Author Archive

Windows Defender Antivirus can now run in a sandbox

Windows Defender Antivirus has hit a new milestone: the built-in antivirus capabilities on Windows can now run within a sandbox. With this new development, Windows Defender Antivirus becomes the first complete antivirus solution to have this capability and continues to lead the industry in raising the bar for security.

Putting Windows Defender Antivirus in a restrictive process execution environment is a direct result of feedback that we received from the security industry and the research community. It was a complex undertaking: we had to carefully study the implications of such an enhancement on performance and functionality. More importantly, we had to identify high-risk areas and make sure that sandboxing did not adversely affect the level of security we have been providing.

While it was a tall order, we knew it was the right investment and the next step in our innovation journey. It is available to Windows Insiders today. We encourage researchers and partners to try and examine this feature and give us feedback, so we can fine-tune performance, functionality, and security before we make it broadly available.

Why sandbox? Why now?

From the beginning, we designed and built Windows Defender Antivirus to be resistant to attacks. In order to inspect the whole system for malicious content and artifacts, it runs with high privileges. This makes it a candidate for attacks.

Security researchers both inside and outside of Microsofthave previously identified ways that an attacker can take advantage of vulnerabilities in Windows Defender Antiviruss content parsers that could enable arbitrary code execution. While we havent seen attacks in-the-wild actively targeting Windows Defender Antivirus, we take these reports seriously. We immediately fixed potential problems and ramped up our own research and testing to uncover and resolve other possible issues.

At the same time, we continued hardening Windows 10 in general against attacks. Hardware-based isolation, network protection, controlled folder access, exploit protection, and other technologies reduce the attack surface and increase attacker costs. Notably, escalation of privilege from a sandbox is so much more difficult on the latest versions of Windows 10. Furthermore, the integration of Windows Defender Antivirus and other Windows security technologies into Windows Defender ATPs unified endpoint security platform allows signal-sharing and orchestration of threat detection and remediation across components.

Running Windows Defender Antivirus in a sandbox ensures that in the unlikely event of a compromise, malicious actions are limited to the isolated environment, protecting the rest of the system from harm. This is part of Microsofts continued investment to stay ahead of attackers through security innovations. Windows Defender Antivirus and the rest of the Windows Defender ATP stack now integrate with other security components of Microsoft 365 to form Microsoft Threat Protection. Its more important than ever to elevate security across the board, so this new enhancement in Windows Defender Antivirus couldnt come at a better time.

Implementing a sandbox for Windows Defender Antivirus

Modern antimalware products are required to inspect many inputs, for example, files on disk, streams of data in memory, and behavioral events in real time. Many of these capabilities require full access to the resources in question. The first major sandboxing effort was related to layering Windows Defender Antiviruss inspection capabilities into the components that absolutely must run with full privileges and the components that can be sandboxed. The goal for the sandboxed components was to ensure that they encompassed the highest risk functionality like scanning untrusted input, expanding containers, and so on. At the same time, we had to minimize the number of interactions between the two layers in order to avoid a substantial performance cost.

The ability to gradually deploy this feature was another important design goal. Because we would be enabling this on a wide range of hardware and software configurations, we aimed to have the ability at runtime to decide if and when the sandboxing is enabled. This means that the entire content scanning logic can work both in-proc and out-of-proc, and it cant make any assumptions about running with high privileges.

Performance is often the main concern raised around sandboxing, especially given that antimalware products are in many critical paths like synchronously inspecting file operations and processing and aggregating or matching large numbers of runtime events. To ensure that performance doesnt degrade, we had to minimize the number of interactions between the sandbox and the privileged process, and at the same time, only perform these interactions in key moments where their cost would not be significant, for example, when IO is being performed.

Windows Defender Antivirus makes an orchestrated effort to avoid unnecessary IO, for example, minimizing the amount of data read for every inspected file is paramount in maintaining good performance, especially on older hardware (rotational disk, remote resources). Thus, it was crucial to maintain a model where the sandbox can request data for inspection as needed, instead of passing the entire content. An important note: passing handles to the sandbox (to avoid the cost of passing the actual content) isnt an option because there are many scenarios, such as real-time inspection, AMSI, etc., where theres no sharable handle that can be used by the sandbox without granting significant privileges, which decreases the security.

Resource usage is also another problem that required significant investments: both the privileged process and the sandbox process needed to have access to signatures and other detection and remediation metadata. To avoid duplication and preserve strong security guarantees, i.e., avoid unsafe ways to share state or introducing significant runtime cost of passing data/content between the processes, we used a model where most protection data is hosted in memory-mapped files that are read-only at runtime. This means protection data can be hosted into multiple processes without any overhead.

Another significant concern around sandboxing is related to the inter-process communication mechanism to avoid potential problems like deadlocks and priority inversions. The communication should not introduce any potential bottlenecks, either by throttling the caller or by limiting the number of concurrent requests that can be processed. Moreover, the sandbox process shouldn’t trigger inspection operations by itself. All inspections should happen without triggering additional scans. This requires fully controlling the capabilities of the sandbox and ensuring that no unexpected operations can be triggered. Low-privilege AppContainers are the perfect way to implement strong guarantees because the capabilities-based model will allow fine-grained control on specifying what the sandbox process can do.

Lastly, a significant challenge from the security perspective is related to content remediation or disinfection. Given the sensitive nature of the action (it attempts to restore a binary to the original pre-infection content), we needed to ensure this happens with high privileges in order to mitigate cases in which the content process (sandbox) could be compromised and disinfection could be used to modify the detected binary in unexpected ways.

Once the sandboxing is enabled, customers will see a content process MsMpEngCP.exe running alongside with the antimalware service MsMpEng.exe.

The content processes, which run with low privileges, also aggressively leverage all available mitigation policies to reduce the attack surface. They enable and prevent runtime changes for modern exploit mitigation techniques such as Data Execution Prevention (DEP), Address space layout randomization (ASLR), and Control Flow Guard (CFG). They also disable Win32K system calls and all extensibility points, as well as enforce that only signed and trusted code is loaded. More mitigation policies will be introduced in the future, alongside other techniques that aim to reduce even further the risk of compromise, such as multiple sandbox processes with random assignment, more aggressive recycling of sandbox processes without a predictable schedule, runtime analysis of the sandbox behavior, and others.

How to enable sandboxing for Windows Defender Antivirus today

We’re in the process of gradually enabling this capability for Windows insiders and continuously analyzing feedback to refine the implementation.

Users can also force the sandboxing implementation to be enabled by setting a machine-wide environment variable (setx /M MP_FORCE_USE_SANDBOX 1) and restarting the machine. This is currently supported on Windows 10, version 1703 or later.

