Advice Request Windows Defender disabled by malware

Please provide comments and solutions that are helpful to the author of this topic.

Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,491
wat0114 said:
From what I typically read in malware analysis reports, the malware usually lands in user space, so wouldn't a properly configured HIPS or other such system hardening tool prevent the malware from launching and subsequently gaining elevated permissions?
Click to expand...
Yes, in the home environment (against widespread attacks). It can be partially done in businesses by reducing the attack surface. But, the larger/complex the local network (and Internet integration) the bigger are chances of breaches. Nowadays, one has to accept the Zero Trust security model, which assumes that the Enterprise can be compromised. But anyway, the security has to quickly identify the breach, prevent lateral movement and data leak.
 
  • Like
Reactions: SeriousHoax, Zartarra, wat0114 and 3 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,491
ErzCrz said:
Would there be benefit in switching to If the user switches to profile "Windows_*_Strict_Recommended_Settings.hdc" to block also EXE (TMP) and MSI files in UserSpace? @Andy Ful
Click to expand...
UserSpace is still protected in Recommended_Settings. The exceptions are two hidden folders (ProgramData and AppData). Normally, the EXE (TMP) and MSI files from the Internet can land there via drive-by downloads (when web browsing), opening these files directly from the email client, opening these files directly via archiver application (7-Zip, Winzip, WinRar, etc.), or exploiting some application. The first three are protected in Recommended_Settings, too (SmartScreen Application Reputation, <Harden Archivers>, <Harden Email Clients>). Anyway, If there is a fair possibility of exploiting then "Windows_*_Strict_Recommended_Settings can be useful.
Generally, using the more and more restricted system always can add some protection. But usually, this covers the malware which will probably never happen on your computer. If you want to add something to Recommended_Settings then you have to be sure that it is necessary for some reason.
 
Last edited:
  • Like
  • Thanks
Reactions: SeriousHoax, [correlate], harlan4096 and 4 others
ErzCrz

ErzCrz

Level 22
Verified
Top Poster
Well-known
Aug 19, 2019
1,157
Andy Ful said:
UserSpace is still protected in Recommended_Settings. The exceptions are two hidden folders (ProgramData and AppData). Normally, the EXE (TMP) and MSI files from the Internet can land there via drive-by downloads (when web browsing), opening these files directly from the email client, opening these files directly via archiver application (7-Zip, Winzip, WinRar, etc.), or exploiting some application. The first three are protected in Recommended_Settings, too (SmartScreen Application Reputation, <Harden Archivers>, <Harden Email Clients>). Anyway, If there is a fair possibility of exploiting then "Windows_*_Strict_Recommended_Settings can be useful.
Generally, using the more and more restricted system always can add some protection. But usually, this covers the malware which will probably never happen on your computer. If you want to add something to Recommended_Settings then you have to be sure that it is necessary for some reason.
Click to expand...
Thanks Andy. Was just checking if it would help prevent WD being disabled since there was mention of the executable in the userspace in previous posts on this topic. I'm protected enough with the default recommended settings, I'll stick with those.

SecureKongo said:
Either I am blind or nobody is mentioning the option to run MD in a sandbox... Wouldn't that be the best option to ensure Defender isn't getting disabled by malware?
Click to expand...

I was wondering the same thing.
 
  • Like
Reactions: wat0114, ForgottenSeer 85179, [correlate] and 3 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,491
Andy Ful said:
...
I did not submit the POC with UAC bypass yet. I am curious if Microsoft will be able to recognize from telemetry that something successfully bypasses UAC to disable Defender (it would be welcome). Usually, such bypasses are not urgent to Microsoft. :unsure:
Click to expand...
Defender is still learning. I can see two new detections that now block the attack (POC worked well yesterday):
Trojan:Win32/Hynamer.A!ml
Trojan:Win32/MereTam.A
I did no submit the POC to Microsoft, so it is based on Defender's ML.
The first detection (behavior-based) is somehow related to my UAC bypass, but I am not sure if it can fully stop it. We will see after some testing.:)
 
  • Like
  • +Reputation
  • Applause
Reactions: SeriousHoax, Zartarra, wat0114 and 6 others
wat0114

wat0114

Level 13
Verified
Top Poster
Well-known
Apr 5, 2021
619
@Templarware

if you have Process Explorer installed in place of Task manager, you can see if Defender is sandboxed by opening it as Administrator, then you should see the MsMpEngCP.exe process running with integrity: AppContainer.

Defender sandbox.png
 
  • Like
  • Applause
Reactions: Andy Ful, SeriousHoax, ForgottenSeer 85179 and 2 others
Templarware

Templarware

Level 10
Thread author
Verified
Well-known
Mar 13, 2021
462
SecureKongo said:
xenit.se

Run Windows Defender inside a sandbox - Xenit

Last week Microsoft released the news that they have added a new feature to Windows Defender Antivirus. The new feature allows Windows Defender Antivirus to run within a sandbox.
xenit.se xenit.se

Never really used MD so I can't answer your second question.
Click to expand...
So, in 2021 we need to run a CMD command to activate an important AV feature? 🤣
Why isn't this in the security settings? Same could be said for MAPS...
 
