Protection is supposed to bring Edge's protection to other browsers. Is it the same as Edge? Or if not, what does Edge have that WD Browser Protection does not? Regarding SmartScreen and Windows Defender, of course.
Yes, you are correct, I realized that after I posted it, sorry about that. Andy may know better, but my understanding is the browser extension is not quite as effective as SmartScreen, specifically at blocking downloads. Also, I can't find the posts, but if I remember correctly the URL blocking wasn't as good as SmartScreen's. Again, I await Andy's response.
 

Templarware

Level 5
Mar 13, 2021
241
I do not know. The tests were done a long time ago. I do not know any reliable tests about it.:unsure:
"The Microsoft Defender Browser Protection extension for Google Chrome allows you to add an additional layer of protection when browsing online, powered by the same trusted intelligence found in Microsoft Edge. The extension alerts you about known malicious links, and gives you a clear path back to safety."

I've read somewhere that it enables SmartScreen on the browsers.

Why do you consider Edge so special?
 

Andy Ful

Level 69
Verified
Trusted
Content Creator
Dec 23, 2014
5,886
...
I've read somewhere that it enables SmartScreen on the browsers.

Why do you consider Edge so special?
It does not. But in theory, it should use the same blacklist as SmartScreen. Anyway, the theory can be different from the real world. Edge is a special web browser because it is well integrated with Defender.
 

Templarware

Level 5
Mar 13, 2021
241
It does not. But in theory, it should use the same blacklist as SmartScreen. Anyway, the theory can be different from the real world. Edge is a special web browser because it is well integrated with Defender.
So, if someone uses another browser, would it make more sense to use another AV?
 

Andy Ful

Level 69
Verified
Trusted
Content Creator
Dec 23, 2014
5,886
Finally, I completed the POC by adding UAC bypass (but not for MAX UAC setting) based on autoelevation of Microsoft trusted executable. All known bypasses were patched by Microsoft recently or detected by Defender, so I did some research and modified one bypass discovered in the last year. The POC with UAC bypass worked well when initiated by the AutoIt script. The DLL hijacking was successful and then UAC was bypassed. Defender suspended the POC twice for 10 seconds to check the executables in the cloud, but in the end, the POC disabled Defender and executed the payload.
Next, I compiled the AutoIt script and put all executables in one EXE installer (made by NSIS). After execution, the new executables were suspended for 10 seconds and behavior-based modules detected them in the cloud as Trojan:Win32/Fuerboos.B!cl and Trojan:Win32/Wacatac.B!ml.
This example shows the difference between the home-made tests and in-the-wild samples.
If I have some time, then maybe I will try to replace the initial AutoIt script with a BAT script.(y)
After changing the initial AutoIt script to a BAT script, Defender is defeated again. As usual, introducing some scripting methods into the infection chain (instead of executables) can increase the success of the attack. The infection chain is rather complicated, so it is not probable in widespread attacks. But, it can be used in targeted attacks via drive-by downloads or spear phishing.
The attack can be less visible when turning on Defender protection again after the malware is deeply buried in the system.
As usual, the POC will be submitted to Microsoft soon.
 