Looking ahead: Broader availability and continuous innovation

To implement sandboxing for Windows Defender Antivirus, we took a lot of inputs from the feedback, suggestions, and research from our peers in the industry. From the beginning, we saw this undertaking as the security industry and the research community coming together to elevate security. We now call on researchers to follow through, as we did, and give us feedback on the implementation.

Windows Defender Antivirus is on a path of continuous innovation. Our next-gen antivirus solution, which is powered by artificial intelligence and machine learning and delivered in real-time via the cloud, is affirmed by independent testers, adoption in the enterprise, and customers protected every day from malware campaigns big and small. Were excited to roll out this latest enhancement to the rest of our customers.

And we are committed to continue innovating. Were already working on new anti-tampering defenses for Windows Defender Antivirus. This will further harden our antivirus solution against adversaries. Youll hear about these new efforts soon. Windows Defender Antivirus and the rest of the Windows Defender Advanced Threat Protection will continue to advance and keep on leading the industry in raising the bar for security.



Mady Marinescu
Windows Defender Engineering team
with Eric Avena
Content Experience team



Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

The post Windows Defender Antivirus can now run in a sandbox appeared first on Microsoft Secure.

Out of sight but not invisible: Defeating fileless malware with behavior monitoring, AMSI, and next-gen AV

September 27th, 2018 No comments

Consider this scenario: Two never-before-seen, heavily obfuscated scripts manage to slip past file-based detection and dynamically load an info-stealing payload into memory. The scripts are part of a social engineering campaign that tricks potential victims into running the scripts, which use the file names install_flash_player.js and BME040429CB0_1446_FAC_20130812.XML.PDF.js, to distribute and run the payload.

The payload is sophisticated and particularly elusive, given that it:

  • Doesnt touch the disk, and does not trigger antivirus file scanning
  • Is loaded in the context of the legitimate process that executed the scripts (i.e., wscript.exe)
  • Leaves no traces on the disk, such that forensic analysis finds limited evidence

These are markers of a fileless threat. Still, Windows Defender Advanced Threat Protection (Windows Defender ATP) antivirus capabilities detect the payload, stopping the attack in its tracks. How is this possible?

In this scenario, Antimalware Scan Interface (AMSI) facilitates detection. AMSI is an open interface that allows antivirus solutions to inspect script behavior by exposing script contents in a form that is both unencrypted and unobfuscated.

AMSI is part of the range of dynamic next-gen features that enable antivirus capabilities in Windows Defender ATP to go beyond file scanning. These features, which also include behavior monitoring, memory scanning, and boot sector protection, catch a wide spectrum of threats, including new and unknown (like the two scripts described above), fileless threats (like the payload), and other sophisticated malware.

Generically detecting fileless techniques

The two aforementioned obfuscated scripts are actual malware detected and blocked in the wild by antivirus capabilities in Windows Defender ATP. Removing the first layer of obfuscation reveals a code that, while still partially obfuscated, showed some functions related to a fileless malware technique called Sharpshooter. We found the two scripts, which were variants of the same malware, not long after the Sharpshooter technique was documented and published by MDSec in 2017.

The Sharpshooter technique allows an attacker to use a script to execute a .NET binary directly from memory without ever needing to reside on the disk. This technique provides a framework that can enable attackers to easily repackage the same binary payload within a script. As demonstrated by the example of the two scripts, files that use the Sharpshooter technique can then be used in social engineering attacks to lure users into running the script to deliver a fileless payload.

Screenshot of obfuscated scriptFigure 1. Obfuscated code from install_flash_player.js script

Screenshot of the script which contains functions typically used in the Sharpshooter technique

Figure 2. After de-obfuscation, the script contains functions typically used in the Sharpshooter technique

When the Sharpshooter technique became public, we knew it was only a matter time before it would be used it in attacks. To protect customers from such attacks, we implemented a detection algorithm based on runtime activity rather than on the static script. In other words, the detection is effective against the Sharpshooter technique itself, thus against new and unknown threats that implement the technique. This is how Windows Defender ATP blocked the two malicious scripts at first sight, preventing the fileless payload from being loaded.

The detection algorithm leverages AMSI support in scripting engines and targets a generic malicious behavior (a fingerprint of the malicious fileless technique). Script engines have the capability to log the APIs called by a script at runtime. This API logging is dynamic and is therefore not hindered by obfuscation: a script can hide its code, but it cannot hide its behavior. The log can then be scanned by antivirus solutions via AMSI when certain dangerous APIs (i.e., triggers) are invoked.

This is the dynamic log generated by the scripts and detected by Windows Defender ATP at runtime via AMSI:

Screenshot of the dynamic AMSI log generated during the execution of the Sharpshooter techniqueFigure 3. Dynamic AMSI log generated during the execution of the Sharpshooter technique in the two malicious scripts

Using this AMSI-aided detection, Windows Defender ATP disrupted two distinct malware campaigns in June, as well as the steady hum of daily activities.

Windows Defender ATP telemetry shows two Sharpshooter campaigns in JuneFigure 4. Windows Defender ATP telemetry shows two Sharpshooter campaigns in June

Furthermore, generically detecting the Sharpshooter technique allowed us to discover a particularly sophisticated and interesting attack. Windows Defender ATPs endpoint and detection response capabilities caught a VBScript file that used the Sharpshooter technique.

Sample Windows Defender ATP alert showing how detection of the Sharpshooter technique by Windows Defender AV is surfaced in Windows Defender Security CenterFigure 5. Sample Windows Defender ATP alert showing how detection of the Sharpshooter technique by Windows Defender AV is surfaced in Windows Defender Security Center

We analyzed the script and extracted the fileless payload, a very stealthy .NET executable. The malware payload downloads data from its command-and-control (C&C) server via the TXT records of DNS queries. In particular, it downloads the initialization vector and decryption key necessary to decode the core of the malware. The said core is also fileless because its executed directly in memory without being written on the disk. Thus, this attack leveraged two fileless stages.

Screenshot showing that the core component of the malware is decrypted and executed from memoryFigure 6. The core component of the malware is decrypted and executed from memory

Our investigation into the incident turned up enough indicators for us to conclude that this was likely a penetration testing exercise or a test involving running actual malware, and not a real targeted attack.

Nonetheless, the use of fileless techniques and the covert network communication hidden in DNS queries make this malware similar in nature to sophisticated, real-world attacks. It also proved the effectiveness of the dynamic protection capabilities of Windows Defender ATP. In a previous blog post, we documented how such capabilities allow Windows Defender ATP to catch KRYPTON attacks and other high-profile malware.

