Tag Archive: Antimalware

Defender performance analyzer

Sometimes real-time protection and on-demand scanning take a bit of time, and it is difficult to see exactly what Defender is doing and where that time goes.

A new set of PowerShell cmdlets has been released that lets us make a performance recording of Defender and troubleshoot performance issues: New-MpPerformanceRecording and Get-MpPerformanceReport.

When showing the help of the cmdlet we can see that there are two parameters:

  • -RecordTo <string>: The path of the output file
  • -Seconds <int>: Number of seconds to run the recording

The -Seconds parameter is useful when running non-interactive sessions against multiple devices.

Using the performance recorder

In PowerShell, we use the command New-MpPerformanceRecording and specify the output .etl file.

New-MpPerformanceRecording -RecordTo .\scan.etl

This will start the recorder.

We can press Enter at any time to stop the recording and Ctrl-C if we want to abort.

The output file is saved and we can now open it with the cmdlet Get-MpPerformanceReport.

The cmdlet allows us to look at the data in different ways:

  • -TopFiles
  • -TopScansPerFile
  • -TopProcessesPerFile
  • -TopScansPerProcessPerFile
  • -TopExtensions
  • -TopScansPerExtension
  • -TopFilesPerExtension
  • -TopScansPerProcess
  • etc…

Example

Get-MpPerformanceReport -Path .\scan.etl -TopFiles 1
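As an added example (not code from the original post), this script uses the -Seconds parameter to record non-interactively on several devices over PowerShell remoting, copies the .etl files back and runs the reports locally. The device names, remote path and duration are placeholders; it assumes remoting is enabled and that the remote session runs with administrative rights, which the recorder needs.

```powershell
# Constructed placeholder device names; replace with real hostnames.
$devices   = @('WS-PLACEHOLDER-01', 'WS-PLACEHOLDER-02')
$seconds   = 120                                   # length of each recording
$remoteEtl = 'C:\Windows\Temp\mp-perf.etl'         # assumed writable path on the device
$localDir  = Join-Path $env:TEMP 'mp-perf'
New-Item -ItemType Directory -Path $localDir -Force | Out-Null

foreach ($device in $devices) {
    $session = New-PSSession -ComputerName $device
    try {
        # -Seconds makes the recording stop on its own, so no Enter key is needed.
        Invoke-Command -Session $session -ScriptBlock {
            param($path, $secs)
            New-MpPerformanceRecording -RecordTo $path -Seconds $secs
        } -ArgumentList $remoteEtl, $seconds

        # Pull the trace back for offline analysis and clean up on the device.
        $localEtl = Join-Path $localDir "$device.etl"
        Copy-Item -FromSession $session -Path $remoteEtl -Destination $localEtl
        Invoke-Command -Session $session -ScriptBlock {
            param($path) Remove-Item -Path $path -ErrorAction SilentlyContinue
        } -ArgumentList $remoteEtl
    }
    finally {
        Remove-PSSession -Session $session
    }
}

# Analyse every collected trace with the views discussed above.
Get-ChildItem -Path $localDir -Filter '*.etl' | ForEach-Object {
    "==== $($_.BaseName) ===="
    # Slowest files, with the three longest scans of each
    Get-MpPerformanceReport -Path $_.FullName -TopFiles 10 -TopScansPerFile 3
    # File extensions that cost the most scan time
    Get-MpPerformanceReport -Path $_.FullName -TopExtensions 5
    # Processes whose file activity triggered the longest scans
    Get-MpPerformanceReport -Path $_.FullName -TopScansPerProcess 5
}
```

The three report calls show the same trace from different angles, which makes it easier to tell a single slow file apart from a process that keeps touching many files; read the results before considering any exclusion.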

Another example of output

Since it is an ETL file we can actually open it with any ETL viewer; however, the result is not presented to us in the same way.

Using PerfView as an example of opening .etl files:

We can see that Windows Performance Recorder is used under the hood.

IMPORTANT: If you plan to use this troubleshooting to find paths for exclusions, be very careful. You might accidentally open up your device to threats. If you are not 100% certain of your exclusions, please ask for help!

Happy Hunting!

/Sec-Labs Team

CVE-2017-0290 – RCE in The Microsoft Malware Protection Engine

Last Friday, Tavis Ormandy and Natalie Silvanovich reported that they had discovered “the worst Windows remote code exec in recent memory”.

The vulnerability was reported to Microsoft who released an advisory: https://technet.microsoft.com/library/security/4022344.aspx

The good news: no action is required by enterprise administrators if the default configuration, automatic updating of definitions and the Malware Protection Engine, has been kept.

Otherwise, patch now!

From the advisory:

Why is no action required to install this update?
In response to a constantly changing threat landscape, Microsoft frequently updates malware definitions and the Microsoft Malware Protection Engine. In order to be effective in helping protect against new and prevalent threats, antimalware software must be kept up to date with these updates in a timely manner.

For enterprise deployments as well as end users, the default configuration in Microsoft antimalware software helps ensure that malware definitions and the Microsoft Malware Protection Engine are kept up to date automatically. Product documentation also recommends that products are configured for automatic updating.

  • CVE ID: CVE-2017-0290
  • Vulnerability Title: Scripting Engine Memory Corruption Vulnerability
  • Exploitability Assessment for Latest Software Release: 2 – Exploitation Less Likely
  • Exploitability Assessment for Older Software Release: 2 – Exploitation Less Likely
  • Denial of Service Exploitability Assessment: Not applicable

To exploit this vulnerability a specially crafted file has to be scanned by the system. The file can be delivered in numerous ways: via the web, as an attachment, etc.

The real-time scan will automatically scan such files, and this functionality is nothing you should disable.
The real-time scan also runs on file shares, so this vulnerability does not apply only to clients.

Affected products

Antimalware software affected by the Microsoft Malware Protection Engine Remote Code Execution Vulnerability (CVE-2017-0290). Each product is rated Critical, with Remote Code Execution as the impact:

  • Microsoft Forefront Endpoint Protection 2010
  • Microsoft Endpoint Protection
  • Microsoft Forefront Security for SharePoint Service Pack 3
  • Microsoft System Center Endpoint Protection
  • Microsoft Security Essentials
  • Windows Defender for Windows 7
  • Windows Defender for Windows 8.1
  • Windows Defender for Windows RT 8.1
  • Windows Defender for Windows 10, Windows 10 1511, Windows 10 1607, Windows Server 2016, Windows 10 1703
  • Windows Intune Endpoint Protection

Actions:

  • Verify that the update is installed
  • If necessary, install the update

For further information:

https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5