Microsoft Defender Will Be Defended: MemoryRanger Prevents Blinding Windows AV
Denis Pogonin, Igor Korkin

TL;DR
This paper presents MemoryRanger, a hypervisor-based solution that defends Microsoft Defender against kernel-mode driver attacks by restricting unauthorized access to kernel structures, effectively preventing disabling techniques without significant performance impact.
Contribution
The paper introduces MemoryRanger, a novel hypervisor-based approach to protect Windows Defender from kernel driver attacks, analyzing attack methods and demonstrating effective defense mechanisms.
Findings
MemoryRanger successfully blocks kernel driver attacks on Defender.
MemoryRanger restricts unauthorized kernel data access with minimal performance impact.
Kernel attacks can disable Defender without process termination or security triggers.
Abstract
Windows OS is facing a huge rise in kernel attacks. An overview of popular techniques that result in loading kernel drivers will be presented. One of the key targets of modern threats is disabling and blinding Microsoft Defender, the default Windows AV. An analysis of recent driver-based attacks will be given; the challenge is to block them. A survey of user- and kernel-level attacks on Microsoft Defender will be given. One of the recently published attacker techniques abuses Mandatory Integrity Control (MIC) and the Security Reference Monitor (SRM) by modifying the Integrity Level and Debug Privileges of Microsoft Defender via syscalls. However, this user-mode attack can be blocked via the Windows 'trust labels' mechanism. The presented paper explores the internals of MIC and SRM, including an analysis of Microsoft Defender during malware detection. We show how attackers can attack…
Taxonomy
Topics: Security and Verification in Computing · Advanced Malware Detection Techniques · Digital and Cyber Forensics