  • Like
Reactions: Zartarra, ForgottenSeer 85179 and Kongo
D

davisd

Level 3
Verified
Jan 27, 2019
108
Read all replies and didn't learn a thing, I am fine with disabling WD manually via group policy whenever i would need that, but as for speaking that malware can do that, safe and aware computer users, especially participants in security forums are most likely to never encounter such malware at all, if any. I know that some of you run on-demand scanners daily just for "safety", but it has nothing to do with safety, it's called a security software addiction which can be seen clearly when arguing. Learn and study the operating system you are using, not the additional software to manage it.
 
  • Applause
  • Like
  • HaHa
Reactions: Game Of Thrones, robboman, SeriousHoax and 3 others
N

Nagisa

Level 7
Verified
Jul 19, 2018
342
Templarware said:
So, in 2021 we need to run a CMD command to activate an important AV feature? 🤣
Why isn't this in the security settings? Same could be said for MAPS...
Click to expand...

Defender sandbox is not an important security feature and Defender has already its cloud submit feature enabled by default. Though, in both cases it sends the file only if it has MOTW tag.
 
  • HaHa
Reactions: Templarware
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,491
Nagisa said:
Defender sandbox is not an important security feature and Defender has already its cloud submit feature enabled by default. Though, in both cases it sends the file only if it has MOTW tag.
Click to expand...
Cloud delivered protection works also for files without MOTW if these files are executed (and are recognized as suspicious). The MOTW is necessary for the "Block at first sight" feature, which works on access for all files with MOTW (does not require file execution).
 
  • +Reputation
  • Like
Reactions: Gandalf_The_Grey, Kongo and ForgottenSeer 85179
SeriousHoax

SeriousHoax

Level 49
Verified
Top Poster
Well-known
Mar 16, 2019
3,862
I think malware or even legit programs adding themselves into the exclusions is another unsettling thing. If you install McAfee then for some reason McAfee put itself into Microsoft Defender's exclusions. A year ago when I installed Acronis True Image, it put itself into Defender's exclusion which I discovered 4-5 days later after I uninstalled the program. Both required admin rights but when trusted programs ask for that while installing then surely we will allow that.
I also found a malware today which added something to Defender's exclusion while it was executed. The sample is at least 10 days old and the payload is detected by every AV, so Defender also detected and removed it, but the exclusions remained. The malware is a combination of 4 files. One .bat, two .dat, one .dll.
Interestingly the exclusion was not for any files, instead the Defender UI was showing file type, "exe" and "dat" into the exclusion.
Microsoft makes it easy to manage it via registry modification, powershell, group policy etc. for ease of use I assume.
One of the plus point of Microsoft Defender is that it's very much integrated into the system, but this plus point is also one of its main weak point. Adding exclusions shouldn't be so easy.
I never encounter any malware in my real world usage so Defender is more than enough for me, but I hope Microsoft do something in the future to counter these issues.
 
  • Like
  • Wow
Reactions: Zartarra, Back3, Gandalf_The_Grey and 5 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,491
Templarware said:
So, in 2021 we need to run a CMD command to activate an important AV feature? 🤣
Why isn't this in the security settings? Same could be said for MAPS...
Click to expand...
This is done intentionally, to prevent changes made by home users. It is a somewhat strange point of view, but it is fully consistent with Microsoft's security philosophy. If Defender Sandbox will work without any issues then it will be integrated with Security Center.
 
  • Like
Reactions: Kongo and ForgottenSeer 85179
N

Nagisa

Level 7
Verified
Jul 19, 2018
342
Andy Ful said:
Cloud delivered protection works also for files without MOTW if these files are executed (and are recognized as suspicious). The MOTW is necessary for the "Block at first sight" feature, which works on access for all files with MOTW (does not require file execution).
Click to expand...
So MOTW only matters in the step 6?

Detonation-based-ML-diagram.png


SecurityNightmares said:
Why did you say that? It harden Defender against manipulation and increase his security.
Click to expand...
I'm guessing that any exploit advanced enough to leverage the AV engine itself would rather be used in the targeted attacks. This is just not in my threat model. But still I keep it enabled as it doesn't cause any harm.

By the manipulation if you meant scripts, I never heard that sandboxing would prevent such scenario.
 
  • Like
  • HaHa
Reactions: Templarware and Kongo

Similar threads

A
Advice Request Need to escape tracking
Replies
29
Views
1,313
General Security Discussions
aftech
A
Shadowra
    • Like
    • +Reputation
    • Thanks
App Review Microsoft Defender Antivirus + Windows 11 Smart App Control (SAC)
Replies
44
Views
3,231
Video Reviews - Security and Privacy
tofargone
tofargone
L
    • Like
App Review Windows Defender Controlled Folders bypassed by ransomware
Replies
1
Views
350
Video Reviews - Security and Privacy
oldschool
oldschool

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top