Windows Defender - Demystifying and Bypassing ASR by Understanding the AV's Signatures
Offered By: Black Hat via YouTube
Course Description
Overview
Dive into the intricacies of Windows Defender's undocumented signature format in this 39-minute Black Hat conference talk. Explore the inner workings of Windows' built-in antivirus software, focusing on Attack Surface Reduction (ASR) and its implementation. Learn about Windows Defender internals, signature modules, and update mechanisms. Discover techniques for signature evasion and bypassing ASR rules, valuable for security auditors and penetration testers. Gain insights into LUA scripts, DBVAR signatures, and the peculiarities of Windows Defender's update process. Presented by Camille Mougey, this talk demystifies Windows Defender's complex architecture and provides practical knowledge for both defensive and offensive security professionals.
Syllabus
Intro
ASR: Attack Surface Reduction
Journey
Windows Defender 101
Exploring WD internals
WD: instrumentation
Test your skills!
Hunting for ASR rule implementation
Windows Defender signatures
Reading LUA scripts
ASR: Implementation?
ASR implementation: 2 ways
ASR Test Tool: implementation
ASR: working test
ASR: exclusion
ASR: additional bypass
ASR: oddities
Signature format
Signatures modules
Specific Threats
Signature: LUA
Signature: DBVAR
Signatures: update
Update rhythm
Update: oddities
Update: diffing - Friendly Files
Update diffing: C&C
Update diffing: unnecessary changes
Taught by
Black Hat
Related Courses
Computer Security - Stanford University via Coursera
Cryptography II - Stanford University via Coursera
Malicious Software and its Underground Economy: Two Sides to Every Story - University of London International Programmes via Coursera
Building an Information Risk Management Toolkit - University of Washington via Coursera
Introduction to Cybersecurity - National Cybersecurity Institute at Excelsior College via Canvas Network