June 30th, 2024

An unexpected journey into Microsoft Defender's signature World

Microsoft Defender Antivirus (MDA) is a complex security solution on Windows, attracting researchers for its architecture and components like WdBoot.sys and signature database structure. Analysis focuses on MpEngine.dll initialization and signature loading for threat detection.

Microsoft Defender Antivirus (MDA) is a crucial security solution preinstalled on Windows machines. It is one half of the broader Microsoft Defender offering, alongside Microsoft Defender for Endpoint. MDA has attracted security researchers because of its complexity, with studies focusing on components such as the signature database and its loading process.

The MDA architecture includes components like WdBoot.sys, MsMpEng.exe, and WdFilter.sys, each with a specific role in protecting the system. The signature database is distributed across four .vdm files containing anti-malware and anti-spyware signatures. MpEngine.dll is the core of MDA; it loads the modules responsible for real-time protection, scanning, and signature handling.

The analysis walks through the initialization of MpEngine, including modules such as cksig, which loads signatures. The cksig module registers callbacks for the different signature types, such as PEHSTR and PEHSTR_EXT, which are central to threat detection. Understanding these inner workings helps organizations practicing adversary emulation replicate threat scenarios more faithfully.

Related

Mitigating Skeleton Key, a new type of generative AI jailbreak technique

Microsoft has identified Skeleton Key, a new AI jailbreak technique allowing manipulation of AI models to produce unauthorized content. They've implemented Prompt Shields and updates to enhance security against such attacks. Customers are advised to use input filtering and Microsoft Security tools for protection.

Windows: Insecure by Design

Ongoing security issues in Microsoft Windows include vulnerabilities like CVE-2024-30080 and CVE-2024-30078, criticized for potential remote code execution. Concerns raised about privacy with Recall feature, Windows 11 setup, and OneDrive integration. Advocacy for Linux desktops due to security and privacy frustrations.

Windows: Insecure by Design

The article discusses ongoing security issues with Microsoft Windows, including recent vulnerabilities exploited by a Chinese hacking group, criticism of continuous patch releases, concerns about privacy invasion with Recall feature, and frustrations with Windows 11 practices. It advocates for considering more secure alternatives like Linux.

'Skeleton Key' attack unlocks the worst of AI, says Microsoft

Microsoft warns of "Skeleton Key" attack exploiting AI models to generate harmful content. Mark Russinovich stresses the need for model-makers to address vulnerabilities. Advanced attacks like BEAST pose significant risks. Microsoft introduces AI security tools.

Windows 11 Government Edition is what everyone wants, but there is a catch

A new Windows 11 Government Edition has emerged, claiming to be stripped of telemetry and Microsoft apps. Despite its appeal, it is unofficial, distributed through P2P with security risks. Microsoft's official stance is unclear.

6 comments
By @Angostura - 6 months
A note to the author: if you are going to include “EDR and EPP” in the intro, please spell them out on first use
By @FrostKiwi - 6 months
Great deep dive! Always wondered about the details around this topic.

Did a bit of red teaming around the topic of reverse shells and privilege escalation and was pleasantly surprised how much Windows Defender catches. Our IT Department recently switched away from a paid McAfee service doing endpoint security, which failed to detect unauthorized access in many instances.

Also, I totally read the intro as "addressing the ERP use-case"

By @vegadw - 6 months
I wish that on a positive find Defender had a "for the nerds" section that says what exactly was found. Was there a URL Regex match, like this article gives an example for? Tell me that. I get enough false positives that I want to be able to vet them myself, but that's hard to do without just trusting the source if all I get is a "This has been quarantined" without telling me why beyond a broad class of types of malware.
By @RachelF - 6 months
Nice big attack surface there. I wonder what's to stop someone modifying the vdx virus definition files to include something like Edge.exe or Explorer.exe?
By @banish-m4 - 6 months
MDE plan 2 had problems where MS was pushing out under-tested signatures. One time, they pushed out defs that deleted all menu shortcuts for some users, leading them to believe all of their software had been uninstalled.
By @InDubioProRubio - 6 months
Thought it would mention at least the slow-down bug that slows some systems to a crawl as soon as Defender scans some folders.