Upward trend in fileless attacks and living off the land

Removing the need for files is the next progression of attacker techniques. Antivirus solutions have become very efficient in detecting malicious executables. Real-time protection gives visibility on each new file that lands on the disk. Furthermore, file activity leaves a trail of evidence that can be retrieved during forensic analysis. That’s why we are seeing an increase in attacks that use of malware with fileless techniques.

At a high level, a fileless malware runs its main payload directly in memory without having to drop the executable file on the disk first. This differs from traditional malware, where the payload always requires some initial executable or DLL to carry out its tasks. A common example is the Kovter malware, which stores its executable payload entirely in registry keys. Going fileless allows the attackers to avoid having to rely on physical files and improve stealth and persistence.

For attackers, building fileless attacks poses some challenges; in primis: how do you execute code if you don’t have a file? Attackers found an answer in the way they infect other components to achieve execution within these components environment. Such components are usually standard, legitimate tools that are present by default on a machine and whose functionality can be abused to accomplish malicious operations.

This technique is usually referred to as “living off the land”, as malware only uses resources already available in the operating system. An example is the Trojan:Win32/Holiks.A malware abusing the mshta.exe tool:

Trojan:Win32/Holiks.A is abusing mshta.exe to execute a script from command-lineFigure 7. Trojan:Win32/Holiks.A is abusing mshta.exe to execute a script from command-line

The malicious script resides only in the command line; it loads and executes further code from a registry key. The whole execution happens within the context of the mshta.exe process, which is a clean executable and tends to be trusted as a legitimate component of the operating system. Other similar tools, such as cmstp.exe, regsvr32.exe, powershell.exe, odbcconf.exe, rundll3.exe, just to name a few, have been abused by attackers. Of course, the execution is not limited to scripts; the tools may allow the execution of DLLs and executables, even from remote locations in some cases.

By living off the land, fileless malware can cover its tracks: no files are available to the antivirus for scanning and only legitimate processes are executed. Windows Defender ATP overcomes this challenge by monitoring the behavior of the system for anomalies or known patterns of malicious usage of legitimate tools. For example, Trojan:Win32/Powemet.A!attk is a generic behavior-based detection designed to prevent attacks that leverage the regsvr32.exe tool to run malicious scripts.

Antivirus capabilities Windows Defender ATP blocking legitimate regsvr32 tool abused to download and run a malicious remote scriptFigure 8. Antivirus capabilities in Windows Defender ATP blocking legitimate regsvr32 tool abused to download and run a malicious remote script

What exactly is fileless?

The term fileless suggests that a threat that does not come in a file, such as a backdoor that lives only in the memory of a machine. However, theres no generally accepted definition. The term is used broadly; its also used to describe malware families that do rely on files in order to operate. In the Sharpshooter example, while the payload itself is fileless, the entry point relies on scripts that need to be dropped on the targets machine and executed. This, too, is considered a fileless attack.

Given that attacks involve several stages for functionalities like execution, persistence, information theft, lateral movement, communication with command-and-control, etc., some parts of the attack chain may be fileless, while others may involve the filesystem in some form or another.

To shed light on this loaded term, we grouped fileless threats into different categories.

Taxonomy of fileless threats

Figure 9. Taxonomy of fileless threats

We can classify fileless threats by their entry point (i.e., execution/injection, exploit, hardware), then the form of entry point (e.g., file, script, etc.), and finally by the host of the infection (e.g., Flash, Java, documents).

From this classification, we can glean three big types of fileless threats based on how much fingerprint they may leave on infected machines.

  • Type I: No file activity performed. A completely fileless malware can be considered one that never requires writing a file on the disk.
  • Type II: No files written on disk, but some files are used indirectly. There are other ways that malware can achieve fileless presence on a machine without requiring significant engineering effort. Fileless malware of this type do not directly write files on the file system, but they can end up using files indirectly.
  • Type III: Files required to achieve fileless persistence. Some malware can have some sort of fileless persistence but not without using files in order to operate.

Having described the broad categories, we can now dig into the details and provide a breakdown of the infection hosts. This comprehensive classification covers the panorama of what is usually referred to as fileless malware. It drives our efforts to research and develop new protection features that neutralize classes of attacks and ensure malware does not get the upper hand in the arms race.

Exploits Hardware Execution or injection

  • File-based (Type III: executable, Flash, Java, documents)
  • Network-based (Type I)

  • Device-based (Type I: network card, hard disk)
  • CPU-based (Type I)
  • USB-based (Type I)
  • BIOS-based (Type I)
  • Hypervisor-based (Type I)

  • File-based (Type III: executables, DLLs, LNK files, scheduled tasks)
  • Macro-based (Type III: Office documents)
  • Script-based (Type II: file, service, registry, WMI repo, shell)
  • Disk-based (Type II: Boot Record)

For a detailed description and examples of these categories, visit this comprehensive page on fileless threats.

Defeating fileless malware with next-gen protection

File-based inspection is ineffective against fileless malware. Antivirus capabilities in Windows Defender ATP use defensive layers based on dynamic behavior and integrate with other Windows technologies to detect and terminate threat activity at runtime.

Windows Defender ATPs next-gen dynamic defenses have become of paramount importance in protecting customers from the increasingly sophisticated attacks that fileless malware exemplifies. In a previous blog post we described some of the offensive and defensive technologies related to fileless attacks and how these solutions help protect our customers. Evolving from the file-centric scanning model, Windows Defender ATP uses a generic and more powerful behavior-centric detection model to neutralize generic malicious behaviors and thus take out entire classes of attack.


Antimalware Scan Interface (AMSI) is an open framework that applications can use to request antivirus scans of any data. Windows leverages AMSI extensively in JavaScript, VBScript, and PowerShell. In addition, Office 365 client applications integrates with AMSI, enabling antivirus and other security solutions to scan macros and other scripts at runtime to check for malicious behavior. In the example above, we have shown how AMSI can be a powerful weapon to fight fileless malware.

Windows Defender ATP has implemented AMSI provider and consumes all AMSI signals for protection, these signals are especially effective against obfuscation. It has led to the disruption of malware campaigns like Nemucod. During a recent investigation, we stumbled upon some malicious scripts that were heavily obfuscated. We collected three samples that were evading static signatures and are a mixture of barely recognizable script code and binary junk data.

Heavy obfuscation of three different samples of TrojanDownloader:Script/Nemucod.JACFigure 10. Heavy obfuscation of three different samples of TrojanDownloader:Script/Nemucod.JAC.

