Microsoft really wants you to know that its anti-malware, once an industry laggard, is today the best option for Windows 10 machines.
Tanmay Ganacharya, general manager of Microsoft ATP security research, told ZDNet there are sound reasons why its defenses are now the primary antivirus on more than half a billion devices.
Barely a week goes by without Microsoft posting a new blog boasting about sophisticated attacks that its cloud and on-machine anti-malware systems have stopped. It argues its use of machine-learning detection models succeed where traditional antivirus fails.
In June, the company recounted how it foiled Astorath malware targeting organizations in Brazil and attempting to evade detection by using tools like the Windows Management Instrumentation Command-line (WMIC).
The attacks exclusively used legitimate Windows tools to download code that executes only in memory, making it one of a growing number of so-called fileless attacks, since no executable runs on disk. Using legitimate tools – a strategy called ‘living off the land’ – also makes it harder for antivirus to detect.
More recently, the Microsoft Defender ATP Research team explained how its machine-learning models have been hardened against a specific type of adversarial attack that did work against the detection models used by BlackBerry-owned security company Cylance.
Microsoft employs a particular ‘monotonic’ machine-learning model that is resistant to gaming by attackers who are stuffing malware with ‘clean’ signals, with the knowledge that most machine-learning malware detection models are trained on a mix of malicious and clean signals.
A popular method to boost clean signals is to digitally sign files with trusted but fraudulently obtained code-signing certificates. The infamous LockerGoga ransomware that wreaked havoc on metal maker Norsk Hydro earlier this year used this tactic.
And yesterday the Microsoft Defender ATP team talked up a feature it introduced last year, a ‘hardware-rooted’ virtualization-based security called ‘runtime attestation’. The technique tripped up a kernel-based token-swap attack. The token includes details about the privileges of the user account associated with a process.
“Token theft attacks are rampant because they can allow adversaries to use access tokens to operate using different user accounts or under different system security contexts to perform malicious actions and evade detection,” explained researchers from Microsoft Defender ATP.
According to Ganacharya, these investments in machine learning and cloud-based security, plus improvements to its client-side software, have helped drive the share enjoyed by Windows Defender, now known officially known as Microsoft Defender, to over half the Windows ecosystem.
“Windows Defender already has more than a 50% share in the Windows ecosystem. So that’s more than half a billion machines that are running Windows Defender in an active mode as the primary antivirus. And it has grown pretty significantly and is among the best now.”
Despite improvements to its own security products, the sheer size of Windows Defender’s market share now threatens to make its machine-learning models a greater target.
“Windows Defender is protecting more than 50% of the Windows ecosystem, so we’re a big target, and everyone wants to evade us to get the maximum number of victims,” said Ganacharya.
“We’ve predicted this is going to happen, and this is why we invested in this before it happened.”
But more danger lurks around the corner as advanced techniques used by state-backed hackers, for example, to steal information, filter down to financially-motivated attackers. This threat applies to the continuing growth of fileless malware, supply-chain attacks, and phishing.
“We’re seeing the trend of advanced techniques being used to deliver commodity malware. Once the advanced technique becomes public knowledge, this next section of actors use it, like Dofoil,” Ganacharya said.
“It was a coin-miner. It wasn’t trying to steal valuable information, it was just trying to make money by mining coins.”
A massive Dofoil outbreak occurred in early 2018, infecting 400,000 PCs within hours through a popular BitTorrent client. Just over half a year earlier, NotPetya spread rampantly across several global companies, including Maersk and Mondalez, after their Ukraine-based offices installed an update from a widely-used Ukraine accounting software package.
“Supply-chain attacks are also a really great way to attack because you’re leveraging trusted channels already established in customers’ networks to deliver your payload from. I don’t think we’re past the rise of the supply-chain attack,” said Ganacharya.
And the one style of attack that isn’t going away any time soon is phishing, which Ganacharya notes is useful when exploitation becomes hard.