Advice Request Windows Defender disabled by malware

Please provide comments and solutions that are helpful to the author of this topic.

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,591
After making several successful POCs and submitting them to Microsoft, I noticed the first signs of Defender's behavior-based detections. One of the executables involved in the UAC bypass is recognized as malicious (I did not submit it to Microsoft). That is good. But, after doing some unimportant changes in the code, the POC works again. Defender suspends two executables and checks them against the cloud backend. Next, the POC disables Defender successfully and runs a payload. I have also sent a message via LinkedIn to Cole Sodja (see the last Security Unlocked podcast) about this MT thread. It seems that Microsoft works on the "Automating threat actor tracking" to determine the scope of the compromise and predict how the attack will progress:


Of course, "threat actors" are related to APT groups in the wild, so I do not think that someone from Microsoft will be interested in our thread (which is about the danger of the possible attack method). The interesting thing about this attack method is that the attacker can adjust the malware with minimum telemetry send to Microsoft. All files used in the attack (before disabling Defender) are not malicious and the attack can be detected only when the attack context is understood (it is not for now).

I did not submit the POC with UAC bypass yet. I am curious if Microsoft will be able to recognize from telemetry that something successfully bypasses UAC to disable Defender (it would be welcome). Usually, such bypasses are not urgent to Microsoft. :unsure:
 
Last edited:

TairikuOkami

Level 37
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,684
In the latest Dev Defender has become very persistent. I used to disable services, but it is no longer that simple, 3rd party AV has to be active and I have to restart. When I disable 3rd party AV to update tools like Nirsoft, Defender manages to enable itself, even though its services are disabled. From a security perspective that is great, from a user one, not so much.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,591
In the latest Dev Defender has become very persistent. I used to disable services, but it is no longer that simple, 3rd party AV has to be active and I have to restart. When I disable 3rd party AV to update tools like Nirsoft, Defender manages to enable itself, even though its services are disabled. From a security perspective that is great, from a user one, not so much.
If it enables itself then the user can simply turn off real-time protection from Security Center. If you do not use Defender in daily work, then you can also whitelist the Downloads folder and the folder where you keep your tools. You can use PowerShell for that. So, even if Defender reactivates itself, your tools will not be detected after downloading (until you do not execute anything).
 

Templarware

Level 10
Thread author
Verified
Well-known
Mar 13, 2021
462
In the latest Dev Defender has become very persistent. I used to disable services, but it is no longer that simple, 3rd party AV has to be active and I have to restart. When I disable 3rd party AV to update tools like Nirsoft, Defender manages to enable itself, even though its services are disabled. From a security perspective that is great, from a user one, not so much.
So, one could argue that using a 3rd party AV is a good security feature. If your main AV gets disabled by malware, Defender will kick in. If you only use Defender, and it gets disabled by malware, you would be defenseless.
 
  • Like
Reactions: TairikuOkami

blackice

Level 39
Verified
Top Poster
Well-known
Apr 1, 2019
2,868
So, one could argue that using a 3rd party AV is a good security feature. If your main AV gets disabled by malware, Defender will kick in. If you only use Defender, and it gets disabled by malware, you would be defenseless.
3rd party AVs can also be disabled by malware if it is targeted to do so. Defender just happens to be one of the bigger targets.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,591
So, one could argue that using a 3rd party AV is a good security feature. If your main AV gets disabled by malware, Defender will kick in. If you only use Defender, and it gets disabled by malware, you would be defenseless.
Cybercriminals are not stupid. They know that Defender will kick in, so they will prepare the malware to dismantle Defender before it could kick in. :unsure:
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,591
3rd party AVs can also be disabled by malware if it is targeted to do so. Defender just happens to be one of the bigger targets.
There are well-known possibilities of dismantling most AVs. It can be done by installing a vulnerable legal driver and then using 0-day malware to exploit this driver. The malware can access the Windows kernel in this way and affect the kernel locations used by AVs to monitor processes.
Furthermore, many AVs use also HIPS and other security layers which work in userland (via hooking). This can be also defeated by malware.
 
Last edited:

wat0114

Level 13
Verified
Top Poster
Well-known
Apr 5, 2021
621
There are well-known possibilities of dismantling most AVs. It can be done by installing a vulnerable legal driver and then using 0-day malware to exploit this driver. The malware can access the Windows kernel in this way and affect the kernel locations used by AVs to monitor processes.
Furthermore, many AVs use also HIPS and other security layers which work in userland (via hooking). This can be also defeated by malware.
From what I typically read in malware analysis reports, the malware usually lands in user space, so wouldn't a properly configured HIPS or other such system hardening tool prevent the malware from launching and subsequently gaining elevated permissions?
 

ErzCrz

Level 23
Verified
Top Poster
Well-known
Aug 19, 2019
1,221
Would there be benefit in switching to If the user switches to profile "Windows_*_Strict_Recommended_Settings.hdc" to block also EXE (TMP) and MSI files in UserSpace? @Andy Ful
 
  • Like
Reactions: Kongo

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top