However, after manual de-obfuscation, it turned out that these samples decode and execute the same .js script payload, a known downloader:

A portion of the second stage downloader decrypted by Nemucod.JACFigure 11: A portion of the second stage downloader decrypted by Nemucod.JAC

The payload does not have any obfuscation and is very easy to detect, but it never touches the disk and so could evade file-based detection. However, the scripting engine is capable of intercepting the attempt to execute the decoded payload and ensuring that the payload is passed to the installed antivirus via AMSI for inspection. Windows Defender ATP has visibility on the real payload as its decoded at runtime and can easily recognize known patterns and block the attack before it deals any damage.

Instead of writing a generic detection algorithm based on the obfuscation patterns in the samples, we trained an ML model on this behavior log and wrote heuristic detection to catch the decrypted scripts inspected via AMSI. The results proved effective, catching new and unknown variants, protecting almost two thousand machines in a span of two months. Traditional detection would not have been as effective.

Nemucod.JAC attack campaigns caught via AMSIFigure 12. Nemucod.JAC attack campaigns caught via AMSI

Behavior monitoring

Windows Defender ATPs behavior monitoring engine provides an additional layer of antivirus protection against fileless malware. The behavior monitoring engine filters suspicious API calls. Detection algorithms can then match dynamic behaviors that use particular sequences of APIs with specific parameters and block processes that expose known malicious behaviors. Behavior monitoring is useful not only for fileless malware, but also for traditional malware where the same malicious code base gets continuously repacked, encrypted, or obfuscated. Behavior monitoring proved effective against WannaCry, which was distributed through the DoublePulsar backdoor and can be categorized as a very dangerous Type I fileless malware. While several variants of the WannaCry binaries were released in attack waves, the behavior of the ransomware remained the same, allowing antivirus capabilities in Windows Defender ATP to block new versions of the ransomware.

Behavior monitoring is particularly useful against fileless attacks that live off the land. The PowerShell reverse TCP payload from Meterpreter is an example: it can be run completely on a command line and can provide a PowerShell session to a remote attacker.

Example of a possible command line generated by MeterpreterFigure 13. Example of a possible command line generated by Meterpreter

Theres no file to scan in this attack, but through behavior monitoring in its antivirus capabilities, Windows Defender ATP can detect the creation of the PowerShell process with the particular command line required. Behavior monitoring detects and blocks numerous attacks like this on a daily basis.

Detections of the PowerShell reverse TCP payloadFigure 14. Detections of the PowerShell reverse TCP payload

Beyond looking at events by process, behavior monitoring in Windows Defender ATP can also aggregate events across multiple processes, even if they are sparsely connected via techniques like code injection from one process to another (i.e., not just parent-child processes). Moreover, it can persist and orchestrate sharing of security signals across Windows Defender ATP components (e.g., endpoint detection and response) and trigger protection through other parts of the layered defenses.

Behavior monitoring across multiple processes is not only an effective protection against fileless malware; its also a tool to catch attack techniques in generic ways. Here is another example where multi process behavior monitoring in action, Pyordono.A is a detection based on multi-process events and is aimed at blocking scripting engines (JavaScript, VBScript, Office macros) that try to execute cmd.exe or powershell.exe with suspicious parameters. Windows Defender ATP telemetry shows this detection algorithm protecting users from several campaigns.

Pyordono.A technique detected in the wildFigure 15. Pyordono.A technique detected in the wild

Recently, we saw a sudden increase in Pyordono.A encounters, reaching levels way above the average. We investigated this anomaly and uncovered a widespread campaign that used malicious Excel documents and targeted users in Italy from September 8 to 12.

Screenshot of malicious Excel document with instructions in Italian to click Enable contentFigure 16. Malicious Excel document with instructions in Italian to click Enable content

The document contains a malicious macro and uses social engineering to lure potential victims into running the malicious code. (Note: We have recently integrated Office 365 clients apps with AMSI, enabling antivirus solutions to scan macros at runtime to check for malicious content).

The obfuscated macro code attempts to run an obfuscated Cmd command which in turns executes an obfuscated Powershell script. In the end, the Ursnif trojan is delivered.Figure 17. The obfuscated macro code attempts to run an obfuscated Cmd command which in turns executes an obfuscated Powershell script. In the end, the Ursnif trojan is delivered.

The macro makes use of obfuscation to execute a cmd command, which is also obfuscated. The cmd command executes a PowerShell script that in turn downloads additional data and delivers the payload, infostealing Ursnif. We recently reported a small-scale Ursnif campaign that targeted small businesses in specific US cities. Through multi-process behavior monitoring, Windows Defender ATP detected and blocked the new campaign targeting users in Italy using a generic detection algorithm without prior knowledge of the malware.

Memory scanning

Antivirus capabilities in Windows Defender ATP also employ memory scanning to detect the presence of malicious code in the memory of a running process. Even if malware can run without the use of a physical file, it does need to reside in memory in order to operate and is therefore detectable by means of memory scanning. An example is the GandCrab ransomware, which was reported to have become fileless. The payload DLL is encoded in a string, then decoded and run dynamically via PowerShell. The DLL itself is never dropped on the disk. Using memory scanning, Windows Defender ATP can scan the memory of running processes and detect known patterns of the ransomware run from the stealthy DLL.

Memory scanning, in conjunction with behavior monitoring and other dynamic defenses, helped Windows Defender ATP to disrupt a massive Dofoil campaign. Dofoil, a known nasty downloader, uses some sophisticated techniques to evade detection, including process hollowing, which allows the malware to execute in the context of a legitimate process (e.g., explorer.exe). To this day, memory scanning detects Dofoil activities.

Detections of the memory-resident Dofoil payloadFigure 18. Detections of the memory-resident Dofoil payload

Memory scanning is a versatile tool: when suspicious APIs or behavior monitoring events are observed at runtime, antivirus capabilities in Windows Defender ATP trigger a memory scan in key points it is more likely to observe (and detect) a payload that has been decoded and may be about to run. This gives Windows Defender ATP granular control on which actions are more interesting and may require more attention. Every day, memory scanning allows Windows Defender ATP to protect thousands of machines against active high-profile threats like Mimikatz and WannaCry.

Boot Sector protection

With Controlled folder access on Windows 10, Windows Defender ATP does not allow write operations to the boot sector, thus closing a dangerous fileless attack vector used by Petya, BadRabbit, and bootkits in general. Boot infection techniques can be suitable for fileless threats because it can allow malware to reside outside of the file system and gain control of the machine before the operating system is loaded. The use of rootkit techniques, like in the defunct Alureon malware (also known as TDSS or TDL-4), can then render the malware invisible and extremely difficult to detect and remove. With Controlled folder access, which is part of Windows Defender ATPs attack surface reduction capabilities, this entire class of infection technique has become a thing of the past.

