Martijn Lammerts
My own digital place with a little of everything

Detonating a bad rabbit: Windows Defender Antivirus and layered machine learning defenses

11 December 2017
Windows Defender Antivirus uses a layered approach to protection: tiers of advanced automation and machine learning models evaluate files to reach a verdict on suspected malware. While Windows Defender AV detects a vast majority of new malware files at first sight, we always strive to further close the gap between malware release and detection. In...

Microsoft teams up with law enforcement and other partners to disrupt Gamarue (Andromeda)

5 December 2017
Today, with help from Microsoft security researchers, law enforcement agencies around the globe, in cooperation with Microsoft Digital Crimes Unit (DCU), announced the disruption of Gamarue, a widely distributed malware that has been used in networks of infected computers collectively called the Andromeda botnet. The disruption is the culmination of a journey that started in...

Windows Defender ATP machine learning and AMSI: Unearthing script-based attacks that ‘live off the land’

4 December 2017
Scripts are becoming the weapon of choice of sophisticated activity groups responsible for targeted attacks as well as malware authors who indiscriminately deploy commodity threats. Scripting engines such as JavaScript, VBScript, and PowerShell offer tremendous benefits to attackers. They run through legitimate processes and are perfect tools for “living off the land”—staying away from the...

New tech support scam launches communication or phone call app

20 November 2017
A new tech support scam technique streamlines the entire scam experience, leaving potential victims only one click or tap away from speaking with a scammer. We recently found a new tech support scam website that opens your default communication or phone call app, automatically prompting you to call a fake tech support scam hotline. ...

#AVGater vulnerability does not affect Windows Defender Antivirus

14 November 2017
On November 10, 2017, a vulnerability called #AVGater was discovered affecting some antivirus products. The vulnerability requires a non-administrator-level account to perform a restore of a quarantined file. Windows Defender Antivirus is not affected by this vulnerability. This vulnerability can be exploited to restore files that have been detected and quarantined by an antivirus product....

Detecting reflective DLL loading with Windows Defender ATP

13 November 2017
Today's attacks put emphasis on leaving little, if any, forensic evidence to maintain stealth and achieve persistence. Attackers use methods that allow exploits to stay resident within an exploited process or migrate to a long-lived process without ever creating or relying on a file on disk. In recent blogs we described how attackers use basic...

Mitigating and eliminating info-stealing Qakbot and Emotet in corporate networks

6 November 2017
The threat to information is greater than ever, with data breaches, phishing attacks, and other forms of information theft like point-of-sale malware and ATM hacks becoming all too common in today's threat landscape. Information-stealing trojans are in the same category of threats that deliver a steady stream of risk to data and can lead to...

Windows Defender Exploit Guard: Reducing the attack surface with next-generation host intrusion prevention

23 October 2017
Windows Defender Exploit Guard is a new set of intrusion prevention capabilities that ships with the Windows 10 Fall Creators Update. The four components of Windows Defender Exploit Guard are designed to lock down the device against a wide variety of attack vectors and block behaviors commonly used in malware attacks, while enabling enterprises to balance their...