Deep Dive into Windows Defender: Smart App Control and ETW
This talk is a deep dive into Microsoft Defender Antivirus (aka “Windows Defender”), revealing how it works and providing unpublished details. We present its general architecture, how it initializes (database retrieval, internal configuration management, update procedure, etc.), how it is possible to interface with it through various undocumented RPC interfaces, how it ensures its own security, how it scans a file in memory, and more. Furthermore, we look at two interesting features: “Smart App Control” (SAC), which was released within Windows 11, and the data that Windows Defender receives from Event Tracing for Windows (ETW).
The SAC feature relies on multiple components of Windows 11, starting from the kernel within Windows Defender Application Control (WDAC) and finishing in Microsoft Defender Antivirus, notifying Microsoft’s cloud environment. This talk explains how “Microsoft’s app intelligence” selects which application can be trusted on the system. Furthermore, the different operation modes and phases are discussed. What happens during the “evaluation” phase? And how can the feature switch “on” or “off”?
Then, we detour through Windows Defender’s ETW sessions to understand what the antivirus can observe through them. Through a practical example, we show how Windows Defender’s ETW providers can be used during an antivirus analysis to trace relevant steps of process injection techniques. Furthermore, we discuss how to perform ETW provider discovery: we show how to enumerate the providers of ETW sessions and how to find which providers are implemented in which executable files.
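As an added illustration of the provider discovery step (example code written for this page, not material from the talk): the script below lists the providers subscribed to the running ETW sessions whose name contains "Defender" and maps each provider GUID to the binary registered for it under the WINEVT Publishers key. It assumes an elevated prompt, the `logman` output layout of Windows 10/11, and that the session-name filter is adjusted to the build at hand; the exact Defender session names are not taken from the page.

```powershell
# Added example (not from the talk). Run elevated on Windows 10/11.
$Publishers = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers'

# Parse "logman query <session> -ets": each provider block carries a "Name:" line
# followed by a "Provider Guid:" line.
function Get-SessionProviders {
    param([string]$SessionName)
    $current = $null
    foreach ($line in (logman query $SessionName -ets)) {
        if ($line -match '^Name:\s+(.+?)\s*$') {
            $current = $Matches[1]
        }
        elseif ($line -match '^Provider Guid:\s+(\{[0-9A-Fa-f-]+\})') {
            [pscustomobject]@{ Name = $current; Guid = $Matches[1] }
        }
    }
}

# Manifest-based providers register their resource/message DLL or EXE under
# WINEVT\Publishers\{GUID}; TraceLogging and classic providers do not, so a
# missing key is expected and is reported rather than treated as an error.
function Resolve-ProviderBinary {
    param([string]$Guid)
    $key = Join-Path $Publishers $Guid
    if (-not (Test-Path $key)) { return $null }
    $props = Get-ItemProperty -Path $key
    $file = $props.ResourceFileName
    if (-not $file) { $file = $props.MessageFileName }
    if ($file) { [Environment]::ExpandEnvironmentVariables($file) } else { $null }
}

# Running sessions whose name mentions Defender (assumed filter; adjust per build).
$sessions = (logman query -ets) |
    Where-Object { $_ -match '^(\S*Defender\S*)\s' } |
    ForEach-Object { $Matches[1] }

$sessions | ForEach-Object {
    $session = $_
    Get-SessionProviders -SessionName $session | ForEach-Object {
        $binary = Resolve-ProviderBinary -Guid $_.Guid
        [pscustomobject]@{
            Session  = $session
            Provider = $_.Name
            Guid     = $_.Guid
            Binary   = if ($binary) { $binary } else { '<not manifest-registered>' }
        }
    }
} | Format-Table -AutoSize
```

Providers that resolve to no binary here are typically TraceLogging or classic providers; locating those requires looking in the emitting executables themselves, which is the second part of the discovery the talk describes.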
In the end, a comprehensive discussion will consider security aspects regarding Windows Defender, especially information disclosure to Microsoft, self-security of the antivirus, and the potential for information tampering. Our analysis, based on reverse engineering work, provides a comprehensive understanding of Windows Defender’s inner workings. It shows how Windows Defender builds upon existing technologies for further features, and it also details other subcomponents of Windows Defender.