Control Folder Access preventing a boot sector infection attempted by PetyaFigure 19. Control Folder Access preventing a boot sector infection attempted by Petya

Windows 10 in S mode: Naturally resistant to fileless attacks

Windows 10 in S mode comes with a preconfigured set of restrictions and policies that make it naturally protected against a vast majority of the fileless techniques (and against malware in general). Among the available security features, the following ones are particularly effective against fileless threats:

For executables: Only Microsoft-verified applications from the Microsoft Store are allowed to run. Furthermore, Device Guard provides User Mode Code Integrity (UMCI) to prevent the loading of unsigned binaries.

For scripts: Scripting engines are not allowed to run (including JavaScript, VBScript, and PowerShell).

For macros: Office 365 does not allow the execution of macros in documents from the internet (for example, documents that are downloaded or received as attachment in emails from outside the organization).

For exploits: Exploit protection and Attack surface reduction rules are also available on Windows 10 in S mode as a consistent barrier against exploitation.

With these restrictions in place, Windows 10 in S mode devices are in a robust, locked down state, removing crucial attack vectors used by fileless malware.


As antivirus solutions become better and better at pinpointing malicious files, the natural evolution of malware is to shift to attack chains that use as few files as possible. While fileless techniques used to be employed almost exclusively in sophisticated cyberattacks, they are now becoming widespread in common malware, too.

At Microsoft, we actively monitor the security landscape to identify new threat trends and develop solutions that continuously enhance Windows security and mitigate classes of threats. We instrument durable generic detections that are effective against a wide range of threats. Through AMSI, behavior monitoring, memory scanning, and boot sector protection, we can inspect threats even with heavy obfuscation. Machine learning technologies in the cloud allow us to scale these protections against new and emerging threats.

Security solutions on Windows 10 integrate into a unified endpoint security platform in Windows Defender Advanced Threat Protection. Windows Defender ATP includes attack surface reduction, next-generation protection, endpoint protection and response, auto investigation and remediation, security posture, and advanced hunting capabilities. To test how Windows Defender ATP can help your organization detect, investigate, and respond to advanced attacks, sign up for a free trial.

Protections against fileless and other threats are shared across Microsoft 365, which integrate technologies in Windows, Office 365, and Azure. Through the Microsoft Intelligent Security Graph, security signals are shared and remediation is orchestrated across Microsoft 365.



Andrea Lelli
Windows Defender Research







Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

The post Out of sight but not invisible: Defeating fileless malware with behavior monitoring, AMSI, and next-gen AV appeared first on Microsoft Secure.

Protecting the modern workplace from a wide range of undesirable software

Security is a fundamental component of the trusted and productive Windows experience that we deliver to customers through modern platforms like Windows 10 and Windows 10 in S mode. As we build intelligent security technologies that protect the modern workplace, we aim to always ensure that customers have control over their devices and experiences.

To protect our customers from the latest threats, massive amounts of security signals and threat intelligence from the Microsoft Intelligent Security Graph are processed by security analysts and intelligent systems that identify malicious and other undesirable software. Our evaluation criteria describe the characteristics and behavior of malware and potentially unwanted applications and guide the proper identification of threats. This classification of threats is reflected in the protection delivered by the Windows Defender Advanced Threat Protection (Windows Defender ATP) unified endpoint security platform.

Malware: Malicious software and unwanted software

Among the big classifications of threats, customers may be most familiar with malicious software. Malicious software might steal personal information, lock devices until a ransom is paid, use devices to send spam, or download other malicious software. Examples of these types of threats are keyloggers and ransomware. Malware can get into devices through various infection vectors, including exploits, which undermine users choice and control of their devices. Windows Defender ATP’s next generation protections detect and block these malicious programs using local machine learning models, behavior-based detection, generics and heuristics, and cloud-based machine learning models and data analytics.

Some threats, on the other hand, are classified as unwanted software. These are applications that dont keep customers in control of devices through informed choices and accessible controls are considered unwanted. Examples of unwanted behavior include modifying browsing experience without using supported browser extensibility models, using alarming and coercive messages to scare customers into buying premium versions of software, and not providing a clear and straightforward way to install, uninstall or disable applications. Like malicious software, unwanted software threats are malware.

Using a model that leverages predictive technologies, machine learning, applied science, and artificial intelligence powers Windows Defender ATP to detect and stop malware at first sight, as reflected in consistently high scores in independent antivirus tests.

Potentially unwanted applications

Some applications do not exhibit malicious behavior but can adversely impact the performance or use of devices. We classify these as potentially unwanted applications (PUA). For example, we noted the increased presence of legitimate cryptocurrency miners in enterprise environments. While some forms of cryptocurrency miners are not malicious, they may not be authorized in enterprise networks because they consume computing resources.

Unlike malicious software and unwanted software, potentially unwanted applications are not malware. Enterprise security administrators can use the PUA protection feature to block these potentially unwanted applications from downloading and installing on endpoints. PUA protection is enabled by default in Windows Defender ATP when managed through System Center Configuration Manager.

In March 2018, we started surfacing PUA protection definitions on VirusTotal. We have also updated our evaluation criteria page to describe the specific categories and descriptions of software that we classify as PUA. These are:

Browser advertising software: Software that displays advertisements or promotions or prompts the user to complete surveys for other products or services in software other than itself. This includes, for example, software that inserts advertisements in browser webpages.

Torrent software: Software that is used to create or download torrents or other files specifically used with peer-to-peer file-sharing technologies.

Cryptomining software: Software that uses your computer resources to mine cryptocurrencies.

Bundling software: Software that offers to install other software that is not digitally signed by the same entity. Also, software that offers to install other software that qualify as PUA based on the criteria outlined in this document.

Marketing software: Software that monitors and transmits the activities of the user to applications or services other than itself for marketing research.

Evasion software: Software that actively tries to evade detection by security products, including software that behaves differently in the presence of security products.

Poor industry reputation: Software that trusted security providers detect with their security products. The security industry is dedicated to protecting customers and improving their experiences. Microsoft and other organizations in the security industry continuously exchange knowledge about files we have analyzed to provide users with the best possible protection.

Customer protection is our top priority. Windows Defender Advanced Threat Protection (Windows Defender ATP) incorporates next-generation protection, attack surface reduction, endpoint detection and response, and automated investigation and remediation, and advanced hunting capabilities. We adjust, expand, and update our evaluation criteria based on customer feedback as well as new and emerging trends in the threat landscape. We encourage customers to help us identify new threats and other undesirable software by submitting programs that exhibit behaviors outlined in the evaluation criteria.



