Developers: Microsoft
Last Release Date: 2023/01/16
Technology: Information Security - Antiviruses
Main article: Antiviruses
2024: A hole in built-in Windows antivirus allows you to infect your PC with minimal effort
At the end of July 2024, it became known that a security vulnerability in Microsoft Defender SmartScreen had allowed hackers to easily distribute malware such as ACR Stealer, Lumma and Meduza.
Fortinet FortiGuard Labs discovered that hackers had conducted a whole information-stealing campaign in Spain, Thailand and the United States, exploiting a vulnerability in the built-in Windows antivirus. This hole allowed attackers to easily bypass SmartScreen protection and plant malicious files on the system. Microsoft addressed the issue as part of its monthly security updates, releasing the patch in February 2024.
One of the distributed malware families, ACR Stealer, is an advanced version of GrMsk Stealer and is capable of pulling information from web browsers, crypto wallets, messaging applications, FTP clients, mail clients, VPN services and password managers. Another malware family, Lumma Stealer, which used the same vulnerability to spread, allows attackers to change C2 domains at any time, which complicates disruption of their infrastructure.
For the cyber attack, the hackers also used a Microsoft Word document with macros that disguises itself as a Microsoft system recovery guide. When opened, this file runs a macro that fetches a second-stage DLL file from a remote server; the DLL is decoded to run Daolpu, malware that steals credentials and cookies from Google Chrome, Microsoft Edge, Mozilla Firefox and other Chromium-based browsers.
"As hackers spread more and more viruses, downloading applications through search engines is becoming more dangerous," said Malwarebytes researcher Jerome Segura. "Increasingly, users have to choose between malicious ads and compromised websites."[1]
2023: Windows proprietary antivirus removed custom shortcuts on desktop and Start menu
Microsoft Defender mistakenly removed the shortcuts that users of the Windows 10 and Windows 11 operating systems use to quickly launch programs installed on their PCs. The antivirus, which is part of the Windows operating systems, mistook shortcuts on the desktop and in the Start menu for malware. This became known on January 16, 2023.
On January 13, 2023, Microsoft released an antivirus signature update for Microsoft Defender for Endpoint, version 1.381.2140.0, which, in particular, changed the behavior of the ASR (Attack Surface Reduction) rule called "Block Win32 API calls from Office macro" (ID: 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b). This rule allows the program to detect and suppress attempts to call the Win32 API from VBA macros.
After the change to this rule, Microsoft Defender began producing false positives: the shortcuts of user applications located on the Windows desktop, in the Start menu and on the Quick Access toolbar were removed, because the antivirus considered them malicious programs.
This affected both the shortcuts of Microsoft's own software (for example, Office) and those of third-party applications (Google Chrome, Mozilla Firefox, etc.).
As BleepingComputer notes, the problematic rule, released on the eve of the weekend, brought chaos to the work of corporate Windows users and the system administrators serving them. The former lost the ability to quickly launch familiar applications; the latter were forced to look for a way to restore the shortcuts removed by Microsoft Defender.
Subsequently, Microsoft disabled the faulty ASR rule (signature update 1.381.2164.0) and asked customers to check service incident MO497128 in the admin center for further updates. Microsoft stressed that it would take several hours for the updated rule to work as originally intended by the developers.
For this period, system administrators were advised to switch the corresponding rule to audit mode in order to protect themselves from the negative consequences of the faulty ASR rule. This is done using the Intune cloud endpoint-management tool, by editing group policies, or with the Add-MpPreference command in PowerShell.
On January 14, 2023, Microsoft published on GitHub a PowerShell script that restores the deleted application shortcuts, 42 names in total.
Among them are Adobe products (Acrobat, Photoshop), applications that are part of the Microsoft Office package (Excel, Word, Outlook), the Google Chrome and Mozilla Firefox browsers, the VLC media player, the 7zip archiver, etc. If necessary, administrators can independently adjust the list of programs whose shortcuts need to be restored.[2][3]
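The audit-mode workaround described above, as an added example that is not the article's text or Microsoft's own guidance: it reads the currently loaded signature version, looks up the action configured for the ASR rule ID quoted in the article, switches that one rule to audit mode with Add-MpPreference, verifies the change, and then pulls the audit events the rule produces so an administrator can see what it would have blocked. It assumes an elevated PowerShell session on a Windows device where the Defender cmdlets are available; the helper function Get-AsrRuleAction is defined here and is not a built-in cmdlet.

```powershell
# Added example, not from the article or from Microsoft. Requires an elevated
# session on a device with Microsoft Defender Antivirus and its PowerShell module.

# Rule ID quoted in the article: "Block Win32 API calls from Office macro".
$RuleId = '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b'

# Helper (defined here, not a built-in cmdlet): return the action configured for
# one ASR rule. Ids and Actions are parallel arrays in Get-MpPreference.
# Action values: 0 = Disabled, 1 = Block, 2 = AuditMode, 6 = Warn.
function Get-AsrRuleAction {
    param([Parameter(Mandatory)][string]$Id)
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -eq $Id) { return $acts[$i] }
    }
    return $null   # rule is not configured on this device
}

# 1. Record which signature version is loaded (the article names 1.381.2140.0
#    as the problematic update and 1.381.2164.0 as the one that disabled the rule).
$status = Get-MpComputerStatus
Write-Host "Signature version: $($status.AntivirusSignatureVersion)"

# 2. Show the rule's state before the change.
$before = Get-AsrRuleAction -Id $RuleId
Write-Host "Rule $RuleId before: $before"

# 3. Switch only this rule to audit mode: matches are logged, nothing is blocked
#    or removed, so false positives on shortcuts become visible without damage.
Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                 -AttackSurfaceReductionRules_Actions AuditMode

# 4. Verify the change took effect (expect 2 = AuditMode).
$after = Get-AsrRuleAction -Id $RuleId
Write-Host "Rule $RuleId after:  $after"

# 5. List recent ASR audit events (event ID 1122 in the Defender operational log)
#    to review what the rule would have acted on while in block mode.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1122
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Add-MpPreference merges the given rule ID into the existing list rather than replacing it, so other ASR rules keep their configured actions; once the corrected signature update is confirmed, the same call with `-AttackSurfaceReductionRules_Actions Enabled` returns the rule to block mode.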
2022
Ability to identify vulnerabilities in Android and iOS on the corporate network
Microsoft has unveiled a public preview version of Microsoft Defender for Endpoint (MDE) that will help organizations identify vulnerabilities in Android and iOS devices on corporate networks. This became known on July 4, 2022.
After enabling this feature, Mobile Network Protection, on Android and iOS devices, MDE provides protection and notifications when Wi-Fi-related threats and rogue certificates (the main vector of Wi-Fi attacks) are detected.
MDE can detect a Hak5 WiFi Pineapple device that a cybercriminal uses to collect data transmitted on the network. MDE will also alert the user to switch networks if it detects a suspicious or unsecured network, and it sends a push notification when it finds open Wi-Fi networks.
Microsoft also provides detailed information about configuring network protection on Android and iOS devices through the Microsoft Endpoint Manager administration center.
"As the world continues to embrace digital transformation, networks are becoming more complex and provide an opportunity for malicious activity. To combat cybercrime, Microsoft offers a mobile network protection feature in Defender for Endpoint that helps organizations identify, assess, and address endpoint weaknesses with robust threat analytics," the company said this week.[4]
Built-in troubleshooting mode added
Microsoft Defender is now available with built-in troubleshooting mode. This became known on May 18, 2022.
You can already test this feature in early access
Troubleshooting mode helps Windows administrators test the performance of Microsoft Defender Antivirus and run compatibility scripts without being blocked by tamper protection.
This antivirus mode is in early access and allows administrators to disable or change tamper-protection settings while diagnosing applications or troubleshooting. The feature is only available for enterprises and is disabled by default. The service requires access to Microsoft 365 Defender.
To test the function in early access, the following are required:
- A device running Windows 10 (version 19044.1618 or later), Windows 11, Windows Server 2019, or Windows Server 2022;
- Microsoft Defender for Endpoint registered and active on the device;
- Microsoft Defender version 4.18.2203 or later on the device.
For testing, Microsoft gives the administrator 3 hours after the start of troubleshooting on the device. Any new changes will be applied automatically. Microsoft Defender for Endpoint troubleshooting mode scenarios include:
- Diagnostics of application installation problems
- High CPU load caused by Windows Defender (MsMpEng.exe)
- Slow application execution
- Prevent network protection from blocking specific domains.
{{quote 'Additional diagnostic files will be available after troubleshooting. Files include before and after MpPreferences and MpLogs snapshots. Your administrator can collect diagnostic files using the Collect Investigation Package feature, the company added. }}
In addition, Microsoft has provided further information that you need to know before enabling the mode. The corporation has also indicated possible usage scenarios.[5]
Microsoft Defender Preview for Android and Windows devices
On February 10, 2022, it became known that Microsoft had released the Microsoft Defender Preview application for Android and Windows devices. As of February 10, 2022, the application is only available in the United States, but most likely, as it is tested, it will be available in other countries as well.
Microsoft Defender is an antivirus solution from Microsoft that has been shipping with Windows for quite some time. There is also a version of Microsoft Defender ATP for Android devices, designed exclusively for corporate users.
The presented preview version of Microsoft Defender allows you to manage the security not only of the current device, but also of all other devices connected to the same Microsoft account. The home page displays a summary of the protection status for all devices.
If you click on this panel, expanded information about the status of each device opens. In particular, it shows the number of applications and links (on Android) or files (on Windows) scanned in the last 24 hours. On a Windows device, you can also see the current settings for protection against malware and cyber threats, ransomware, etc. You can also view your security history to see past threats.
For Windows users, this solution is not a replacement for Windows Security, but rather an additional user interface that can eventually replace the built-in application. As for Android, the benefits of antivirus are quite controversial here, but at least thanks to it, the user can find out that he has installed potentially malicious applications.
One useful feature is the ability to see the security status of all devices in one place. This is especially useful when several people use one PC. The user can see on their phone if another user has downloaded or installed a malicious program on the computer.
US residents can download Microsoft Defender Preview for Windows from the Microsoft Store, and for Android from the Google Play Store. The Windows version can be installed outside the United States, but you will not be able to log in to the application yet.[6]
2021
Integration with Illusive Active Defense
On May 25, 2021, Illusive announced the integration of its Active Defense technologies into Microsoft Defender for Endpoint.
Remote code execution vulnerability fixed
On January 13, 2021, it became known that Microsoft had released its scheduled security updates. The January patches fix a total of 83 vulnerabilities in Windows, cloud products, developer tools and enterprise servers.
Of all the fixed vulnerabilities, the most serious is the zero-day vulnerability in the Microsoft Defender antivirus solution, exploited by hackers even before the patch was released. CVE-2021-1647 is a remote code execution vulnerability that allows attackers to execute code on a system with vulnerable Microsoft Defender, forcing the victim to open a malicious document.
According to Microsoft, although the vulnerability is already used in real attacks, its exploitation technique is not applicable in all cases, and the exploit is still at the PoC level. However, this does not mean at all that it cannot evolve over time into a full-fledged tool for more reliable attacks.
To prevent possible attacks, Microsoft has released patches for the Microsoft Malware Protection Engine. The update will automatically install and will not require user input unless blocked by the administrator.
The January patches also fix an out-of-bounds read vulnerability in Windows uncovered by Trend Micro's Zero Day Initiative. CVE-2021-1648 allows a local attacker to disclose sensitive information. To exploit the vulnerability, an attacker must first be able to execute code with low privileges on the attacked system.
Although the vulnerability was disclosed on December 15, 2020, no evidence of its exploitation in real attacks until January 2021 was found. However, system administrators are strongly advised to install the patch to avoid potential future consequences[7].
2019: Windows Defender renamed Microsoft Defender
In July 2019, Microsoft announced the renaming of its Windows Defender service (which carries a localized name in Russified versions of Windows). The product was named Microsoft Defender.
The full rebranding will take place in April 2020 with the release of the Windows 10 20H1 Update. But the renaming began in July 2019: for example, the Windows Defender Exploit Guard component became Microsoft Defender Exploit Guard.
As noted by the deskmodder.de site, the change is also visible in the Windows 10 Local Group Policy Editor, where sections for Microsoft Defender Antivirus and Microsoft Defender Exploit Guard can be seen.
The functionality remained and will remain the same, despite the change of name. However, together with the new name, "Windows Defender" will receive a number of new features, which Microsoft will talk about later.
Some components by July 22, 2019 retain the names: Windows Defender Firewall with Advanced Security, Windows Defender Application Guard, Windows Defender SmartScreen, etc.
The American corporation started renaming because the service became available not only on devices running Windows. For example, a software solution can be installed on Apple computers.
"We invest $1 billion annually to provide our customers with a world-class protection platform. Windows Defender extends beyond Windows. That is why we decided to rename Windows Defender to reflect the cross-platform essence of our products," Microsoft said in a statement.
Previously, Windows Defender Security Center was renamed Windows Security
Microsoft has carried out such rebranding before, reflecting the company's desire not to be limited to Windows support in its products. For example, the Arrow Launcher for Android became known as Microsoft Launcher.[8]
2018: Running in a Virtualized Windows 10 Environment
On October 29, 2018, SecurityLab reported that Windows Defender can now run in a virtualized environment on Windows 10 version 1703 and higher, making it the first antivirus product to support this capability.
By placing Windows Defender in a sandbox, the manufacturer made it difficult for attackers to access critical system modules, since isolated applications cannot interact with the rest of the system and have extremely limited access to memory resources and the file system.
This measure is Microsoft's response to the recommendations of numerous security experts who have repeatedly described methods by which attackers could exploit vulnerabilities in the Windows Defender antivirus to remotely execute code.
Support for running Windows Defender in an isolation environment was added to Windows 10 (version 1703)[9].
2017: Ransomware Virus Protection Feature
In June 2017, it became known about Microsoft's plans to equip Windows Defender with a new ransomware protection function. Controlled Folder Access technology, to be launched in the fall of 2017, will completely block any changes to protected Windows directories by unauthorized applications. The new technology is designed to protect data from ransomware Trojans.
A preview of this technology was added to Windows 10 Insider Preview Build 16232.[10]
The principle of CFA is very simple: if an application tries to make changes to the contents of protected folders, Windows Defender checks this application against its "whitelists" (that is, lists of applications that are allowed to make such changes) and, if the application is not there, all its activity is immediately blocked and the program itself is blacklisted.
By default, "key" user folders are protected - "Desktop," "Documents," "Images" and "Video." It is impossible to remove protection from them. The user, by choice, can add any other folders to the protected list.
As for authorized or unauthorized applications, according to Microsoft, most of the legitimate programs that exist today are already on the white list. Windows Defender will allow the user to arbitrarily whitelist new applications, but this is recommended only in the most exceptional cases.
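The folder-protection model described above, as an added example that is neither the article's text nor Microsoft's own code: it turns Controlled Folder Access on in audit mode first (so a mis-classified application is only logged, not blocked), adds one extra folder to the protected set beyond the default user folders, explicitly allows one application, reads the resulting configuration back, and lists the events CFA recorded. It assumes an elevated PowerShell session with the Defender cmdlets available; the paths C:\Data and C:\Tools\backup.exe are placeholders chosen for the example, and Get-CfaState is a helper defined here, not a built-in cmdlet.

```powershell
# Added example, not from the article or from Microsoft. Requires an elevated
# session on a device with Microsoft Defender Antivirus and its PowerShell module.

# Placeholder paths for the example; substitute your own.
$ExtraFolder = 'C:\Data'
$TrustedApp  = 'C:\Tools\backup.exe'

# 1. Start in audit mode: write attempts to protected folders by non-whitelisted
#    applications are logged but not blocked, so a false positive does not break a
#    legitimate workflow. Switch to 'Enabled' to enforce blocking.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 2. Extend protection beyond the default folders (Desktop, Documents, etc.).
Add-MpPreference -ControlledFolderAccessProtectedFolders $ExtraFolder

# 3. Whitelist a single application explicitly. The article notes this should be
#    done only in exceptional cases, since the allowed set is what ransomware would
#    want to be added to.
Add-MpPreference -ControlledFolderAccessAllowedApplications $TrustedApp

# Helper (defined here, not a built-in cmdlet): summarize the CFA configuration.
# Mode values: 0 = Disabled, 1 = Enabled (block), 2 = AuditMode.
function Get-CfaState {
    $p = Get-MpPreference
    [pscustomobject]@{
        Mode             = $p.EnableControlledFolderAccess
        ProtectedFolders = @($p.ControlledFolderAccessProtectedFolders)
        AllowedApps      = @($p.ControlledFolderAccessAllowedApplications)
    }
}
Get-CfaState | Format-List

# 4. Review what CFA observed: event ID 1123 = write blocked, 1124 = write audited,
#    both in the Defender operational log. The Message names the process and path.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Running in audit mode for a few days and reviewing the 1124 events shows which legitimate applications would have been blocked; only those should be added to the allowed list before switching the mode to Enabled. Entries can be removed again with Remove-MpPreference using the same parameter names.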
"The question immediately arises how simple or difficult it will be for users themselves to disable this function," says Georgy Lagoda, CEO of SEC-Consult Services. "Attackers can use social engineering to try to force users to put their malware on trusted lists, which will make the system virtually defenseless. There are many examples of how attackers tricked users into activating macros in Microsoft Office, thereby opening the way for a successful attack."
Georgy Lagoda also noted that Windows users often turn off Windows Defender altogether when installing a third-party antivirus.
Controlled Folder Access technology will be added to Windows in October-November this year, along with a massive Windows 10 update codenamed Redstone 3 or Fall Creators Update. You will have to activate this function manually.
2011: Beta
In December 2011, Microsoft released a new beta version of the Windows Defender Offline product, which provides reliable protection of Windows systems from spyware. The application runs from a DVD or portable USB drive and provides a quick and thorough check of the computer before the OS boots.
Many users are familiar with the Windows Defender product. This integrated component of the Windows Vista and Windows 7 operating systems allows you to detect and remove malware and prevent it from entering the system. The main drawback of the standard "defender" is that it starts only after the OS has loaded and cannot withstand the most sophisticated threats. This flaw has been fixed in the Windows Defender Offline application.
Windows Defender Offline will check your computer for hidden and stealth threats, such as rootkits or viruses, that do not require a constantly active process and are triggered when the computer is turned on or at any time. In order to appreciate the advantages of the proposed solution, the user must write the program to removable media and ensure that it is launched before loading the operating system. Even beginners will be able to prepare the application for work. The convenient "defender" interface, step by step, leads the user through the entire process of creating a boot disk or "flash drive."
A properly configured utility interrupts the standard Windows boot process and displays the familiar Windows Defender interface. From here, the user can initiate a quick, full or selective scan of the Windows operating system. The developers assure that this approach will not leave deeply embedded malware a single chance for survival.
Notes
- ↑ Microsoft Defender Flaw Exploited to Deliver ACR, Lumma, and Meduza Stealers
- ↑ [https://www.cnews.ru/news/top/2023-01-16_firmennyj_antivirus_microsoft Windows proprietary antivirus has destroyed user shortcuts on the desktop and in the Start menu]
- ↑ Windows proprietary antivirus has destroyed user shortcuts on the desktop and in the Start menu
- ↑ Introduced Microsoft Defender to protect Android and iOS on the corporate network
- ↑ Microsoft Defender is now available with built-in troubleshooting mode
- ↑ Microsoft Defender Preview is now available for Android and Windows devices
- ↑ Microsoft has fixed a zero-day vulnerability in Microsoft Defender
- ↑ Microsoft explains the Windows Defender rebrand to Microsoft Defender
- ↑ Running in a virtualized Windows 10 environment
- ↑ Microsoft Announces "Controlled Folder Access" to Fend Off Crypto-Ransomware