Windows Defender - Demystifying and Bypassing ASR by Understanding the AV's Signatures

Presented at Black Hat Europe 2021, Nov. 10, 2021, 1:30 p.m. (40 minutes).

Windows Defender is the Windows' built-in antivirus software, giving it a place in most information systems. But still, its signature format is yet undocumented.

This talk tries to rectify this situation. This knowledge will then be used to demonstrate signature evasion for auditor's common tooling.

Looking deeper, it will also highlight how Attack Surface Reduction, a technology used to prevent common offending patterns, actually works. It will benefit both Blue teams - to keep an eye on its blind spots - and Red teams - with a bypassing example.

Finally, the format understanding provides a new possibility: updates diffing - a way to track the current interests of Windows Defender team.

Presenters:

• Camille Mougey - Technical Auditor, ANSSI
  Camille Mougey (@commial) is a security researcher working at ANSSI. He enjoys reverse engineering, math and looking under the hood at algorithms and products to understand how to tweak them. He used to work on DRM obfuscation (REcon '14) and reverse engineering tooling (REcon '17, Black Hat USA '18).

Links:

• https://www.blackhat.com/eu-21/briefings/schedule/#windows-defender---demystifying-and-bypassing-asr-by-understanding-the-av39s-signatures-24866
• https://www.blackhat.com/eu-21/briefings/schedule/#windows-defender---demystifying-and-bypassing-asr-by-understanding-the-av39s-signatures-248661633367365

Similar Presentations:

• Black Hat USA 2018 / Windows Offender: Reverse Engineering Windows Defender's Antivirus Emulator
• Summercon 2018 / REVERSE ENGINEERING WINDOWS DEFENDER ANTIVIRUS
• DEF CON 31 (2023) / Defender-Pretender: When Windows Defender Updates Become a Security Risk