Michael Johnson

Windows Defender Research






Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

Sharing research and discoveries at PWN2OWN

The annual PWN2OWN exploit contest at the CanSecWest conference in Vancouver, British Columbia, Canada, brings together some of the top security talent from across the globe in a friendly competition. For the participants, these events are a platform to demonstrate world-class skills and vie for significant cash prizes. For companies like Microsoft, where we have a large number of teams focused on security, contests like this provide an additional avenue for external input from researchers. It is this community collaboration that led us to partner with Trend Micro/ZDI to sponsor this years contest.

Microsoft regularly leverages input from the community using programs such as bug bounties and the BlueHat prize in a relentless pursuit to improve the security of our products and expand our understanding of the latest threats.

Exploit contests are great opportunities as it allows Microsoft engineers to exchange ideas face-to-face with the community. This includes intricate details such as attack approaches, techniques used, and opportunities for improvement against similar attacks. While bug bounty programs focus on vulnerabilities, contests like PWN2OWN focus on exploit chains which typically are only seen in real attacks. The opportunity to understand exploits without impact to customers is invaluable. Microsoft has used this to drive security innovations into the platform and in products like Microsoft Edge. Microsoft sponsored several competition targets running the latest Windows Insider preview builds for on Microsoft Surface devices to help direct the community to gain insight into some of our most important areas. None of the competition targets running the latest Windows insider previewer were successfully exploited by contestants.

To demonstrate the effectiveness of this partnership, Microsoft provided an overview of some of the mitigations influenced by offensive security research community in a recent blackhat presentation.

These innovations include:

  • Windows Defender Application Guard which uses virtualization security to protect against kernel-based sandbox attacks
  • Control Flow Guard (CFG) and Microsoft Edges JIT and code integrity protection, which mitigates many of the common techniques leveraged in past competitions
  • Microsoft Edges improved sandbox, which reduces previous attack surface by 90%

We believe this engagement with researchers has resulted in durable, real-world protection for customers. As an example, Microsoft Edge has still not been impacted by a zero-day exploit in the wild. In addition, this years PWN2OWN entries were not able to escape the Windows Defender Application Guard isolation protection.

Engaging with the research community and creating platforms for transparent information sharing across the wider defender community is a key part of Microsofts strategy to keep customers safe. We will continue to push for deeper collaboration through future events and programs.

Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

Categories: cybersecurity, Windows, Windows 10 Tags:

Poisoned peer-to-peer app kicked off Dofoil coin miner outbreak

On March 7, we reported that a massive Dofoil campaign attempted to install malicious cryptocurrency miners on hundreds of thousands of computers. Windows Defender Antivirus, with its behavior monitoring, machine learning technologies, and layered approach to security detected and blocked the attack within milliseconds.Windows 10 S, a special configuration of Windows 10 providing Microsoft-verified security, was not vulnerable to this attack.

Immediately upon discovering the attack, we looked into the source of the huge volume of infection attempts. Traditionally, Dofoil (also known as Smoke Loader) is distributed in multiple ways, including spam email and exploit kits. In the outbreak, which began in March 6, a pattern stood out: most of the malicious files were written by a process called mediaget.exe.

This process is related to MediaGet, a BitTorrent client that we classify as potentially unwanted application (PUA). MediaGet is often used by people looking to download programs or media from websites with dubious reputation. Downloading through peer-to-peer file-sharing apps like this can increase the risk of downloading malware.

During the outbreak, however, Dofoil didnt seem to be coming from torrent downloads. We didnt see similar patterns in other file-sharing apps. The process mediaget.exe always wrote the Dofoil samples to the %TEMP% folder using the file name my.dat. The most common source of infection was the file %LOCALAPPDATA%\MediaGet2\mediaget.exe (SHA-1: 3e0ccd9fa0a5c40c2abb40ed6730556e3d36af3c).

Tracing the infection timeline

Our continued investigation on the Dofoil outbreak revealed that the March 6 campaign was a carefully planned attack with initial groundwork dating back to mid-February. To set the stage for the outbreak, attackers performed an update poisoning campaign that installed a trojanized version of MediaGet on computers. The following timeline shows the major events related to the Dofoil outbreak.

Figure 1.MediaGet-related malware outbreak timeline (all dates in UTC).

MediaGet update poisoning

The update poisoning campaign that eventually led to the outbreak is described in the following diagram. A signed mediaget.exe downloads an update.exe program and runs it on the machine to install a new mediaget.exe. The new mediaget.exe program has the same functionality as the original but with additional backdoor capability.

Figure 2. Update poisoning flow

The malicious update process is recorded by Windows Defender ATP. The following alert process tree shows the original mediaget.exe dropping the poisoned signed update.exe.

Figure 3. Windows Defender ATP detection of malicious update process

Poisoned update.exe

The dropped update.exe is a packaged InnoSetup SFX which has an embedded trojanized mediaget.exe, update.exe. When run, it drops a trojanized unsigned version of mediaget.exe.

Figure 4.Certificate information of the poisoned update.exe

Update.exe is signed by a third-party developer company completely unrelated with MediaGet and probably also victim of this plot; update.exe was code signed with a different cert just to pass the signing requirement verification as seen in the original mediaget.exe. The update code will check the certificate information to verify whether it is valid and signed. If it is signed, it will check that the hash value matches the value retrieved from the hash server located in infrastructure. The figure below shows a code snippet that checks for valid signatures on the downloaded update.exe.

Figure 5. mediaget.exe update code

Trojanized mediaget.exe

The trojanized mediaget.exe file, detected by Windows Defender AV as Trojan:Win32/Modimer.A, shows the same functionality as the original one, but it is not signed by any parties and has additional backdoor functionality. This malicious binary has 98% similarity to the original, clean MediaGet binary. The following PE information shows the different PDB information and its file path left in the executable.

Figure 6. PDB path comparison of signed and trojanized executable

When the malware starts, it builds a list of command-and-control (C&C) servers.

Figure 7. C&C server list

One notable detail about the embedded C&C list is that the TLD .bit is not an ICANN-sanctioned TLD and is supported via NameCoin infrastructure. NameCoin is a distributed name server system that adopts the concept of blockchain model and provides anonymous domains. Since .bit domains cant be resolved by ordinary DNS servers, the malware embeds a list of 71 IPv4 addresses that serve as NameCoin DNS servers.

