DeepSec 2024 Talk: Windows Defender Internals – Baptiste David

Sanna / October 17, 2024 / Conference

Microsoft Defender Antivirus (aka Windows Defender) is an antivirus deployed worldwide and enabled by default on every Windows installation out of the box. We all use it, but who knows exactly how it really works? What is inside this software trusted by so many people and companies across the world? This talk is the first to provide such a view of Windows Defender internals, from kernel mode to user mode, based on extensive reverse engineering research. With the recent worldwide BSOD caused by the CrowdStrike antivirus, it matters to understand how an antivirus works, what it really monitors, and how some designs are prone to errors or security issues. During this talk, we will see that such highly privileged software is just another Deus Ex Machina, not only for regular malware analysis but also for many security features on Windows.

This talk will start with a deep dive into the kernel-mode modules of Windows Defender. The different filters initialized in kernel mode and the different technologies used to obtain real-time information about the system will be presented. That will form the basis for describing the actual architecture of Windows Defender, which is a large piece of software composed of many modules. With this design in mind, it will be the perfect occasion to discuss different approaches to designing an antivirus, especially in comparison with CrowdStrike.

Subsequently, we will detail the user-mode service MsMpEng.exe and the main modules constituting it. The goal is to give an overview of the different features offered by the antivirus, how to interface with them (based on unpublished details), how the antivirus ensures its own security, and the internal details of the initialization of Windows Defender (database retrieval, internal configuration management, update procedure, etc.). From there, we can explain how the engine analyzes a file in memory, how Windows Defender’s configuration works, and how the engine acts on the result. This will be the most complete overview of the Windows Defender service presented so far.

Since Windows Defender is a massive piece of software, we propose to illustrate the talk with an introduction to the new feature called “Smart App Control” (SAC), released with Windows 11 and built on Windows Defender. The RPC interface used by Smart App Control and related to Windows Defender will be presented. This way, anyone can follow the different steps in analyzing a file in the context of this new feature, and especially the set of information disclosed to Microsoft’s cloud when a program is about to be executed.

In the end, this journey into the internals of Windows Defender will provide each participant with a clear overview of how antivirus software works, its core characteristics, and what can be observed about the quality of some products. Understanding how an antivirus works, rather than relying on the vendor’s marketing, is a good way to make an educated choice when selecting one.

We asked Baptiste a few more questions about his talk.

Please tell us the top 5 facts about your talk.

  1. Antivirus came back to the front of the stage these last months after a massive BSOD. And we all heard a lot about EDR/XDR/antivirus but little about their internal details. This talk is here to fill the gap and explain what happens in such software “behind the stage”.
  2. The talk is about reverse engineering but, I promise, there is no need to speak assembly or any cryptic highly technical stuff to follow it. In fact, reverse engineering is fundamentally about sharing. And in this talk, there’s a real work of simplicity without ever sacrificing accuracy. When we’re kids, we always want to know how things work, why it’s like that; we’re immensely curious. I don’t think I’ve ever really lost my curiosity, and I’m still amazed at what you can do with computers. Sharing this is what drives me; I love to share.
  3. Understanding a program like Windows Defender is like reading an encyclopaedia on how security software works. We understand how such software was written, its history, its evolutions, the logic of the people who wrote it. This talk is also a master class on how Windows 10/11 works and the technology behind it.
  4. Understanding antivirus software means understanding how it works, what it can do, how it does it, and where its limits lie. More generally (and beyond the antivirus world), it’s also about making sure we know how the software we install on our machines works. Not trusting software publishers by default but having the ability to control and evaluate what runs on our machines. This is a significant change of logic, because it allows us to make enlightened choices about software, not just to believe in it.
  5. These days, we’re hearing more and more about AI and user data protection. But what’s really going on? Behind these concepts, there’s a reality, a reality implemented in programs. And it’s only when we analyse these programs that we really know what they’re all about.

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

In fact, it was the German Federal Office for Information Security (BSI) who asked us what we could explain concerning the latest security feature released under Windows 11: Smart App Control. A feature that aims to allow only software considered legitimate to run, via Microsoft’s AI capabilities. In fact, the feature studies your software usage and tells us whether it can protect us. Our analysis of this feature soon encouraged us to turn our attention to Windows Defender, since they are highly connected. We therefore reversed Windows Defender (also known as Microsoft Antivirus Defender). In reverse engineering, to explain a single function, we sometimes must explain hundreds of others that are directly related to the first. In the end, we had a broad and detailed view of Windows Defender. A view we’ve never seen anywhere else. We thought it important to share it.

Why do you think this is an important topic?

Security software like Windows Defender analyses everything that happens on our machine. Why don’t we inspect it too? The recent CrowdStrike crash reminded us that this sensitive software is deeply embedded in our machines. One mistake, one wrong move, and the consequences can be dramatic. It makes sense to analyse this kind of critical software in our systems. Not to trust them by default.

Is there something you want everybody to know – some good advice for our readers, maybe?

I do my very best to build my talks by always asking myself what’s useful. What’s useful for the people who come, what would have been useful to me in their shoes? I must explain and be understood by everybody. A talk is more than just some gibberish explanation, a given result, a demo, a GitHub link to a tool and goodnight. It also means making things understandable, by explaining things, and by saying complex things in a simple way. It’s not always easy. We are sometimes reluctant to go and see a talk about reverse engineering. We think it will be complicated, that we will not understand, that “it’s not our world”. But I sincerely invite curious people to see the talk. We can learn a lot about computer security by knowing how the security software works.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

I have never been very good at predictions. I explain more often what has happened (in a piece of software) than what will happen. But maybe I can share a hope with you. The hope that more time will be spent analysing the software that everyone uses on their machines. There is a lot of software that runs without anyone knowing what happens. And sometimes, by the time we do know, it is too late (a vulnerability has been exploited, the machine is in BSOD, …). Perhaps the time has come to think ahead and require greater transparency regarding the software code installed on machines. The case of Windows Recall, which was recently reversed, changed Microsoft’s plans and forced it to rethink its design. And this was only possible because the new functionality was analysed by reversers. Perhaps we should generalize this to other companies and software, whose responsibilities are just as important as Microsoft’s in our lives?

Dr. Baptiste David is an IT security specialist at ERNW, specialized in the Windows operating system. His research is mainly focused on malware analysis, reverse engineering, security of the Windows operating system platform, kernel development and vulnerability research. He has given special courses and trainings at different universities in Europe. He also regularly gives talks at different conferences including Black Hat USA, Defcon, Troopers, ZeroNights, Cocon, EICAR, ECCWS…
