Windows Defender - Demystifying and Bypassing ASR by Understanding the AV's Signatures

Conference: BlackHat USA 2021



Understanding the signature format and modules of Windows Defender
  • Windows Defender uses the Intel TDT technology and machine learning classifiers for scanning
  • Strum signatures are used to look up strings in files and can be used for evasion
  • Delta VDM files contain minor updates and are merged during the parsing process
  • The signature database is distributed in modules, each registering callbacks for specific functions
  • Exclusions and bypasses exist for certain scenarios and applications
The presenter demonstrated that creating a file with only one line in a directory named 'think cell' was blocked by Windows Defender, whereas creating the same file in a directory named 'think' allowed it to be created and launched. This illustrates how understanding the rules and exclusions of Windows Defender can be used to bypass its scanning.


Windows Defender is Windows' built-in antivirus software, giving it a place in most information systems. Still, its signature format is as yet undocumented. This talk tries to rectify this situation. This knowledge will then be used to demonstrate signature evasion for auditors' common tooling. Looking deeper, it will also highlight how Attack Surface Reduction, a technology used to prevent common offending patterns, actually works. It will benefit both Blue teams - to keep an eye on its blind spots - and Red teams - with a bypassing example. Finally, the format understanding provides a new possibility: updates diffing - a way to track the current interests of the Windows Defender team.
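As an added, defender-side example (not the talk's tooling, nor Microsoft's code): a PowerShell script that reports the local ASR rule configuration, the administrator-configured exclusions, recent ASR block/audit events, and a hash snapshot of the VDM signature files so that successive updates can be diffed, as the abstract suggests for tracking what the Defender team is currently interested in. The function names are my own; the script assumes an elevated PowerShell session on Windows 10/11 with Microsoft Defender Antivirus and its PowerShell module (Get-MpPreference, Get-MpComputerStatus), and the ASR rule GUIDs listed come from Microsoft's ASR rule reference (check the current documentation for the full list). The signature-embedded exclusions the demo illustrates (such as the 'think cell' directory name) are not exposed by these cmdlets; only policy-configured exclusions are.

```powershell
# Added example, not part of the talk. Assumes an elevated PowerShell session on
# Windows 10/11 with Microsoft Defender Antivirus and its PowerShell module.

# ASR action codes as reported by Get-MpPreference.
$asrActions = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

# A few ASR rule GUIDs from Microsoft's ASR rule reference (not a complete list).
$knownRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
}

# One row per configured ASR rule: GUID, readable name (when known) and its mode.
function Get-AsrRuleReport {
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $id   = $ids[$i].ToString().ToUpper()
        $code = [int]$acts[$i]
        [pscustomobject]@{
            RuleId = $id
            Name   = if ($knownRules.ContainsKey($id)) { $knownRules[$id] } else { '(see ASR rule reference)' }
            Action = if ($asrActions.ContainsKey($code)) { $asrActions[$code] } else { "Unknown($code)" }
        }
    }
}

# Policy-configured exclusions. These are the blind spots an administrator controls;
# exclusions baked into the signature database itself are not visible here.
function Get-DefenderExclusionReport {
    $pref = Get-MpPreference
    [pscustomobject]@{
        AsrOnlyExclusions  = @($pref.AttackSurfaceReductionOnlyExclusions)
        ExcludedPaths      = @($pref.ExclusionPath)
        ExcludedProcesses  = @($pref.ExclusionProcess)
        ExcludedExtensions = @($pref.ExclusionExtension)
    }
}

# Recent ASR events from the Defender operational log:
# 1121 = rule fired in block mode, 1122 = rule fired in audit mode.
function Get-AsrEvents {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Mode   = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
            Detail = $_.Message
        }
    }
}

# Snapshot of the installed signature set: engine-reported version plus a SHA-256
# of every VDM file (base and delta). Save one snapshot per update and diff them.
function Get-SignatureSnapshot {
    $status  = Get-MpComputerStatus
    $defRoot = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Definition Updates'
    $vdms = Get-ChildItem -Path $defRoot -Recurse -Filter '*.vdm' -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                File   = $_.FullName
                Size   = $_.Length
                Sha256 = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
            }
        }
    [pscustomobject]@{
        SignatureVersion = $status.AntivirusSignatureVersion
        LastUpdated      = $status.AntivirusSignatureLastUpdated
        VdmFiles         = $vdms
    }
}

# Usage (dot-source the script first):
Get-AsrRuleReport | Format-Table -AutoSize
Get-DefenderExclusionReport | Format-List
Get-AsrEvents -Hours 72 | Format-Table -AutoSize
Get-SignatureSnapshot | ConvertTo-Json -Depth 4 | Set-Content "sigs-$(Get-Date -Format yyyyMMdd-HHmm).json"
```

Rules reported as Audit or Disabled are the ones to review first, since they log but do not block. To track updates over time, keep the JSON snapshots and compare the VdmFiles hashes of two snapshots with Compare-Object; a changed delta VDM with an unchanged base VDM is the incremental update the talk describes as being merged into the base set during parsing.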


