
Windows Defender Antivirus and layered machine learning defenses - Lukas_Skywalker
https://blogs.technet.microsoft.com/mmpc/2017/12/11/detonating-a-bad-rabbit-windows-defender-antivirus-and-layered-machine-learning-defenses/
======
hs86
Will they do anything about its terrible performance? According to [1],
Windows Defender causes a 5x increase in Chrome's build times and delays a
process start by 260 ms.

[1]
[https://twitter.com/BruceDawson0xB/status/940747236614574080](https://twitter.com/BruceDawson0xB/status/940747236614574080)

~~~
cptskippy
What measure are you using to determine the performance is terrible? As a
developer, I have always had issues with Antivirus. If your compile times are
crap then AV should be one of the first things you try disabling.

Hell, I've had overly aggressive AV (McAfee) locking files in temp data
folders causing performance to falter in running applications (Visual Studio,
Pidgin, Outlook, Office).

Why does the end user care about compile times?

~~~
Someone1234
I've had the same experience; I've just taken to whitelisting all of the
cache, assembly, and lib folders throughout the workflow (and processes).

Never found an AV which didn't seriously hamper build times, since building
often involves a lot of process start/stops and new small files, both of which
are kryptonite to AV.

MalwareBytes Enterprise recently got completely uninstalled as it was locking
random files during compilation indefinitely. They have a fix but only for the
consumer branch.

------
wjnc
This is both pretty impressive and pretty scary. Impressive to detect new
malware with such a low N. This massively changes the economics of creating
malware. Scary now that pretty much any file that flags as suspicious locally
can be sent to the cloud for further inspection. That would seem a no go for
many corporate clients?

~~~
mtgx
It's how Reality Winner's NSA files were sent to Kaspersky, too.

Just some food for thought. I never trust any "cloud-based" antivirus
solution.

~~~
ganoushoreilly
Reality Winner printed out a classified document at work; I think you're
confusing her with Nghia Pho, who appears to have been the Kaspersky leak
victim.

------
booleandilemma
I’ve been recommending msft antivirus to my tech illiterate family over
symantec/mcafee/avast/whatever since win7.

~~~
ganoushoreilly
It's extremely effective on win10 without creating further security issues
with the cabal of AV products out there. We tell our clients to save the cash,
use Defender, and invest in other more effective technologies in the stack.

~~~
giancarlostoro
At my old job we used Defender and Deep Freeze. Never had any incidents.

------
dfox
One thing I'm very eager to see is how Defender and Microsoft in general will
interact with various third-party AV and "enterprise security" solutions which
almost invariably contain rootkit-ish/malware-ish modules.

------
cjsuk
Does it still run as SYSTEM? If so, fix that and come back later please.

[https://bugs.chromium.org/p/project-zero/issues/detail?id=12...](https://bugs.chromium.org/p/project-zero/issues/detail?id=1282&desc=2)

~~~
ksk
Can you explain what you mean by "fix that"? How is that helpful? I read your
link and it doesn't provide any actionable items.

In any case, it doesn't "run as SYSTEM". The invoking credentials for a
process are not necessarily relevant on a kernel like NT. A process can choose
to modify its security token after process invocation. For example, user-mode
apps can downgrade their read/write rights, limiting them to a fixed
directory, so even if they had exploitable bugs, the damage could be limited.
Chrome on Windows uses these same protections. I'm sure similar tech exists on
competing kernels.

MsMpEng.exe AFAICT runs as a 'system protected process'. Certainly, it looks
like there were severe bugs, but it's not clear where the bugs lie. It could
be that the protection mechanism itself is flawed (which would be very bad),
or maybe the way it's being used is incorrect, etc.

~~~
Someone1234
Different poster...

Certain parts of an AV product need to run with the top-most privileges. But
that component should be relatively lean, and quickly hand off dangerous work
to lower-privilege, memory isolated, processes.

Windows Defender has a process called NScript which is a full JavaScript
processing engine, running as SYSTEM. A JavaScript engine is inherently
complicated enough to have bugs, and running as SYSTEM with no isolation could
allow escalating a bug into full-blown code execution just by visiting a web
page. None of this is theoretical; it was found and exploited in May 2017 [0].

You're correct in saying that Windows does allow more nuanced token control
than the full user's context, but I've yet to read that Windows Defender
actually utilises that. None of the previous bugs have been stopped by
low-priv style access control; it has been a full SYSTEM leak. Do you have
specific information about Windows Defender which suggests they're using
voluntary revocation of token privileges?

[0] [https://bugs.chromium.org/p/project-zero/issues/detail?id=12...](https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5)

~~~
ksk
>Do you have specific information about Windows Defender which suggests
they're using voluntary revocation of token privileges?

Sure, just dump the security token for MsMpEng.exe. Here it is:
[https://pastebin.com/ukMPUWA7](https://pastebin.com/ukMPUWA7)

IntegrityLevelIndex is 01, MandatoryPolicy is 0x3, Privs are a subset of the
full list.

[https://www.nirsoft.net/kernel_struct/vista/TOKEN.html](https://www.nirsoft.net/kernel_struct/vista/TOKEN.html)

[https://msdn.microsoft.com/en-us/library/windows/desktop/bb5...](https://msdn.microsoft.com/en-us/library/windows/desktop/bb530716\(v=vs.85\).aspx)

[https://msdn.microsoft.com/en-us/library/windows/desktop/bb3...](https://msdn.microsoft.com/en-us/library/windows/desktop/bb394728\(v=vs.85\).aspx)

[https://msdn.microsoft.com/en-us/library/bb625963.aspx](https://msdn.microsoft.com/en-us/library/bb625963.aspx)
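An added example, not from the thread or from Microsoft, of how an administrator can read the token fields discussed above (integrity level, MandatoryPolicy, privilege count) for a running process with PowerShell. It assumes an elevated shell on 64-bit Windows 10 and the documented advapi32 token APIs; a protected (PPL) service such as MsMpEng.exe may still refuse TOKEN_QUERY, in which case the script reports the Win32 error rather than a result.

```powershell
# Added example (not from the thread): inspect a process token's integrity
# level, mandatory policy and privilege count. Assumes elevated PowerShell on
# 64-bit Windows; a PPL service may refuse TOKEN_QUERY and the script then throws.
param([string]$ProcessName = "MsMpEng")

Add-Type -TypeDefinition @"
using System; using System.Runtime.InteropServices;
public static class Tok {
  [DllImport("kernel32.dll", SetLastError=true)]
  public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
  [DllImport("advapi32.dll", SetLastError=true)]
  public static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
  [DllImport("advapi32.dll", SetLastError=true)]
  public static extern bool GetTokenInformation(IntPtr token, int cls, IntPtr buf, int len, out int need);
  [DllImport("advapi32.dll", CharSet=CharSet.Unicode, SetLastError=true)]
  public static extern bool ConvertSidToStringSid(IntPtr sid, out IntPtr str);
  [DllImport("kernel32.dll")] public static extern IntPtr LocalFree(IntPtr p);
  [DllImport("kernel32.dll")] public static extern bool CloseHandle(IntPtr h);
}
"@
$M = [Runtime.InteropServices.Marshal]

function Get-TokenInfo([IntPtr]$tok, [int]$class) {
  $need = 0   # first call only sizes the buffer, second call fills it
  [void][Tok]::GetTokenInformation($tok, $class, [IntPtr]::Zero, 0, [ref]$need)
  $buf = $M::AllocHGlobal($need)
  if (-not [Tok]::GetTokenInformation($tok, $class, $buf, $need, [ref]$need)) {
    throw "GetTokenInformation($class) failed: $($M::GetLastWin32Error())"
  }
  return $buf
}

$targetPid = (Get-Process -Name $ProcessName -ErrorAction Stop | Select-Object -First 1).Id
$hProc = [Tok]::OpenProcess(0x1000, $false, $targetPid)   # PROCESS_QUERY_LIMITED_INFORMATION
if ($hProc -eq [IntPtr]::Zero) { throw "OpenProcess failed: $($M::GetLastWin32Error())" }
$hTok = [IntPtr]::Zero
if (-not [Tok]::OpenProcessToken($hProc, 0x0008, [ref]$hTok)) {   # TOKEN_QUERY
  throw "OpenProcessToken failed: $($M::GetLastWin32Error())"
}
# TokenIntegrityLevel (25): TOKEN_MANDATORY_LABEL { PSID Sid; DWORD Attributes }
$pStr = [IntPtr]::Zero
[void][Tok]::ConvertSidToStringSid($M::ReadIntPtr((Get-TokenInfo $hTok 25)), [ref]$pStr)
$sid = $M::PtrToStringUni($pStr); [void][Tok]::LocalFree($pStr)
$rid = [int]($sid.Split('-')[-1])   # last sub-authority of S-1-16-x is the level
$level = @{16384='System';12288='High';8192='Medium';4096='Low';0='Untrusted'}[$rid]
# TokenMandatoryPolicy (27): DWORD, 0x1 = NO_WRITE_UP, 0x2 = NEW_PROCESS_MIN
$policy = $M::ReadInt32((Get-TokenInfo $hTok 27))
# TokenPrivileges (3): DWORD PrivilegeCount followed by LUID_AND_ATTRIBUTES[]
$privCount = $M::ReadInt32((Get-TokenInfo $hTok 3))
[void][Tok]::CloseHandle($hTok); [void][Tok]::CloseHandle($hProc)
"{0} (PID {1}): integrity {2} ({3}), MandatoryPolicy 0x{4:x}, {5} privileges" -f `
  $ProcessName, $targetPid, $level, $sid, $policy, $privCount
```

Comparing the privilege count against the same script run with `-ProcessName` set to an ordinary SYSTEM service shows whether the token really is a reduced subset, which is the check the comment above describes.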