The malware then uses these NameCoin servers to perform DNS lookups of the .bit domains. From this point these names are in the machine’s DNS cache and future lookups will be resolved without needing to specify the NameCoin DNS servers.

The first contact to the C&C server starts one hour after the program starts.

Figure 8. C&C connection start timer

The malware picks one of the four C&C servers at random and resolves the address using NameCoin if its a .bit domain. It uses HTTP for command-and-control communication.

Figure 9. C&C server connection

The backdoor code collects system information and sends them to the C&C server through POST request.

Figure 10. System information

The C&C server sends back various commands to the client. The following response shows the HASH, IDLE, and OK commands. The IDLE command makes the process wait a certain time, indicated in seconds (for example, 7200 seconds = 2 hours), before contacting C&C server again.

Figure 11. C&C commands

One of the backdoor commands is a RUN command that retrieves a URL from the C&C server command string. The malware then downloads a file from the URL, saves it as %TEMP%\my.dat, and runs it.

Figure 12. RUN command processing code

This RUN command was used for the distribution of the Dofoil malware starting March 1 and the malware outbreak on March 6. Windows Defender ATP alert process tree shows the malicious mediaget.exe communicating with, one of the identified C&C servers. It then drops and runs my.dat (Dofoil), which eventually leads to the CoinMiner component.

Figure 13.Dofoil, CoinMiner download and execution flow

Figure 14. Windows Defender ATP alert process tree

The malware campaign used Dofoil to deliver CoinMiner, which attempted to use the victims computer resources to mine cryptocurrencies for the attackers. The Dofoil variant used in the attack showed advanced cross-process injection techniques, persistence mechanisms, and evasion methods. Windows Defender ATP can detect these behaviors across the infection chain.

Figure 15. Windows Defender ATP detection for Dofoils process hollowing behavior

We have shared details we uncovered in our investigation with MediaGets developers to aid in their analysis of the incident.

We have shared details of the malicious use of code-signing certificate used in update.exe (thumbprint: 5022EFCA9E0A9022AB0CA6031A78F66528848568) with the certificate owner.

Real-time defense against malware outbreaks

The Dofoil outbreak on March 6, which was built on prior groundwork, exemplifies the kind of multi-stage malware attacks that are fast-becoming commonplace. Commodity cybercrime threats are adopting sophisticated methods that are traditionally associated with more advanced cyberattacks. Windows Defender Advanced Threat Protection (Windows Defender ATP) provides the suite of next-gen defenses that protect customers against a wide range of attacks in real-time.

Windows Defender AV enterprise customers who have enabled the potentially unwanted application (PUA) protection feature were protected from the trojanized MediaGet software that was identified as the infection source of the March 6 outbreak.

Windows Defender AV protected customers from the Dofoil outbreak at the onset. Behavior-based detection technologies flagged Dofoils unusual persistence mechanism and immediately sent a signal to the cloud protection service, where multiple machine learning models blocked most instances at first sight.

In our in-depth analysis of the outbreak, we also demonstrated that the rich detection libraries in Windows Defender ATP flagged Dofoils malicious behaviors throughout the entire infection process. These behaviors include code injection, evasion methods, and dropping a coin mining component. Security operations can use Windows Defender ATP to detect and respond to outbreaks. Windows Defender ATP also integrates protections from Windows Defender AV, Windows Defender Exploit Guard, and Windows Defender Application Guard, providing a seamless security management experience.

For enhanced security against Dofoil and others similar coin miners, Microsoft recommends Windows 10 S. Windows 10 S exclusively runs apps from the Microsoft Store, effectively blocking malware and applications from unverified sources. Windows 10 S users were not affected by this Dofoil campaign.

Windows Defender Research

Indicators of compromise (IOCs)

File name SHA-1 Description Signer Signing date Detection name
mediaget.exe 1038d32974969a1cc7a79c3fc7b7a5ab8d14fd3e Offical mediaget.exe executable GLOBAL MICROTRADING PTE. LTD. 2:04 PM 10/27/2017 PUA:Win32/MediaGet
mediaget.exe 4f31a397a0f2d8ba25fdfd76e0dfc6a0b30dabd5 Offical mediaget.exe executable GLOBAL MICROTRADING PTE. LTD. 4:24 PM 10/18/2017 PUA:Win32/MediaGet
update.exe 513a1624b47a4bca15f2f32457153482bedda640 Trojanized updater executable DEVELTEC SERVICES SA DE CV N/A Trojan:Win32/Modimer.A
mediaget.exe 3e0ccd9fa0a5c40c2abb40ed6730556e3d36af3c,
Trojanized mediaget.exe executable Not signed N/A Trojan:Win32/Modimer.A
my.dat d84d6ec10694f76c56f6b7367ab56ea1f743d284 Dropped malicious executable TrojanDownloader:Win32/Dofoil.AB
wuauclt.exe 88eba5d205d85c39ced484a3aa7241302fd815e3 Dropped CoinMiner Trojan:Win32/CoinMiner.D

Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

Behavior monitoring combined with machine learning spoils a massive Dofoil coin mining campaign

Just before noon on March 6 (PST), Windows Defender AV blocked more than 80,000 instances of several sophisticated trojans that exhibited advanced cross-process injection techniques, persistence mechanisms, and evasion methods. Behavior-based signals coupled with cloud-powered machine learning models uncovered this new wave of infection attempts. The trojans, which are new variants of Dofoil (also known as Smoke Loader), carry a coin miner payload. Within the next 12 hours, more than 400,000 instances were recorded, 73% of which were in Russia. Turkey accounted for 18% and Ukraine 4% of the global encounters.

Figure 1: Windows Defender ATP machine timeline view with Windows Defender Exploit Guard event
Figure 1: Geographic distribution of the Dofoil attack components

Windows Defender AV initially flagged the attacks unusual persistence mechanism through behavior monitoring, which immediately sent this behavior-based signal to our cloud protect system.

  1. Within milliseconds, multiple metadata-based machine learning models in the cloud started blocking these threats at first sight.
  2. Seconds later, our sample-based and detonation-based machine learning models also verified the malicious classification. Within minutes, detonation-based models chimed in and added additional confirmation.
  3. Within minutes, an anomaly detection alert notified us about a new potential outbreak.
  4. After analysis, our response team updated the classification name of this new surge of threats to the proper malware families. People affected by these infection attempts early in the campaign would have seen blocks under machine learning names like Fuery, Fuerboos, Cloxer, or Azden. Later blocks show as the proper family names, Dofoil or Coinminer.

Windows 10, Windows 8.1, and Windows 7 users running Windows Defender AV or Microsoft Security Essentials are all protected from this latest outbreak.

Figure 2. Layered machine learning defenses in Windows Defender AV
Figure 2. Layered machine learning defenses in Windows Defender AV

Artificial intelligence and behavior-based detection in Windows Defender AV has become one of the mainstays of our defense system. The AI-based pre-emptive protection provided against this attack is similar to how layered machine learning defenses stopped an Emotet outbreak last month.

Code injection and coin mining

Dofoil is the latest malware family to incorporate coin miners in attacks. Because the value of Bitcoin and other cryptocurrencies continues to grow, malware operators see the opportunity to include coin mining components in their attacks. For example, exploit kits are now delivering coin miners instead of ransomware. Scammers are adding coin mining scripts in tech support scam websites. And certain banking trojan families added coin mining behavior.

The Dofoil campaign we detected on March 6 started with a trojan that performs process hollowing on explorer.exe. Process hollowing is a code injection technique that involves spawning a new instance of legitimate process (in this case c:\windows\syswow64\explorer.exe) and then replacing the legitimate code with malware.

Figure 3. Windows Defender ATP detection for process hollowing (SHA-256: d191ee5b20ec95fe65d6708cbb01a6ce72374b309c9bfb7462206a0c7e039f4d, detected by Windows Defender AV as TrojanDownloader:Win32/Dofoil.AB)

The hollowed explorer.exe process then spins up a second malicious instance, which drops and runs a coin mining malware masquerading as a legitimate Windows binary, wuauclt.exe.

Figure 4. Windows Defender ATP detection for coin mining malware (SHA-256: 2b83c69cf32c5f8f43ec2895ec9ac730bf73e1b2f37e44a3cf8ce814fb51f120, detected by Windows Defender AV as Trojan:Win32/CoinMiner.D)

Even though it uses the name of a legitimate Windows binary, its running from the wrong location. The command line is anomalous compared to the legitimate binary. Additionally, the network traffic from this binary is suspicious.

Windows Defender ATP alert process tree showing anomalous IP communications
Figure 5. Windows Defender ATP alert process tree showing anomalous IP communications

Windows Defender ATP showing suspicious network activity
Figure 6. Windows Defender ATP showing suspicious network activity

Windows Defender ATP alert process tree
Figure 7. Windows Defender ATP alert process tree

Unlike many coin mining malware that are trojanized versions of legitimate coin miners, the Dofoil component is a bespoke miner. Based on its code, it supports NiceHash, which means it can mine different cryptocurrencies. The samples we analyzed mined Electroneum coins.


For coin miner malware, persistence is key. These types of malware employ various techniques to stay undetected for long periods of time in order to mine coins using stolen computer resources.

To stay hidden, Dofoil modifies the registry. The hollowed explorer.exe process creates a copy of the original malware in the Roaming AppData folder and renames it to ditereah.exe. It then replaces the OneDrive entry in the registry Run key, pointingto the newly created malware copy.

Windows Defender ATP alert process tree showing creation of new malware process
Figure 8. Windows Defender ATP alert process tree showing creation of new malware process (SHA-256: d191ee5b20ec95fe65d6708cbb01a6ce72374b309c9bfb7462206a0c7e039f4d) and registry modification

Command and communication

Dofoil is an enduring family of trojan downloaders. These connect to command and control (C&C) servers to listen for commands to download and install malware. In the March 6 campaign, Dofoils C&C communication involves the use of the decentralized Namecoin network infrastructure.

The hollowed explorer.exe process writes and runs another binary, D1C6.tmp.exe (SHA256: 5f3efdc65551edb0122ab2c40738c48b677b1058f7dfcdb86b05af42a2d8299c) into the Temp folder. D1C6.tmp.exe then drops and executes a copy of itself named lyk.exe. Once running, lyk.exe connects to IP addresses that act as DNS proxy servers for the Namecoin network. It then attempts to connect to the C&C server vinik.bit inside the NameCoin infrastructure. The C&C server commands the malware to connect or disconnect to an IP address; download a file from a certain URL and execute or terminate the specific file; or sleep for a period of time.


 Windows Defender ATP alert process tree showing creation of the temporary file, D1C6.tmp.exe
Figure 9. Windows Defender ATP alert process tree showing creation of the temporary file, D1C6.tmp.exe (SHA256: 5f3efdc65551edb0122ab2c40738c48b677b1058f7dfcdb86b05af42a2d8299c)

Stay protected with Windows 10

With the rise in valuation of cryptocurrencies, cybercriminal groups are launching more and more attacks to infiltrate networks and quietly mine for coins.

Windows Defender AVs layered approach to security, which uses behavior-based detection algorithms, generics, and heuristics, as well as machine learning models in both the client and the cloud, provides real-time protection against new threats and outbreaks.

As demonstrated, Windows Defender Advanced Threat Protection (Windows Defender ATP) flags malicious behaviors related to installation, code injection, persistence mechanisms, and coin mining activities. Security operations can use the rich detection libraries in Windows Defender ATP to detect and respond to anomalous activities in the network. Windows Defender ATP also integrates protections from Windows Defender AV, Windows Defender Exploit Guard, and Windows Defender Application Guard, providing a seamless security management experience.

Windows 10 S, a special configuration of Windows 10, helps protect against coin miners and other threats. Windows 10 S works exclusively with apps from the Microsoft Store and uses Microsoft Edge as the default browser, providing Microsoft verified security.


Windows Defender Research



Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

Categories: cybersecurity Tags:

#AVGater vulnerability does not affect Windows Defender Antivirus, MSE, or SCEP

On November 10, 2017, a vulnerability called #AVGater was discovered affecting some antivirus products. The vulnerability requires a non-administrator-level account to perform a restore of a quarantined file.

Windows Defender Antivirus and other Microsoft antimalware products, including System Center Endpoint Protection (SCEP) and Microsoft Security Essentials (MSE), are not affected by this vulnerability.

This vulnerability can be exploited to restore files that have been detected and quarantined by an antivirus product. To exploit this, malicious applications, including those launched by user-level accounts without administrator privileges, create an NTFS junction from the %System% folder to folder where the quarantined file is located. This NTFS junction can trigger the antivirus product to attempt to restore the file into the %System% folder.

This is a relatively old attack vector. By design, Microsoft antimalware products, including Windows Defender Antivirus, have never been affected by this vulnerability because it does not permit applications launched by user-level accounts to restore files from quarantine. This is part of the built-in protections against this and other known user-account permissions vulnerabilities.

Read more about Windows Defender Antivirus and the rest of our Windows Defender protection products at the following links:


*Edited 11/17/2017 to include other Microsoft antimalware products


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.